crLud? I'd like to see support for a separate LIST permission #11464
Replies: 9 comments 10 replies
-
|
Agreed! We should find a better acronym than CrLud though, and add an S for "share". Maybe CUDdLeRS, CURSeDLy, SCRUpLeD?! 😄 |
Beta Was this translation helpful? Give feedback.
-
|
Is there any other way to block listing all files via API but still have access to single files using their hash-id? 🙏🏼 |
Beta Was this translation helpful? Give feedback.
-
|
Not without some custom hook/endpoint magic, no |
Beta Was this translation helpful? Give feedback.
-
|
LUDCRS seems fine as directus is software out of this world. You could even say it's ludicrous. |
Beta Was this translation helpful? Give feedback.
-
|
To restrict the list of files, is it not possible to simply make an environment variable? Do not list but be able to access files if they are called on /assets with their token for public role It's a security concern, or a loss of functionality (sharp.js...) with a custom endpoint |
Beta Was this translation helpful? Give feedback.
-
|
I don't think there should be a difference in files vs other data sets personally 🤔 |
Beta Was this translation helpful? Give feedback.
-
|
Exactly. Individual entries could also be accessed via a hash while the list may be hidden. It's a nobrainer. The strength of the hash could also be defined in Directus or simply chosen by the user. |
Beta Was this translation helpful? Give feedback.
-
I have no security breach on the other data because the permissions filters are enough On the other hand, the files are not only given in the database.. these are confidential documents in our case The token to retrieve them is sufficient security, it's really really the listing that is the problem The only solution found to date is to make a "public" folder and to filter in the API, for confidential data to be accessible outside of directus, I made a role and a user who has the necessary permissions. but it's more DIY than clean development, it's a shame and a bit frustrating 😵💫😅 (So sorry for my English, say thx to Google translate aha) |
Beta Was this translation helpful? Give feedback.
-
|
Here's an unofficial workaround. An extension to disable listing of routes and collections.
|
Beta Was this translation helpful? Give feedback.
-
|
Would it be possible to do something similar with a filter hook extension? For example, throwing an error when trying to list files for a public user, or a specific public folder since external users shouldn't be able to list either if they authenticate. If so, would that be less brittle in case of API route or Express changes? |
Beta Was this translation helpful? Give feedback.
-
|
I like this proposal! I think it would be good. |
Beta Was this translation helpful? Give feedback.
-
|
Hello, did you mention me here? |
Beta Was this translation helpful? Give feedback.
-
|
@rijkvanzanten Is there any progress on this concept? I think the "share" permission is now already used otherwise, right? |
Beta Was this translation helpful? Give feedback.
-
|
No progress yet. It makes total sense to me for things like
Yup! The share permission is used to control what you are allowed to share 👍🏻 |
Beta Was this translation helpful? Give feedback.
-
|
Heya! Thanks for opening this feature request! This feature request has received over 15 votes from the community. This means we'll move this feature request to the Under Review state! The Core team will schedule a meeting to review this request as soon as possible. The discussion will then be approved or denied. You may or may not be invited to join this meeting with the core team. For more information, see our Feature Request Process. |
Beta Was this translation helpful? Give feedback.
-
|
Searching for the feature to set permissions to files based on the collection it is used with instead of global files read permission to everyone... Following here... |
Beta Was this translation helpful? Give feedback.
-
|
I don't think the feature request in this thread is what you're talking about. Make sure to upvote #3144 tho! |
Beta Was this translation helpful? Give feedback.
-
|
A new feature request came in about the same thing in the new rfc format here: #24075 |
Beta Was this translation helpful? Give feedback.
-
|
Is this planned in any way? |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
It seems to me that quite a common use-case is to for example have photos attached to articles which should be public, while still leaving the other files private. The way this is often done is by having UUIDs as PKs (which directus supports), and only allowing public ReadOne and not ReadMany.
Thus separating Read into Read and List/ReadMany would be great and shouldn't increase complexity too much (i hope :D )
Beta Was this translation helpful? Give feedback.
All reactions