Document Permissions being affected by the relational API Limit about directus HOT 12 OPEN

Fascinating, that is however a separate issue i was debugging before the weekend. Am kinda wondering why that works for ya but let's keep this one on topic 😄

from directus.

It hits the same default query limit but these arrays are much smaller as a customer might only be part of like 10ish companies max so the limit is not an issue for me here

Yeah the 100 default was chosen as a "sensible default" (same as the max nesting limit) so im leaning towards this being intentional and needed some docs on the matter to make sure people know about it 🤔

from directus.

I have not found a way to remove the limit from the permissions using filter rules other than changing the QUERY_LIMIT_DEFAULT on the ENV file.

As you've found you can change this default limit using the QUERY_LIMIT_DEFAULT environment variable or by providing a limit (https://docs.directus.io/reference/query.html#limit) for either on the main collection or deep->_limit (https://docs.directus.io/reference/query.html#deep) for relations as long as it is smaller than the QUERY_LIMIT_MAX.

The App itself should paginate where possible, Is the issue here that pagination is missing somewhere?

Closing the issue for now as the limit itself is by design.

from directus.

Hi @br41nslug

The issue is in the permissions checks themselves for the role. I know how to change the limit when using the API

api/src/services/permissions/index.ts extends ItemsService, which is bound by the default query limit, for permissions should this not check all instead of being limited? if it was by design I will just change the QUERY_LIMIT_DEFAULT variable. I understand the limit for the API but for custom permissions it should probably check all or document somewhere that it will only check the first default query limit of relations.

I will try out the deep limits on the permissions, thanks for responding

from directus.

Ah hate to say it but that second rule ID is on of [<large array>] (*note the nested array) wont work either way 😬

So the core issue is relational values gotten via dynamic variables $current_user.something is hitting the default limit 🤔 I am torn between that being intentional or not as loading in 100+ item for each permission check aint great for performance.

from directus.

I increased the QUERY_LIMIT_DEFAULT to 250 and gives the expected results based on the second rule.

from directus.

I increased the QUERY_LIMIT_DEFAULT to 250 and gives the expected results based on the second rule.

Interesting, maybe that only applies to m2m relations then, fascinating 🤔

from directus.

I am torn between that being intentional or not as loading in 100+ item for each permission check aint great for performance.

I thought this might have been an intentional design choice based on performance but was not sure, I could not find it documented somewhere that permissions would check based on the default query limit.

from directus.

I increased the QUERY_LIMIT_DEFAULT to 250 and gives the expected results based on the second rule.

Interesting, maybe that only applies to m2m relations then, fascinating 🤔

for M2M relations I have found this to work for nested arrays

{
  "_and": [
    {
      "_or": [
        {
          "customer": {
            "id": {
              "_in": [
                "$CURRENT_USER.customers"
              ]
            }
          }
        },
        {
          "customer": {
            "id": {
              "_in": [
                "$CURRENT_USER.companies.customer_id"
              ]
            }
          }
        }
      ]
    }
  ]
}

It hits the same default query limit but these arrays are much smaller as a customer might only be part of like 10ish companies max so the limit is not an issue for me here

from directus.

Thanks for responding,

I think it might need to be mentioned somewhere here configure-custom-permissions so others don't fall into the same trap, I first thought it was my permissions but if they were wrong the user would have seen nothing and not 100 items so then I looked at the source code of the Permissions Service I saw it extended the ItemService so figured it was hitting default query limit.

from directus.

Re-opening as issue for documentation to make sure it doesnt get forgotten 😄

from directus.

@br41nslug much appreciated, if you would like to discuss my M2M permissions setup for your other debugging issue I would be happy to send you the schema on discord DM if it helps out your debugging for M2M permissions.

from directus.