# Permissions - Allow update of different fields depending on roles

10 messages · Page 1 of 1 (latest)

quasi dove

Hello all! I am working on the setup of the permissions through Directus (which are very powerful!), and I am looking for a way to achieve the following thing, which seems to me impossible, at least through the App interface:
I have 2 roles: "Teacher" and "Student".
I need my Teacher role to be able to update the Directus Users collection in the following way:

  • For $CURRENT_USER (himself), be able to update all information, including password, etc.
  • For users with role "Student", be able to update SOME of the information, such as name, email, etc., but not Password, for example.
    In other words, I need my Teacher user to be able to update different fields depending on the user's role. It seems that, in the Directus App, I cannot define such a thing, since we cannot define specific Field Permissions depending on Item Permissions...

Do you have an idea of something I might not know about that would enable this?

Thanks a lot for your help!

ivory cedar

You're very right: while very flexible already, you cannot (without extensions) enforce 2 permission rules conditionally, like different field permissions based on item permissions.

quasi dove

Hello and thank you for the answer!
Do you have an idea of what such an extension should be able to do?
I was wondering if adding a new permission item (in directus_permissions) for the same role and collection but with different rules inside would work...? How does Directus deal with two permission items linked to the same role and collection...?

nimble mason

I'm in the exact same situation.

I need students to be able to edit their own profile, but not their grade field.
At the same time, I need teachers to be able to update only the grade field for students while retaining the ability to fully edit their own profile.

I need teachers role permissions that would follow this logic:

if "id" = "$CURRENT_USER"
    then allow full edit
else allow edit only for `grade` field

(please note, that's NOT code, merely an expression of the logic)

The correct code for the first condition is:

"id": {
    "_eq": "$CURRENT_USER"
}

Is there any way to add the second condition?

Or should I create a Directus user+role that's not tied to a person, but to a specific task (grading students)? That would imply a teacher has to log out then back into a different user (with a different role), which has some implications on accountability (unless I create a grader account for each existing teacher account, but that looks less than elegant to me…).

I've read anything I could find in the docs regarding users, roles & permissions. Any advice, insight or suggested reading is welcome.

nimble mason

OK, I think I got it... Or at least a workaround (for my use case, even though I still have to figure out the grading part).

I also have a field classes to record who attended what. This calls for an M2M relationship.

  • The collection classes has a field students to record who attended. <--- this is writable by the role teachers.
  • The student (Directus_user) profile has a field attended_classes for what classes were attended by that particular student. <--- this is writable by NO ONE.
  • In between the two is a junction table, which Directus conveniently creates for us. <--- this collection needs to be writable by teachers.

The key thing: the field attended_classes in the student/user profile is an alias, which, according to the docs, is a field that does not map directly to an actual database column:

For example, [...] certain relational types that display data stored elsewhere (such as O2M and M2M).

In other words, the attended_classes is merely a window (hence not writable) looking at data stored elsewhere.

Hope that helps.
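As an added example (not code from this thread or from Directus itself), here is a simplified JavaScript model of directus_permissions rows that checks both the `"id": {"_eq": "$CURRENT_USER"}` rule from the earlier message and the junction-table workaround above. The junction collection name `classes_directus_users`, its field names, the role names and the user ids are assumed; only the `_eq` operator is modelled, with one row per role/collection/action, and how real Directus merges several rows for the same triple is not modelled.

```javascript
// Added example: a toy evaluator for Directus-style permission rows.
// It is NOT the Directus implementation; it only models `_eq` filters,
// the `$CURRENT_USER` variable and a per-row field whitelist.

// Constructed rows in the shape of directus_permissions entries
// (role, collection, action, permissions filter, fields whitelist).
const PERMISSION_ROWS = [
  // Teachers may fully edit their own directus_users record only.
  { role: "teacher", collection: "directus_users", action: "update",
    permissions: { id: { _eq: "$CURRENT_USER" } }, fields: ["*"] },
  // Teachers record attendance by creating rows in the junction
  // collection behind classes.students (collection name assumed).
  { role: "teacher", collection: "classes_directus_users", action: "create",
    permissions: {}, fields: ["classes_id", "directus_users_id"] },
  // No row lists attended_classes: it is an alias, a read-only window
  // onto the junction rows, so nobody writes it directly.
];

// Replace dynamic variables the way a permission filter expects.
function resolveValue(value, ctx) {
  return value === "$CURRENT_USER" ? ctx.currentUser : value;
}

// Minimal filter evaluator: every listed field must satisfy its `_eq`.
// An empty filter ({}) matches every item.
function matchesFilter(filter, item, ctx) {
  return Object.entries(filter).every(([field, cond]) =>
    Object.entries(cond).every(([op, val]) => {
      if (op !== "_eq") throw new Error(`operator ${op} not modelled`);
      return item[field] === resolveValue(val, ctx);
    }));
}

// Fields that ctx.role may touch on `item` for this action: the row's
// whitelist when the item passes the row's filter, otherwise nothing.
// Note there is one whitelist per row, so "all fields for myself but only
// some fields for students" cannot be expressed in a single row.
function allowedFields(rows, collection, action, item, ctx) {
  const row = rows.find(r =>
    r.role === ctx.role && r.collection === collection && r.action === action);
  if (!row || !matchesFilter(row.permissions, item, ctx)) return [];
  return row.fields;
}
```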

restive surge

Is this really not possible to solve with two roles teacher and student? Thinking about it in my head, it should be quite easy. Are teachers and students separate collections with different fields? Then it would be even easier. If you have just one profile collection with teachers and students mixed, then you could still define different read and write permissions for each role, though a grade field for teachers would not make much sense, only maybe if they can be both at the same time, then things get tricky.

nimble mason

Hey @restive surge!
Thanks for reaching out!

Thinking about it in my head, it should be quite easy.

At first, it looked that way for me, too…

Are teachers and students separate collections with different fields?

Well, I didn’t consider it that way.
As of now, teachers and students aren’t collections but roles.
The containing collection is directus_users.

though a grade field for teachers would not make much sense

Agreed. But I decided teachers are grown-ups who are able to ignore that field. 😉

The problem (from a near-noob perspective) is, if teachers can write the grade field, they either are able to write to every field of every user account OR only to that grade field, even for their own account.

Reconsidering this:

Are teachers and students separate collections with different fields?

Would there be a way to manage app users with something that is in a custom collection, but NOT directus_users?

If you have just one profile collection with teachers and students mixed, then you could still define different read and write permissions for each role

Not to be rude by challenging you on this, but if you could provide either a Data Studio screenshot or a snippet of code, that would help immensely.

Cheers!