Directus allows updates to non-allowed fields due to overlapping policies
If there are two overlapping policies for the update action that allow access to different fields, instead of correctly checking access permissions against the item they apply for the user is allowed to update the superset of fields allowed by any of the policies. E.g. have one policy allowing update access to field_a if the id == 1 and one policy allowing update access to field_b if the id == …