@directus/api 19.3.0 → 20.0.0-rc.0

package/dist/services/shares.js

@@ -3,29 +3,33 @@ import { ForbiddenError, InvalidCredentialsError } from '@directus/errors';
 import argon2 from 'argon2';
 import jwt from 'jsonwebtoken';
 import { useLogger } from '../logger.js';
+import { validateAccess } from '../permissions/modules/validate-access/validate-access.js';
 import { getMilliseconds } from '../utils/get-milliseconds.js';
 import { getSecret } from '../utils/get-secret.js';
 import { md } from '../utils/md.js';
 import { Url } from '../utils/url.js';
 import { userName } from '../utils/user-name.js';
-import { AuthorizationService } from './authorization.js';
 import { ItemsService } from './items.js';
 import { MailService } from './mail/index.js';
 import { UsersService } from './users.js';
 const env = useEnv();
 const logger = useLogger();
 export class SharesService extends ItemsService {
-    authorizationService;
     constructor(options) {
         super('directus_shares', options);
-        this.authorizationService = new AuthorizationService({
-            accountability: this.accountability,
-            knex: this.knex,
-            schema: this.schema,
-        });
     }
     async createOne(data, opts) {
-        await this.authorizationService.checkAccess('share', data['collection'], data['item']);
+        if (this.accountability) {
+            await validateAccess({
+                accountability: this.accountability,
+                action: 'share',
+                collection: data['collection'],
+                primaryKeys: [data['item']],
+            }, {
+                schema: this.schema,
+                knex: this.knex,
+            });
+        }
         return super.createOne(data, opts);
     }
     async login(payload, options) {

package/dist/services/specifications.d.ts

@@ -9,7 +9,7 @@ export declare class SpecificationService {
     schema: SchemaOverview;
     oas: OASSpecsService;
     graphql: GraphQLSpecsService;
-    constructor({ accountability, knex, schema }: AbstractServiceOptions);
+    constructor(options: AbstractServiceOptions);
 }
 interface SpecificationSubService {
     generate: (_?: any) => Promise<any>;
@@ -18,7 +18,7 @@ declare class OASSpecsService implements SpecificationSubService {
     accountability: Accountability | null;
     knex: Knex;
     schema: SchemaOverview;
-    constructor({ knex, schema, accountability }: AbstractServiceOptions);
+    constructor(options: AbstractServiceOptions);
     generate(host?: string): Promise<OpenAPIObject>;
     private generateTags;
     private generatePaths;

package/dist/services/specifications.js

@@ -1,14 +1,17 @@
 import { useEnv } from '@directus/env';
 import formatTitle from '@directus/format-title';
 import { spec } from '@directus/specs';
+import { isSystemCollection } from '@directus/system-data';
 import { version } from 'directus/version';
 import { cloneDeep, mergeWith } from 'lodash-es';
 import { OAS_REQUIRED_SCHEMAS } from '../constants.js';
 import getDatabase from '../database/index.js';
+import { fetchPermissions } from '../permissions/lib/fetch-permissions.js';
+import { fetchPolicies } from '../permissions/lib/fetch-policies.js';
+import { fetchAllowedFieldMap } from '../permissions/modules/fetch-allowed-field-map/fetch-allowed-field-map.js';
 import { getRelationType } from '../utils/get-relation-type.js';
 import { reduceSchema } from '../utils/reduce-schema.js';
 import { GraphQLService } from './graphql/index.js';
-import { isSystemCollection } from '@directus/system-data';
 const env = useEnv();
 export class SpecificationService {
     accountability;
@@ -16,29 +19,38 @@ export class SpecificationService {
     schema;
     oas;
     graphql;
-    constructor({ accountability, knex, schema }) {
-        this.accountability = accountability || null;
-        this.knex = knex || getDatabase();
-        this.schema = schema;
-        this.oas = new OASSpecsService({ knex, schema, accountability });
-        this.graphql = new GraphQLSpecsService({ knex, schema, accountability });
+    constructor(options) {
+        this.accountability = options.accountability || null;
+        this.knex = options.knex || getDatabase();
+        this.schema = options.schema;
+        this.oas = new OASSpecsService(options);
+        this.graphql = new GraphQLSpecsService(options);
     }
 }
 class OASSpecsService {
     accountability;
     knex;
     schema;
-    constructor({ knex, schema, accountability }) {
-        this.accountability = accountability || null;
-        this.knex = knex || getDatabase();
-        this.schema =
-            this.accountability?.admin === true ? schema : reduceSchema(schema, accountability?.permissions || null);
+    constructor(options) {
+        this.accountability = options.accountability || null;
+        this.knex = options.knex || getDatabase();
+        this.schema = options.schema;
     }
     async generate(host) {
-        const permissions = this.accountability?.permissions ?? [];
-        const tags = await this.generateTags();
+        let schema = this.schema;
+        let permissions = [];
+        if (this.accountability && this.accountability.admin !== true) {
+            const allowedFields = await fetchAllowedFieldMap({
+                accountability: this.accountability,
+                action: 'read',
+            }, { schema, knex: this.knex });
+            schema = reduceSchema(schema, allowedFields);
+            const policies = await fetchPolicies(this.accountability, { schema, knex: this.knex });
+            permissions = await fetchPermissions({ action: 'read', policies, accountability: this.accountability }, { schema, knex: this.knex });
+        }
+        const tags = await this.generateTags(schema);
         const paths = await this.generatePaths(permissions, tags);
-        const components = await this.generateComponents(tags);
+        const components = await this.generateComponents(schema, tags);
         const isDefaultPublicUrl = env['PUBLIC_URL'] === '/';
         const url = isDefaultPublicUrl && host ? host : env['PUBLIC_URL'];
         const spec = {
@@ -62,9 +74,9 @@ class OASSpecsService {
             spec.components = components;
         return spec;
     }
-    async generateTags() {
+    async generateTags(schema) {
         const systemTags = cloneDeep(spec.tags);
-        const collections = Object.values(this.schema.collections);
+        const collections = Object.values(schema.collections);
         const tags = [];
         for (const systemTag of systemTags) {
             // Check if necessary authentication level is given
@@ -246,7 +258,7 @@ class OASSpecsService {
         }
         return paths;
     }
-    async generateComponents(tags) {
+    async generateComponents(schema, tags) {
         if (!tags)
             return;
         let components = cloneDeep(spec.components);
@@ -264,7 +276,7 @@ class OASSpecsService {
                 };
             }
         }
-        const collections = Object.values(this.schema.collections);
+        const collections = Object.values(schema.collections);
         for (const collection of collections) {
             const tag = tags.find((tag) => tag['x-collection'] === collection.collection);
             if (!tag)
@@ -277,7 +289,7 @@ class OASSpecsService {
                 schemaComponent['x-collection'] = collection.collection;
                 for (const field of fieldsInCollection) {
                     schemaComponent.properties[field.field] =
-                        cloneDeep(spec.components.schemas[tag.name].properties[field.field]) || this.generateField(collection.collection, field, tags);
+                        cloneDeep(spec.components.schemas[tag.name].properties[field.field]) || this.generateField(schema, collection.collection, field, tags);
                 }
                 components.schemas[tag.name] = schemaComponent;
             }
@@ -288,7 +300,7 @@ class OASSpecsService {
                     'x-collection': collection.collection,
                 };
                 for (const field of fieldsInCollection) {
-                    schemaComponent.properties[field.field] = this.generateField(collection.collection, field, tags);
+                    schemaComponent.properties[field.field] = this.generateField(schema, collection.collection, field, tags);
                 }
                 components.schemas[tag.name] = schemaComponent;
             }
@@ -311,13 +323,13 @@ class OASSpecsService {
                 return 'read';
         }
     }
-    generateField(collection, field, tags) {
+    generateField(schema, collection, field, tags) {
         let propertyObject = {};
         propertyObject.nullable = field.nullable;
         if (field.note) {
             propertyObject.description = field.note;
         }
-        const relation = this.schema.relations.find((relation) => (relation.collection === collection && relation.field === field.field) ||
+        const relation = schema.relations.find((relation) => (relation.collection === collection && relation.field === field.field) ||
             (relation.related_collection === collection && relation.meta?.one_field === field.field));
         if (!relation) {
             propertyObject = {
@@ -335,10 +347,10 @@ class OASSpecsService {
                 const relatedTag = tags.find((tag) => tag['x-collection'] === relation.related_collection);
                 if (!relatedTag ||
                     !relation.related_collection ||
-                    relation.related_collection in this.schema.collections === false) {
+                    relation.related_collection in schema.collections === false) {
                     return propertyObject;
                 }
-                const relatedCollection = this.schema.collections[relation.related_collection];
+                const relatedCollection = schema.collections[relation.related_collection];
                 const relatedPrimaryKeyField = relatedCollection.fields[relatedCollection.primary];
                 propertyObject.oneOf = [
                     {
@@ -351,10 +363,10 @@ class OASSpecsService {
             }
             else if (relationType === 'o2m') {
                 const relatedTag = tags.find((tag) => tag['x-collection'] === relation.collection);
-                if (!relatedTag || !relation.related_collection || relation.collection in this.schema.collections === false) {
+                if (!relatedTag || !relation.related_collection || relation.collection in schema.collections === false) {
                     return propertyObject;
                 }
-                const relatedCollection = this.schema.collections[relation.collection];
+                const relatedCollection = schema.collections[relation.collection];
                 const relatedPrimaryKeyField = relatedCollection.fields[relatedCollection.primary];
                 if (!relatedTag || !relatedPrimaryKeyField)
                     return propertyObject;

package/dist/services/users.d.ts

@@ -1,4 +1,4 @@
-import type { Item, PrimaryKey, Query, RegisterUserInput } from '@directus/types';
+import type { Item, PrimaryKey, RegisterUserInput } from '@directus/types';
 import type { AbstractServiceOptions, MutationOptions } from '../types/index.js';
 import { ItemsService } from './items.js';
 export declare class UsersService extends ItemsService {
@@ -13,11 +13,6 @@ export declare class UsersService extends ItemsService {
      * directus_settings.auth_password_policy
      */
     private checkPasswordPolicy;
-    private checkRemainingAdminExistence;
-    /**
-     * Make sure there's at least one active admin user when updating user status
-     */
-    private checkRemainingActiveAdmin;
     /**
      * Get basic information of user identified by email
      */
@@ -38,32 +33,19 @@ export declare class UsersService extends ItemsService {
      * Create multiple new users
      */
     createMany(data: Partial<Item>[], opts?: MutationOptions): Promise<PrimaryKey[]>;
-    /**
-     * Update many users by query
-     */
-    updateByQuery(query: Query, data: Partial<Item>, opts?: MutationOptions): Promise<PrimaryKey[]>;
-    /**
-     * Update a single user by primary key
-     */
-    updateOne(key: PrimaryKey, data: Partial<Item>, opts?: MutationOptions): Promise<PrimaryKey>;
-    updateBatch(data: Partial<Item>[], opts?: MutationOptions): Promise<PrimaryKey[]>;
     /**
      * Update many users by primary key
      */
     updateMany(keys: PrimaryKey[], data: Partial<Item>, opts?: MutationOptions): Promise<PrimaryKey[]>;
-    /**
-     * Delete a single user by primary key
-     */
-    deleteOne(key: PrimaryKey, opts?: MutationOptions): Promise<PrimaryKey>;
     /**
      * Delete multiple users by primary key
      */
     deleteMany(keys: PrimaryKey[], opts?: MutationOptions): Promise<PrimaryKey[]>;
-    deleteByQuery(query: Query, opts?: MutationOptions): Promise<PrimaryKey[]>;
     inviteUser(email: string | string[], role: string, url: string | null, subject?: string | null): Promise<void>;
     acceptInvite(token: string, password: string): Promise<void>;
     registerUser(input: RegisterUserInput): Promise<void>;
     verifyRegistration(token: string): Promise<string>;
     requestPasswordReset(email: string, url: string | null, subject?: string | null): Promise<void>;
     resetPassword(token: string, password: string): Promise<void>;
+    private clearCaches;
 }

package/dist/services/users.js

@@ -1,23 +1,22 @@
 import { useEnv } from '@directus/env';
-import { ForbiddenError, InvalidPayloadError, RecordNotUniqueError, UnprocessableContentError } from '@directus/errors';
-import { getSimpleHash, toArray, toBoolean, validatePayload } from '@directus/utils';
+import { ForbiddenError, InvalidPayloadError, RecordNotUniqueError } from '@directus/errors';
+import { getSimpleHash, toArray, validatePayload } from '@directus/utils';
 import { FailedValidationError, joiValidationErrorItemToErrorExtensions } from '@directus/validation';
 import Joi from 'joi';
 import jwt from 'jsonwebtoken';
-import { cloneDeep, isEmpty, mergeWith } from 'lodash-es';
+import { isEmpty } from 'lodash-es';
 import { performance } from 'perf_hooks';
+import { clearSystemCache } from '../cache.js';
 import getDatabase from '../database/index.js';
 import { useLogger } from '../logger.js';
-import { checkIncreasedUserLimits } from '../telemetry/utils/check-increased-user-limits.js';
-import { getRoleCountsByRoles } from '../telemetry/utils/get-role-counts-by-roles.js';
-import { getRoleCountsByUsers } from '../telemetry/utils/get-role-counts-by-users.js';
-import {} from '../telemetry/utils/get-user-count.js';
+import { validateRemainingAdminUsers } from '../permissions/modules/validate-remaining-admin/validate-remaining-admin-users.js';
+import { createDefaultAccountability } from '../permissions/utils/create-default-accountability.js';
 import { getSecret } from '../utils/get-secret.js';
 import isUrlAllowed from '../utils/is-url-allowed.js';
 import { verifyJWT } from '../utils/jwt.js';
 import { stall } from '../utils/stall.js';
-import { transaction } from '../utils/transaction.js';
 import { Url } from '../utils/url.js';
+import { UserIntegrityCheckFlag } from '../utils/validate-user-count-integrity.js';
 import { ItemsService } from './items.js';
 import { MailService } from './mail/index.js';
 import { SettingsService } from './settings.js';
@@ -88,42 +87,11 @@ export class UsersService extends ItemsService {
             }
         }
     }
-    async checkRemainingAdminExistence(excludeKeys) {
-        // Make sure there's at least one admin user left after this deletion is done
-        const otherAdminUsers = await this.knex
-            .count('*', { as: 'count' })
-            .from('directus_users')
-            .whereNotIn('directus_users.id', excludeKeys)
-            .andWhere({ 'directus_roles.admin_access': true })
-            .leftJoin('directus_roles', 'directus_users.role', 'directus_roles.id')
-            .first();
-        const otherAdminUsersCount = +(otherAdminUsers?.count || 0);
-        if (otherAdminUsersCount === 0) {
-            throw new UnprocessableContentError({ reason: `You can't remove the last admin user from the role` });
-        }
-    }
-    /**
-     * Make sure there's at least one active admin user when updating user status
-     */
-    async checkRemainingActiveAdmin(excludeKeys) {
-        const otherAdminUsers = await this.knex
-            .count('*', { as: 'count' })
-            .from('directus_users')
-            .whereNotIn('directus_users.id', excludeKeys)
-            .andWhere({ 'directus_roles.admin_access': true })
-            .andWhere({ 'directus_users.status': 'active' })
-            .leftJoin('directus_roles', 'directus_users.role', 'directus_roles.id')
-            .first();
-        const otherAdminUsersCount = +(otherAdminUsers?.count || 0);
-        if (otherAdminUsersCount === 0) {
-            throw new UnprocessableContentError({ reason: `You can't change the active status of the last admin user` });
-        }
-    }
     /**
      * Get basic information of user identified by email
      */
     async getUserByEmail(email) {
-        return await this.knex
+        return this.knex
             .select('id', 'role', 'status', 'password', 'email')
             .from('directus_users')
             .whereRaw(`LOWER(??) = ?`, ['email', email.toLowerCase()])
@@ -158,17 +126,34 @@ export class UsersService extends ItemsService {
     /**
      * Create a new user
      */
-    async createOne(data, opts) {
-        const result = await this.createMany([data], opts);
-        return result[0];
+    async createOne(data, opts = {}) {
+        try {
+            if ('email' in data) {
+                this.validateEmail(data['email']);
+                await this.checkUniqueEmails([data['email']]);
+            }
+            if ('password' in data) {
+                await this.checkPasswordPolicy([data['password']]);
+            }
+        }
+        catch (err) {
+            opts.preMutationError = err;
+        }
+        if (!('status' in data) || data['status'] === 'active') {
+            // Creating a user only requires checking user limits if the user is active, no need to care about the role
+            opts.userIntegrityCheckFlags =
+                (opts.userIntegrityCheckFlags ?? UserIntegrityCheckFlag.None) | UserIntegrityCheckFlag.UserLimits;
+            opts.onRequireUserIntegrityCheck?.(opts.userIntegrityCheckFlags);
+        }
+        return await super.createOne(data, opts);
     }
     /**
      * Create multiple new users
      */
-    async createMany(data, opts) {
-        const emails = data['map']((payload) => payload['email']).filter((email) => email);
-        const passwords = data['map']((payload) => payload['password']).filter((password) => password);
-        const roles = data['map']((payload) => payload['role']).filter((role) => role);
+    async createMany(data, opts = {}) {
+        const emails = data.map((payload) => payload['email']).filter((email) => email);
+        const passwords = data.map((payload) => payload['password']).filter((password) => password);
+        const someActive = data.some((payload) => !('status' in payload) || payload['status'] === 'active');
         try {
             if (emails.length) {
                 this.validateEmail(emails);
@@ -177,128 +162,30 @@ export class UsersService extends ItemsService {
             if (passwords.length) {
                 await this.checkPasswordPolicy(passwords);
             }
-            if (roles.length) {
-                const increasedCounts = {
-                    admin: 0,
-                    app: 0,
-                    api: 0,
-                };
-                const existingRoles = [];
-                for (const role of roles) {
-                    if (typeof role === 'object') {
-                        if ('admin_access' in role && role['admin_access'] === true) {
-                            increasedCounts.admin++;
-                        }
-                        else if ('app_access' in role && role['app_access'] === true) {
-                            increasedCounts.app++;
-                        }
-                        else {
-                            increasedCounts.api++;
-                        }
-                    }
-                    else {
-                        existingRoles.push(role);
-                    }
-                }
-                const existingRoleCounts = await getRoleCountsByRoles(this.knex, existingRoles);
-                mergeWith(increasedCounts, existingRoleCounts, (x, y) => x + y);
-                await checkIncreasedUserLimits(this.knex, increasedCounts);
-            }
         }
         catch (err) {
-            (opts || (opts = {})).preMutationError = err;
+            opts.preMutationError = err;
         }
-        return await super.createMany(data, opts);
-    }
-    /**
-     * Update many users by query
-     */
-    async updateByQuery(query, data, opts) {
-        const keys = await this.getKeysByQuery(query);
-        return keys.length ? await this.updateMany(keys, data, opts) : [];
-    }
-    /**
-     * Update a single user by primary key
-     */
-    async updateOne(key, data, opts) {
-        await this.updateMany([key], data, opts);
-        return key;
-    }
-    async updateBatch(data, opts = {}) {
-        if (!opts.mutationTracker)
-            opts.mutationTracker = this.createMutationTracker();
-        const primaryKeyField = this.schema.collections[this.collection].primary;
-        const keys = [];
-        await transaction(this.knex, async (trx) => {
-            const service = new UsersService({
-                accountability: this.accountability,
-                knex: trx,
-                schema: this.schema,
-            });
-            for (const item of data) {
-                if (!item[primaryKeyField])
-                    throw new InvalidPayloadError({ reason: `User in update misses primary key` });
-                keys.push(await service.updateOne(item[primaryKeyField], item, opts));
-            }
+        if (someActive) {
+            // Creating users only requires checking user limits if the users are active, no need to care about the role
+            opts.userIntegrityCheckFlags =
+                (opts.userIntegrityCheckFlags ?? UserIntegrityCheckFlag.None) | UserIntegrityCheckFlag.UserLimits;
+            opts.onRequireUserIntegrityCheck?.(opts.userIntegrityCheckFlags);
+        }
+        // Use generic ItemsService to avoid calling `UserService.createOne` to avoid additional work of validating emails,
+        // as this requires one query per email if done in `createOne`
+        const itemsService = new ItemsService(this.collection, {
+            schema: this.schema,
+            accountability: this.accountability,
+            knex: this.knex,
         });
-        return keys;
+        return await itemsService.createMany(data, opts);
     }
     /**
      * Update many users by primary key
      */
-    async updateMany(keys, data, opts) {
+    async updateMany(keys, data, opts = {}) {
         try {
-            if (data['role']) {
-                /*
-                 * data['role'] has the following cases:
-                 * - a string with existing role id
-                 * - an object with existing role id for GraphQL mutations
-                 * - an object with data for new role
-                 */
-                const role = data['role']?.id ?? data['role'];
-                let newRole;
-                if (typeof role === 'string') {
-                    newRole = await this.knex
-                        .select('admin_access', 'app_access')
-                        .from('directus_roles')
-                        .where('id', role)
-                        .first();
-                }
-                else {
-                    newRole = role;
-                }
-                if (!newRole?.admin_access) {
-                    await this.checkRemainingAdminExistence(keys);
-                }
-                if (newRole) {
-                    const existingCounts = await getRoleCountsByUsers(this.knex, keys);
-                    const increasedCounts = {
-                        admin: 0,
-                        app: 0,
-                        api: 0,
-                    };
-                    if (toBoolean(newRole.admin_access)) {
-                        increasedCounts.admin = keys.length - existingCounts.admin;
-                    }
-                    else if (toBoolean(newRole.app_access)) {
-                        increasedCounts.app = keys.length - existingCounts.app;
-                    }
-                    else {
-                        increasedCounts.api = keys.length - existingCounts.api;
-                    }
-                    await checkIncreasedUserLimits(this.knex, increasedCounts);
-                }
-            }
-            if (data['role'] === null) {
-                await checkIncreasedUserLimits(this.knex, { admin: 0, app: 0, api: 1 });
-            }
-            if (data['status'] !== undefined && data['status'] !== 'active') {
-                await this.checkRemainingActiveAdmin(keys);
-            }
-            if (data['status'] === 'active') {
-                const increasedCounts = await getRoleCountsByUsers(this.knex, keys, { inactiveUsers: true });
-                await checkIncreasedUserLimits(this.knex, increasedCounts);
-            }
             if (data['email']) {
                 if (keys.length > 1) {
                     throw new RecordNotUniqueError({
@@ -329,26 +216,45 @@ export class UsersService extends ItemsService {
             }
         }
         catch (err) {
-            (opts || (opts = {})).preMutationError = err;
+            opts.preMutationError = err;
         }
-        return await super.updateMany(keys, data, opts);
-    }
-    /**
-     * Delete a single user by primary key
-     */
-    async deleteOne(key, opts) {
-        await this.deleteMany([key], opts);
-        return key;
+        if ('role' in data) {
+            opts.userIntegrityCheckFlags = UserIntegrityCheckFlag.All;
+        }
+        if ('status' in data) {
+            if (data['status'] === 'active') {
+                // User are being activated, no need to check if there are enough admins
+                opts.userIntegrityCheckFlags =
+                    (opts.userIntegrityCheckFlags ?? UserIntegrityCheckFlag.None) | UserIntegrityCheckFlag.UserLimits;
+            }
+            else {
+                opts.userIntegrityCheckFlags = UserIntegrityCheckFlag.All;
+            }
+        }
+        if (opts.userIntegrityCheckFlags) {
+            opts.onRequireUserIntegrityCheck?.(opts.userIntegrityCheckFlags);
+        }
+        const result = await super.updateMany(keys, data, opts);
+        // Only clear the caches if the role has been updated
+        if ('role' in data) {
+            await this.clearCaches(opts);
+        }
+        return result;
     }
     /**
      * Delete multiple users by primary key
      */
-    async deleteMany(keys, opts) {
-        try {
-            await this.checkRemainingAdminExistence(keys);
+    async deleteMany(keys, opts = {}) {
+        if (opts?.onRequireUserIntegrityCheck) {
+            opts.onRequireUserIntegrityCheck(opts?.userIntegrityCheckFlags ?? UserIntegrityCheckFlag.None);
         }
-        catch (err) {
-            (opts || (opts = {})).preMutationError = err;
+        else {
+            try {
+                await validateRemainingAdminUsers({ excludeUsers: keys }, { knex: this.knex, schema: this.schema });
+            }
+            catch (err) {
+                opts.preMutationError = err;
+            }
         }
         // Manual constraint, see https://github.com/directus/directus/pull/19912
         await this.knex('directus_notifications').update({ sender: null }).whereIn('sender', keys);
@@ -356,21 +262,6 @@ export class UsersService extends ItemsService {
         await super.deleteMany(keys, opts);
         return keys;
     }
-    async deleteByQuery(query, opts) {
-        const primaryKeyField = this.schema.collections[this.collection].primary;
-        const readQuery = cloneDeep(query);
-        readQuery.fields = [primaryKeyField];
-        // Not authenticated:
-        const itemsService = new ItemsService(this.collection, {
-            knex: this.knex,
-            schema: this.schema,
-        });
-        const itemsToDelete = await itemsService.readByQuery(readQuery);
-        const keys = itemsToDelete.map((item) => item[primaryKeyField]);
-        if (keys.length === 0)
-            return [];
-        return await this.deleteMany(keys, opts);
-    }
     async inviteUser(email, role, url, subject) {
         const opts = {};
         try {
@@ -586,10 +477,16 @@ export class UsersService extends ItemsService {
             knex: this.knex,
             schema: this.schema,
             accountability: {
-                ...(this.accountability ?? { role: null }),
+                ...(this.accountability ?? createDefaultAccountability()),
                 admin: true, // We need to skip permissions checks for the update call below
             },
         });
         await service.updateOne(user.id, { password, status: 'active' }, opts);
     }
+    async clearCaches(opts) {
+        await clearSystemCache({ autoPurgeCache: opts?.autoPurgeCache });
+        if (this.cache && opts?.autoPurgeCache !== false) {
+            await this.cache.clear();
+        }
+    }
 }

package/dist/services/utils.js

@@ -3,6 +3,8 @@ import { systemCollectionRows } from '@directus/system-data';
 import { clearSystemCache, getCache } from '../cache.js';
 import getDatabase from '../database/index.js';
 import emitter from '../emitter.js';
+import { fetchAllowedFields } from '../permissions/modules/fetch-allowed-fields/fetch-allowed-fields.js';
+import { validateAccess } from '../permissions/modules/validate-access/validate-access.js';
 import { shouldClearCache } from '../utils/should-clear-cache.js';
 export class UtilsService {
     knex;
@@ -20,14 +22,16 @@ export class UtilsService {
         if (!sortField) {
             throw new InvalidPayloadError({ reason: `Collection "${collection}" doesn't have a sort field` });
         }
-        if (this.accountability?.admin !== true) {
-            const permissions = this.accountability?.permissions?.find((permission) => {
-                return permission.collection === collection && permission.action === 'update';
+        if (this.accountability && this.accountability.admin !== true) {
+            await validateAccess({
+                accountability: this.accountability,
+                action: 'update',
+                collection,
+            }, {
+                schema: this.schema,
+                knex: this.knex,
             });
-            if (!permissions) {
-                throw new ForbiddenError();
-            }
-            const allowedFields = permissions.fields ?? [];
+            const allowedFields = await fetchAllowedFields({ collection, action: 'update', accountability: this.accountability }, { schema: this.schema, knex: this.knex });
             if (allowedFields[0] !== '*' && allowedFields.includes(sortField) === false) {
                 throw new ForbiddenError();
             }