@directus/api 19.3.0 → 20.0.0-rc.0

package/dist/services/relations.js

@@ -6,14 +6,15 @@ import { clearSystemCache, getCache } from '../cache.js';
 import { getHelpers } from '../database/helpers/index.js';
 import getDatabase, { getSchemaInspector } from '../database/index.js';
 import emitter from '../emitter.js';
+import { fetchAllowedFieldMap } from '../permissions/modules/fetch-allowed-field-map/fetch-allowed-field-map.js';
+import { fetchAllowedFields } from '../permissions/modules/fetch-allowed-fields/fetch-allowed-fields.js';
+import { validateAccess } from '../permissions/modules/validate-access/validate-access.js';
 import { getDefaultIndexName } from '../utils/get-default-index-name.js';
 import { getSchema } from '../utils/get-schema.js';
 import { transaction } from '../utils/transaction.js';
 import { ItemsService } from './items.js';
-import { PermissionsService } from './permissions/index.js';
 export class RelationsService {
     knex;
-    permissionsService;
     schemaInspector;
     accountability;
     schema;
@@ -22,7 +23,6 @@ export class RelationsService {
     helpers;
     constructor(options) {
         this.knex = options.knex || getDatabase();
-        this.permissionsService = new PermissionsService(options);
         this.schemaInspector = options.knex ? createInspector(options.knex) : getSchemaInspector();
         this.schema = options.schema;
         this.accountability = options.accountability || null;
@@ -37,8 +37,15 @@ export class RelationsService {
         this.helpers = getHelpers(this.knex);
     }
     async readAll(collection, opts) {
-        if (this.accountability && this.accountability.admin !== true && this.hasReadAccess === false) {
-            throw new ForbiddenError();
+        if (this.accountability) {
+            await validateAccess({
+                accountability: this.accountability,
+                action: 'read',
+                collection: 'directus_relations',
+            }, {
+                knex: this.knex,
+                schema: this.schema,
+            });
         }
         const metaReadQuery = {
             limit: -1,
@@ -64,18 +71,17 @@ export class RelationsService {
     }
     async readOne(collection, field) {
         if (this.accountability && this.accountability.admin !== true) {
-            if (this.hasReadAccess === false) {
-                throw new ForbiddenError();
-            }
-            const permissions = this.accountability.permissions?.find((permission) => {
-                return permission.action === 'read' && permission.collection === collection;
+            await validateAccess({
+                accountability: this.accountability,
+                action: 'read',
+                collection: 'directus_relations',
+            }, {
+                schema: this.schema,
+                knex: this.knex,
             });
-            if (!permissions || !permissions.fields)
+            const allowedFields = await fetchAllowedFields({ collection, action: 'read', accountability: this.accountability }, { schema: this.schema, knex: this.knex });
+            if (allowedFields.includes('*') === false && allowedFields.includes(field) === false) {
                 throw new ForbiddenError();
-            if (permissions.fields.includes('*') === false) {
-                const allowedFields = permissions.fields;
-                if (allowedFields.includes(field) === false)
-                    throw new ForbiddenError();
             }
         }
         const metaRow = await this.relationsItemService.readByQuery({
@@ -357,14 +363,6 @@ export class RelationsService {
             }
         }
     }
-    /**
-     * Whether or not the current user has read access to relations
-     */
-    get hasReadAccess() {
-        return !!this.accountability?.permissions?.find((permission) => {
-            return permission.collection === 'directus_relations' && permission.action === 'read';
-        });
-    }
     /**
      * Combine raw schema foreign key information with Directus relations meta rows to form final
      * Relation objects
@@ -413,12 +411,11 @@ export class RelationsService {
     async filterForbidden(relations) {
         if (this.accountability === null || this.accountability?.admin === true)
             return relations;
-        const allowedCollections = this.accountability.permissions
-            ?.filter((permission) => {
-            return permission.action === 'read';
-        })
-            .map(({ collection }) => collection) ?? [];
-        const allowedFields = this.permissionsService.getAllowedFields('read');
+        const allowedFields = await fetchAllowedFieldMap({
+            accountability: this.accountability,
+            action: 'read',
+        }, { schema: this.schema, knex: this.knex });
+        const allowedCollections = Object.keys(allowedFields);
         relations = toArray(relations);
         return relations.filter((relation) => {
             let collectionsAllowed = true;

package/dist/services/roles.d.ts

@@ -1,20 +1,10 @@
-import type { Item, PrimaryKey, Query } from '@directus/types';
+import type { Item, PrimaryKey } from '@directus/types';
 import type { AbstractServiceOptions, MutationOptions } from '../types/index.js';
 import { ItemsService } from './items.js';
 export declare class RolesService extends ItemsService {
     constructor(options: AbstractServiceOptions);
-    private checkForOtherAdminRoles;
-    private checkForOtherAdminUsers;
-    private isIpAccessValid;
-    private assertValidIpAccess;
-    private getRoleAccessType;
-    createOne(data: Partial<Item>, opts?: MutationOptions): Promise<PrimaryKey>;
-    createMany(data: Partial<Item>[], opts?: MutationOptions): Promise<PrimaryKey[]>;
-    updateOne(key: PrimaryKey, data: Partial<Item>, opts?: MutationOptions): Promise<PrimaryKey>;
-    updateBatch(data: Partial<Item>[], opts?: MutationOptions): Promise<PrimaryKey[]>;
     updateMany(keys: PrimaryKey[], data: Partial<Item>, opts?: MutationOptions): Promise<PrimaryKey[]>;
-    updateByQuery(query: Query, data: Partial<Item>, opts?: MutationOptions | undefined): Promise<PrimaryKey[]>;
-    deleteOne(key: PrimaryKey): Promise<PrimaryKey>;
-    deleteMany(keys: PrimaryKey[]): Promise<PrimaryKey[]>;
-    deleteByQuery(query: Query, opts?: MutationOptions): Promise<PrimaryKey[]>;
+    deleteMany(keys: PrimaryKey[], opts?: MutationOptions): Promise<PrimaryKey[]>;
+    private validateRoleNesting;
+    private clearCaches;
 }

package/dist/services/roles.js

@@ -1,435 +1,51 @@
-import { InvalidPayloadError, UnprocessableContentError } from '@directus/errors';
-import { getMatch } from 'ip-matching';
-import { checkIncreasedUserLimits } from '../telemetry/utils/check-increased-user-limits.js';
-import { getRoleCountsByUsers } from '../telemetry/utils/get-role-counts-by-users.js';
-import {} from '../telemetry/utils/get-user-count.js';
-import { getUserCountsByRoles } from '../telemetry/utils/get-user-counts-by-roles.js';
+import { InvalidPayloadError } from '@directus/errors';
+import { clearSystemCache } from '../cache.js';
+import { fetchRolesTree } from '../permissions/lib/fetch-roles-tree.js';
 import { transaction } from '../utils/transaction.js';
+import { UserIntegrityCheckFlag } from '../utils/validate-user-count-integrity.js';
 import { ItemsService } from './items.js';
-import { PermissionsService } from './permissions/index.js';
+import { AccessService } from './access.js';
 import { PresetsService } from './presets.js';
 import { UsersService } from './users.js';
-import { shouldClearCache } from '../utils/should-clear-cache.js';
-import { omit } from 'lodash-es';
 export class RolesService extends ItemsService {
     constructor(options) {
         super('directus_roles', options);
     }
-    async checkForOtherAdminRoles(excludeKeys) {
-        // Make sure there's at least one admin role left after this deletion is done
-        const otherAdminRoles = await this.knex
-            .count('*', { as: 'count' })
-            .from('directus_roles')
-            .whereNotIn('id', excludeKeys)
-            .andWhere({ admin_access: true })
-            .first();
-        const otherAdminRolesCount = Number(otherAdminRoles?.count ?? 0);
-        if (otherAdminRolesCount === 0) {
-            throw new UnprocessableContentError({ reason: `You can't delete the last admin role` });
-        }
-    }
-    async checkForOtherAdminUsers(key, users) {
-        const role = await this.knex.select('admin_access').from('directus_roles').where('id', '=', key).first();
-        // No-op if role doesn't exist
-        if (!role)
-            return;
-        const usersBefore = (await this.knex.select('id').from('directus_users').where('role', '=', key)).map((user) => user.id);
-        const usersAdded = [];
-        const usersUpdated = [];
-        const usersCreated = [];
-        const usersRemoved = [];
-        if (Array.isArray(users)) {
-            const usersKept = [];
-            for (const user of users) {
-                if (typeof user === 'string') {
-                    if (usersBefore.includes(user)) {
-                        usersKept.push(user);
-                    }
-                    else {
-                        usersAdded.push({ id: user });
-                    }
-                }
-                else if (user.id) {
-                    if (usersBefore.includes(user.id)) {
-                        usersKept.push(user.id);
-                        usersUpdated.push(user);
-                    }
-                    else {
-                        usersAdded.push(user);
-                    }
-                }
-                else {
-                    usersCreated.push(user);
-                }
-            }
-            usersRemoved.push(...usersBefore.filter((user) => !usersKept.includes(user)));
-        }
-        else {
-            for (const user of users.update) {
-                if (usersBefore.includes(user['id'])) {
-                    usersUpdated.push(user);
-                }
-                else {
-                    usersAdded.push(user);
-                }
-            }
-            usersCreated.push(...users.create);
-            usersRemoved.push(...users.delete);
-        }
-        if (role.admin_access === false || role.admin_access === 0) {
-            // Admin users might have moved in from other role, thus becoming non-admin
-            if (usersAdded.length > 0) {
-                const otherAdminUsers = await this.knex
-                    .count('*', { as: 'count' })
-                    .from('directus_users')
-                    .leftJoin('directus_roles', 'directus_users.role', 'directus_roles.id')
-                    .whereNotIn('directus_users.id', usersAdded.map((user) => user.id))
-                    .andWhere({ 'directus_roles.admin_access': true, status: 'active' })
-                    .first();
-                const otherAdminUsersCount = Number(otherAdminUsers?.count ?? 0);
-                if (otherAdminUsersCount === 0) {
-                    throw new UnprocessableContentError({ reason: `You can't remove the last admin user from the admin role` });
-                }
-            }
-            return;
-        }
-        // Only added or created new users
-        if (usersUpdated.length === 0 && usersRemoved.length === 0)
-            return;
-        // Active admin user(s) about to be created
-        if (usersCreated.some((user) => !('status' in user) || user.status === 'active'))
-            return;
-        const usersDeactivated = [...usersAdded, ...usersUpdated]
-            .filter((user) => 'status' in user && user.status !== 'active')
-            .map((user) => user.id);
-        const usersAddedNonDeactivated = usersAdded
-            .filter((user) => !usersDeactivated.includes(user.id))
-            .map((user) => user.id);
-        // Active user(s) about to become admin
-        if (usersAddedNonDeactivated.length > 0) {
-            const userCount = await this.knex
-                .count('*', { as: 'count' })
-                .from('directus_users')
-                .whereIn('id', usersAddedNonDeactivated)
-                .andWhere({ status: 'active' })
-                .first();
-            if (Number(userCount?.count ?? 0) > 0) {
-                return;
-            }
-        }
-        const otherAdminUsers = await this.knex
-            .count('*', { as: 'count' })
-            .from('directus_users')
-            .leftJoin('directus_roles', 'directus_users.role', 'directus_roles.id')
-            .whereNotIn('directus_users.id', [...usersDeactivated, ...usersRemoved])
-            .andWhere({ 'directus_roles.admin_access': true, status: 'active' })
-            .first();
-        const otherAdminUsersCount = Number(otherAdminUsers?.count ?? 0);
-        if (otherAdminUsersCount === 0) {
-            throw new UnprocessableContentError({ reason: `You can't remove the last admin user from the admin role` });
-        }
-        return;
-    }
-    isIpAccessValid(value) {
-        if (value === undefined)
-            return false;
-        if (value === null)
-            return true;
-        if (Array.isArray(value) && value.length === 0)
-            return true;
-        for (const ip of value) {
-            if (typeof ip !== 'string' || ip.includes('*'))
-                return false;
-            try {
-                const match = getMatch(ip);
-                if (match.type == 'IPMask')
-                    return false;
-            }
-            catch {
-                return false;
-            }
-        }
-        return true;
-    }
-    assertValidIpAccess(partialItem) {
-        if ('ip_access' in partialItem && !this.isIpAccessValid(partialItem['ip_access'])) {
-            throw new InvalidPayloadError({
-                reason: 'IP Access contains an incorrect value. Valid values are: IP addresses, IP ranges and CIDR blocks',
-            });
-        }
-    }
-    getRoleAccessType(data) {
-        if ('admin_access' in data && data['admin_access'] === true) {
-            return 'admin';
-        }
-        else if (('app_access' in data && data['app_access'] === true) || 'app_access' in data === false) {
-            return 'app';
-        }
-        else {
-            return 'api';
-        }
-    }
-    async createOne(data, opts) {
-        this.assertValidIpAccess(data);
-        const increasedCounts = {
-            admin: 0,
-            app: 0,
-            api: 0,
-        };
-        const existingIds = [];
-        if ('users' in data) {
-            const type = this.getRoleAccessType(data);
-            increasedCounts[type] += data['users'].length;
-            for (const user of data['users']) {
-                if (typeof user === 'string') {
-                    existingIds.push(user);
-                }
-                else if (typeof user === 'object' && 'id' in user) {
-                    existingIds.push(user['id']);
-                }
-            }
-        }
-        await checkIncreasedUserLimits(this.knex, increasedCounts, existingIds);
-        return super.createOne(data, opts);
-    }
-    async createMany(data, opts) {
-        const increasedCounts = {
-            admin: 0,
-            app: 0,
-            api: 0,
-        };
-        const existingIds = [];
-        for (const partialItem of data) {
-            this.assertValidIpAccess(partialItem);
-            if ('users' in partialItem) {
-                const type = this.getRoleAccessType(partialItem);
-                increasedCounts[type] += partialItem['users'].length;
-                for (const user of partialItem['users']) {
-                    if (typeof user === 'string') {
-                        existingIds.push(user);
-                    }
-                    else if (typeof user === 'object' && 'id' in user) {
-                        existingIds.push(user['id']);
-                    }
-                }
-            }
-        }
-        await checkIncreasedUserLimits(this.knex, increasedCounts, existingIds);
-        return super.createMany(data, opts);
-    }
-    async updateOne(key, data, opts) {
-        this.assertValidIpAccess(data);
-        try {
-            const increasedCounts = {
-                admin: 0,
-                app: 0,
-                api: 0,
-            };
-            let increasedUsers = 0;
-            const existingIds = [];
-            let existingRole = await this.knex
-                .count('directus_users.id', { as: 'count' })
-                .select('directus_roles.admin_access', 'directus_roles.app_access')
-                .from('directus_users')
-                .where('directus_roles.id', '=', key)
-                .andWhere('directus_users.status', '=', 'active')
-                .leftJoin('directus_roles', 'directus_users.role', '=', 'directus_roles.id')
-                .groupBy('directus_roles.admin_access', 'directus_roles.app_access')
-                .first();
-            if (!existingRole) {
-                try {
-                    const role = (await this.knex
-                        .select('admin_access', 'app_access')
-                        .from('directus_roles')
-                        .where('id', '=', key)
-                        .first()) ?? { admin_access: null, app_access: null };
-                    existingRole = { count: 0, ...role };
-                }
-                catch {
-                    existingRole = { count: 0, admin_access: null, app_access: null };
-                }
-            }
-            if ('users' in data) {
-                await this.checkForOtherAdminUsers(key, data['users']);
-                const users = data['users'];
-                if (Array.isArray(users)) {
-                    increasedUsers = users.length - Number(existingRole.count);
-                    for (const user of users) {
-                        if (typeof user === 'string') {
-                            existingIds.push(user);
-                        }
-                        else if (typeof user === 'object' && 'id' in user) {
-                            existingIds.push(user['id']);
-                        }
-                    }
-                }
-                else {
-                    increasedUsers += users.create.length;
-                    increasedUsers -= users.delete.length;
-                    const userIds = [];
-                    for (const user of users.update) {
-                        if ('status' in user) {
-                            // account for users being activated and deactivated
-                            if (user['status'] === 'active') {
-                                increasedUsers++;
-                            }
-                            else {
-                                increasedUsers--;
-                            }
-                        }
-                        userIds.push(user.id);
-                    }
-                    try {
-                        const existingCounts = await getRoleCountsByUsers(this.knex, userIds);
-                        if (existingRole.admin_access) {
-                            increasedUsers += existingCounts.app + existingCounts.api;
-                        }
-                        else if (existingRole.app_access) {
-                            increasedUsers += existingCounts.admin + existingCounts.api;
-                        }
-                        else {
-                            increasedUsers += existingCounts.admin + existingCounts.app;
-                        }
-                    }
-                    catch {
-                        // ignore failed user call
-                    }
-                }
-            }
-            let isAccessChanged = false;
-            let accessType = 'api';
-            if ('app_access' in data) {
-                if (data['app_access'] === true) {
-                    accessType = 'app';
-                    if (!existingRole.app_access)
-                        isAccessChanged = true;
-                }
-                else if (existingRole.app_access) {
-                    isAccessChanged = true;
-                }
-            }
-            else if (existingRole.app_access) {
-                accessType = 'app';
-            }
-            if ('admin_access' in data) {
-                if (data['admin_access'] === true) {
-                    accessType = 'admin';
-                    if (!existingRole.admin_access)
-                        isAccessChanged = true;
-                }
-                else if (existingRole.admin_access) {
-                    isAccessChanged = true;
-                }
-            }
-            else if (existingRole.admin_access) {
-                accessType = 'admin';
-            }
-            if (isAccessChanged) {
-                increasedCounts[accessType] += Number(existingRole.count);
-            }
-            increasedCounts[accessType] += increasedUsers;
-            await checkIncreasedUserLimits(this.knex, increasedCounts, existingIds);
-        }
-        catch (err) {
-            (opts || (opts = {})).preMutationError = err;
-        }
-        return super.updateOne(key, data, opts);
-    }
-    async updateBatch(data, opts = {}) {
-        for (const partialItem of data) {
-            this.assertValidIpAccess(partialItem);
-        }
-        const primaryKeyField = this.schema.collections[this.collection].primary;
-        if (!opts.mutationTracker) {
-            opts.mutationTracker = this.createMutationTracker();
-        }
-        const keys = [];
-        try {
-            await transaction(this.knex, async (trx) => {
-                const service = new RolesService({
-                    accountability: this.accountability,
-                    knex: trx,
-                    schema: this.schema,
-                });
-                for (const item of data) {
-                    const combinedOpts = Object.assign({ autoPurgeCache: false }, opts);
-                    keys.push(await service.updateOne(item[primaryKeyField], omit(item, primaryKeyField), combinedOpts));
-                }
-            });
-        }
-        finally {
-            if (shouldClearCache(this.cache, opts, this.collection)) {
-                await this.cache.clear();
-            }
-        }
-        return keys;
-    }
-    async updateMany(keys, data, opts) {
-        this.assertValidIpAccess(data);
-        try {
-            if ('admin_access' in data && data['admin_access'] === false) {
-                await this.checkForOtherAdminRoles(keys);
-            }
-            if ('admin_access' in data || 'app_access' in data) {
-                const existingCounts = await getUserCountsByRoles(this.knex, keys);
-                const increasedCounts = {
-                    admin: 0,
-                    app: 0,
-                    api: 0,
-                };
-                const type = this.getRoleAccessType(data);
-                for (const [existingType, existingCount] of Object.entries(existingCounts)) {
-                    if (existingType === type)
-                        continue;
-                    increasedCounts[type] += existingCount;
-                }
-                await checkIncreasedUserLimits(this.knex, increasedCounts);
-            }
-        }
-        catch (err) {
-            (opts || (opts = {})).preMutationError = err;
-        }
-        return super.updateMany(keys, data, opts);
+    // No need to check user integrity in createOne, as the creation of a role itself does not influence the number of
+    // users, as the role of a user is actually updated in the UsersService on the user, which will make sure to
+    // initiate a user integrity check if necessary. Same goes for role nesting check as well as cache clearing.
+    async updateMany(keys, data, opts = {}) {
+        if ('parent' in data) {
+            // If the parent of a role changed we need to make a full integrity check.
+            // Anything related to policies will be checked in the AccessService, where the policies are attached to roles
+            opts.userIntegrityCheckFlags = UserIntegrityCheckFlag.All;
+            opts.onRequireUserIntegrityCheck?.(opts.userIntegrityCheckFlags);
+            await this.validateRoleNesting(keys, data['parent']);
+        }
+        const result = await super.updateMany(keys, data, opts);
+        // Only clear the permissions cache if the parent role has changed
+        // If anything policies related has changed, the cache will be cleared in the AccessService as well
+        if ('parent' in data) {
+            await this.clearCaches();
+        }
+        return result;
     }
-    async updateByQuery(query, data, opts) {
-        this.assertValidIpAccess(data);
-        return super.updateByQuery(query, data, opts);
-    }
-    async deleteOne(key) {
-        await this.deleteMany([key]);
-        return key;
-    }
-    async deleteMany(keys) {
-        const opts = {};
-        try {
-            await this.checkForOtherAdminRoles(keys);
-        }
-        catch (err) {
-            opts.preMutationError = err;
-        }
+    async deleteMany(keys, opts = {}) {
+        opts.userIntegrityCheckFlags = UserIntegrityCheckFlag.All;
+        opts.onRequireUserIntegrityCheck?.(opts.userIntegrityCheckFlags);
         await transaction(this.knex, async (trx) => {
-            const itemsService = new ItemsService('directus_roles', {
+            const options = {
                 knex: trx,
                 accountability: this.accountability,
                 schema: this.schema,
-            });
-            const permissionsService = new PermissionsService({
-                knex: trx,
-                accountability: this.accountability,
-                schema: this.schema,
-            });
-            const presetsService = new PresetsService({
-                knex: trx,
-                accountability: this.accountability,
-                schema: this.schema,
-            });
-            const usersService = new UsersService({
-                knex: trx,
-                accountability: this.accountability,
-                schema: this.schema,
-            });
+            };
+            const itemsService = new ItemsService('directus_roles', options);
+            const rolesService = new RolesService(options);
+            const accessService = new AccessService(options);
+            const presetsService = new PresetsService(options);
+            const usersService = new UsersService(options);
             // Delete permissions/presets for this role, suspend all remaining users in role
-            await permissionsService.deleteByQuery({
+            await accessService.deleteByQuery({
                 filter: { role: { _in: keys } },
             }, { ...opts, bypassLimits: true });
             await presetsService.deleteByQuery({
@@ -441,11 +57,31 @@ export class RolesService extends ItemsService {
                 status: 'suspended',
                 role: null,
             }, { ...opts, bypassLimits: true });
+            // If the about to be deleted roles are the parent of other roles set those parents to null
+            // Use a newly created RolesService here that works within the current transaction
+            await rolesService.updateByQuery({
+                filter: { parent: { _in: keys } },
+            }, { parent: null });
             await itemsService.deleteMany(keys, opts);
         });
+        // Since nested roles could be updated, clear caches
+        await this.clearCaches();
         return keys;
     }
-    deleteByQuery(query, opts) {
-        return super.deleteByQuery(query, opts);
+    async validateRoleNesting(ids, parent) {
+        if (ids.includes(parent)) {
+            throw new InvalidPayloadError({ reason: 'A role cannot be a parent of itself' });
+        }
+        const roles = await fetchRolesTree(parent, this.knex);
+        if (ids.some((id) => roles.includes(id))) {
+            // The role tree up from the parent already includes this role, so it would create a circular reference
+            throw new InvalidPayloadError({ reason: 'A role cannot have a parent that is already a descendant of itself' });
+        }
+    }
+    async clearCaches(opts) {
+        await clearSystemCache({ autoPurgeCache: opts?.autoPurgeCache });
+        if (this.cache && opts?.autoPurgeCache !== false) {
+            await this.cache.clear();
+        }
     }
 }

package/dist/services/shares.d.ts

@@ -1,9 +1,7 @@
 import type { Item, PrimaryKey } from '@directus/types';
 import type { AbstractServiceOptions, LoginResult, MutationOptions } from '../types/index.js';
-import { AuthorizationService } from './authorization.js';
 import { ItemsService } from './items.js';
 export declare class SharesService extends ItemsService {
-    authorizationService: AuthorizationService;
     constructor(options: AbstractServiceOptions);
     createOne(data: Partial<Item>, opts?: MutationOptions): Promise<PrimaryKey>;
     login(payload: Record<string, any>, options?: Partial<{