npm - @directus/api - Versions diffs - 19.3.0 → 20.0.0-rc.0 - Mend

@directus/api 19.3.0 → 20.0.0-rc.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (287) hide show

package/dist/utils/get-accountability-for-role.js CHANGED Viewed

@@ -1,40 +1,31 @@
-import { getPermissions } from './get-permissions.js';
+import { fetchRolesTree } from '../permissions/lib/fetch-roles-tree.js';
+import { fetchGlobalAccess } from '../permissions/modules/fetch-global-access/fetch-global-access.js';
+import { createDefaultAccountability } from '../permissions/utils/create-default-accountability.js';
 export async function getAccountabilityForRole(role, context) {
-    let generatedAccountability = context.accountability;
+    let generatedAccountability;
     if (role === null) {
-        generatedAccountability = {
-            role: null,
-            user: null,
-            admin: false,
-            app: false,
-        };
-        generatedAccountability.permissions = await getPermissions(generatedAccountability, context.schema);
+        generatedAccountability = createDefaultAccountability();
     }
     else if (role === 'system') {
-        generatedAccountability = {
-            user: null,
-            role: null,
+        generatedAccountability = createDefaultAccountability({
             admin: true,
             app: true,
-            permissions: [],
-        };
+        });
     }
     else {
-        const roleInfo = await context.database
-            .select(['app_access', 'admin_access'])
-            .from('directus_roles')
-            .where({ id: role })
-            .first();
-        if (!roleInfo) {
+        const roles = await fetchRolesTree(role, context.database);
+        // The roles tree should always include the passed role. If it doesn't, it's because it
+        // couldn't be read from the database and therefore doesn't exist
+        if (roles.length === 0) {
             throw new Error(`Configured role "${role}" isn't a valid role ID or doesn't exist.`);
         }
-        generatedAccountability = {
+        const globalAccess = await fetchGlobalAccess({ user: null, roles, ip: context.accountability?.ip ?? null }, context.database);
+        generatedAccountability = createDefaultAccountability({
             role,
+            roles,
             user: null,
-            admin: roleInfo.admin_access === 1 || roleInfo.admin_access === '1' || roleInfo.admin_access === true,
-            app: roleInfo.app_access === 1 || roleInfo.app_access === '1' || roleInfo.app_access === true,
-        };
-        generatedAccountability.permissions = await getPermissions(generatedAccountability, context.schema);
+            ...globalAccess,
+        });
     }
     return generatedAccountability;
 }

package/dist/utils/get-accountability-for-token.js CHANGED Viewed

@@ -1,41 +1,40 @@
 import { InvalidCredentialsError } from '@directus/errors';
 import getDatabase from '../database/index.js';
+import { fetchRolesTree } from '../permissions/lib/fetch-roles-tree.js';
+import { fetchGlobalAccess } from '../permissions/modules/fetch-global-access/fetch-global-access.js';
+import { createDefaultAccountability } from '../permissions/utils/create-default-accountability.js';
 import { getSecret } from './get-secret.js';
 import isDirectusJWT from './is-directus-jwt.js';
-import { verifySessionJWT } from './verify-session-jwt.js';
 import { verifyAccessJWT } from './jwt.js';
+import { verifySessionJWT } from './verify-session-jwt.js';
 export async function getAccountabilityForToken(token, accountability) {
     if (!accountability) {
-        accountability = {
-            user: null,
-            role: null,
-            admin: false,
-            app: false,
-        };
+        accountability = createDefaultAccountability();
     }
+    // Try finding the user with the provided token
+    const database = getDatabase();
     if (token) {
         if (isDirectusJWT(token)) {
             const payload = verifyAccessJWT(token, getSecret());
             if ('session' in payload) {
                 await verifySessionJWT(payload);
             }
-            accountability.role = payload.role;
-            accountability.admin = payload.admin_access === true || payload.admin_access == 1;
-            accountability.app = payload.app_access === true || payload.app_access == 1;
             if (payload.share)
                 accountability.share = payload.share;
             if (payload.share_scope)
                 accountability.share_scope = payload.share_scope;
             if (payload.id)
                 accountability.user = payload.id;
+            accountability.role = payload.role;
+            accountability.roles = await fetchRolesTree(payload.role, database);
+            const { admin, app } = await fetchGlobalAccess(accountability, database);
+            accountability.admin = admin;
+            accountability.app = app;
         }
         else {
-            // Try finding the user with the provided token
-            const database = getDatabase();
             const user = await database
-                .select('directus_users.id', 'directus_users.role', 'directus_roles.admin_access', 'directus_roles.app_access')
+                .select('directus_users.id', 'directus_users.role')
                 .from('directus_users')
-                .leftJoin('directus_roles', 'directus_users.role', 'directus_roles.id')
                 .where({
                 'directus_users.token': token,
                 status: 'active',
@@ -46,8 +45,10 @@ export async function getAccountabilityForToken(token, accountability) {
             }
             accountability.user = user.id;
             accountability.role = user.role;
-            accountability.admin = user.admin_access === true || user.admin_access == 1;
-            accountability.app = user.app_access === true || user.app_access == 1;
+            accountability.roles = await fetchRolesTree(user.role, database);
+            const { admin, app } = await fetchGlobalAccess(accountability, database);
+            accountability.admin = admin;
+            accountability.app = app;
         }
     }
     return accountability;

package/dist/utils/get-cache-key.d.ts CHANGED Viewed

@@ -1,3 +1,3 @@
 /// <reference types="cookie-parser" />
 import type { Request } from 'express';
-export declare function getCacheKey(req: Request): string;
+export declare function getCacheKey(req: Request): Promise<string>;

package/dist/utils/get-cache-key.js CHANGED Viewed

@@ -1,15 +1,26 @@
 import hash from 'object-hash';
 import url from 'url';
+import getDatabase from '../database/index.js';
+import { fetchPoliciesIpAccess } from '../permissions/modules/fetch-policies-ip-access/fetch-policies-ip-access.js';
 import { getGraphqlQueryAndVariables } from './get-graphql-query-and-variables.js';
 import { version } from 'directus/version';
-export function getCacheKey(req) {
+import { ipInNetworks } from './ip-in-networks.js';
+export async function getCacheKey(req) {
     const path = url.parse(req.originalUrl).pathname;
     const isGraphQl = path?.startsWith('/graphql');
+    let includeIp = false;
+    if (req.accountability && req.accountability.ip) {
+        // Check if the IP influences the result of the request, that can be the case if some policies have an ip_access
+        // filter and the request IP matches any of those filters
+        const ipFilters = await fetchPoliciesIpAccess(req.accountability, getDatabase());
+        includeIp = ipFilters.length > 0 && ipFilters.some((networks) => ipInNetworks(req.accountability.ip, networks));
+    }
     const info = {
         version,
         user: req.accountability?.user || null,
         path,
         query: isGraphQl ? getGraphqlQueryAndVariables(req) : req.sanitizedQuery,
+        ...(includeIp && { ip: req.accountability.ip }),
     };
     const key = hash(info);
     return key;

package/dist/utils/get-column.d.ts CHANGED Viewed

@@ -1,7 +1,8 @@
-import type { Query, SchemaOverview } from '@directus/types';
+import type { Filter, Query, SchemaOverview } from '@directus/types';
 import type { Knex } from 'knex';
 type GetColumnOptions = {
     query?: Query | undefined;
+    cases?: Filter[];
     originalCollectionName?: string | undefined;
 };
 /**

package/dist/utils/get-column.js CHANGED Viewed

@@ -30,6 +30,7 @@ export function getColumn(knex, table, column, alias = applyFunctionToColumnName
             const result = fn[functionName](table, columnName, {
                 type,
                 query: options?.query,
+                cases: options?.cases,
                 originalCollectionName: options?.originalCollectionName,
             });
             if (alias) {

package/dist/utils/get-graphql-type.js CHANGED Viewed

@@ -24,6 +24,7 @@ export function getGraphQLType(localType, special) {
             return GraphQLJSON;
         case 'geometry':
             return GraphQLGeoJSON;
+        case 'time':
         case 'timestamp':
         case 'dateTime':
         case 'date':

package/dist/utils/get-service.d.ts CHANGED Viewed

@@ -2,6 +2,6 @@ import { ItemsService } from '../services/index.js';
 import type { AbstractServiceOptions } from '../types/services.js';
 /**
  * Select the correct service for the given collection. This allows the individual services to run
- * their custom checks (f.e. it allows UsersService to prevent updating TFA secret from outside)
+ * their custom checks (f.e. it allows `UsersService` to prevent updating TFA secret from outside).
  */
 export declare function getService(collection: string, opts: AbstractServiceOptions): ItemsService;

package/dist/utils/get-service.js CHANGED Viewed

@@ -1,18 +1,17 @@
-import { ActivityService, DashboardsService, FilesService, FlowsService, FoldersService, ItemsService, NotificationsService, OperationsService, PanelsService, PermissionsService, PresetsService, RevisionsService, RolesService, SettingsService, SharesService, UsersService, VersionsService, WebhooksService, } from '../services/index.js';
+import { ForbiddenError } from '@directus/errors';
+import { AccessService, ActivityService, DashboardsService, FilesService, FlowsService, FoldersService, ItemsService, NotificationsService, OperationsService, PanelsService, PermissionsService, PoliciesService, PresetsService, RevisionsService, RolesService, SettingsService, SharesService, TranslationsService, UsersService, VersionsService, WebhooksService, } from '../services/index.js';
 /**
  * Select the correct service for the given collection. This allows the individual services to run
- * their custom checks (f.e. it allows UsersService to prevent updating TFA secret from outside)
+ * their custom checks (f.e. it allows `UsersService` to prevent updating TFA secret from outside).
  */
 export function getService(collection, opts) {
     switch (collection) {
+        case 'directus_access':
+            return new AccessService(opts);
         case 'directus_activity':
             return new ActivityService(opts);
-        // case 'directus_collections':
-        // 	return new CollectionsService(opts);
         case 'directus_dashboards':
             return new DashboardsService(opts);
-        // case 'directus_fields':
-        // 	return new FieldsService(opts);
         case 'directus_files':
             return new FilesService(opts);
         case 'directus_flows':
@@ -29,8 +28,8 @@ export function getService(collection, opts) {
             return new PermissionsService(opts);
         case 'directus_presets':
             return new PresetsService(opts);
-        // case 'directus_relations':
-        // 	return new RelationsService(opts);
+        case 'directus_policies':
+            return new PoliciesService(opts);
         case 'directus_revisions':
             return new RevisionsService(opts);
         case 'directus_roles':
@@ -39,13 +38,18 @@ export function getService(collection, opts) {
             return new SettingsService(opts);
         case 'directus_shares':
             return new SharesService(opts);
+        case 'directus_translations':
+            return new TranslationsService(opts);
         case 'directus_users':
             return new UsersService(opts);
-        case 'directus_webhooks':
-            return new WebhooksService(opts);
         case 'directus_versions':
             return new VersionsService(opts);
+        case 'directus_webhooks':
+            return new WebhooksService(opts);
         default:
+            // Deny usage of other system collections via ItemsService
+            if (collection.startsWith('directus_'))
+                throw new ForbiddenError();
             return new ItemsService(collection, opts);
     }
 }

package/dist/utils/reduce-schema.d.ts CHANGED Viewed

@@ -1,9 +1,7 @@
-import type { Permission, PermissionsAction, SchemaOverview } from '@directus/types';
+import type { SchemaOverview } from '@directus/types';
+import type { FieldMap } from '../permissions/modules/fetch-allowed-field-map/fetch-allowed-field-map.js';
 /**
  * Reduces the schema based on the included permissions. The resulting object is the schema structure, but with only
- * the allowed collections/fields/relations included based on the permissions.
- * @param schema The full project schema
- * @param actions Array of permissions actions (crud)
- * @returns Reduced schema
+ * the allowed collections/fields/relations included based on the passed field map.
  */
-export declare function reduceSchema(schema: SchemaOverview, permissions: Permission[] | null, actions?: PermissionsAction[]): SchemaOverview;
+export declare function reduceSchema(schema: SchemaOverview, fieldMap: FieldMap): SchemaOverview;

package/dist/utils/reduce-schema.js CHANGED Viewed

@@ -1,40 +1,20 @@
-import { uniq } from 'lodash-es';
 /**
  * Reduces the schema based on the included permissions. The resulting object is the schema structure, but with only
- * the allowed collections/fields/relations included based on the permissions.
- * @param schema The full project schema
- * @param actions Array of permissions actions (crud)
- * @returns Reduced schema
+ * the allowed collections/fields/relations included based on the passed field map.
  */
-export function reduceSchema(schema, permissions, actions = ['create', 'read', 'update', 'delete']) {
+export function reduceSchema(schema, fieldMap) {
     const reduced = {
         collections: {},
         relations: [],
     };
-    const allowedFieldsInCollection = permissions
-        ?.filter((permission) => actions.includes(permission.action))
-        .reduce((acc, permission) => {
-        if (!acc[permission.collection]) {
-            acc[permission.collection] = [];
-        }
-        if (permission.fields) {
-            acc[permission.collection] = uniq([...acc[permission.collection], ...permission.fields]);
-        }
-        return acc;
-    }, {}) ?? {};
     for (const [collectionName, collection] of Object.entries(schema.collections)) {
-        if (!permissions?.some((permission) => permission.collection === collectionName && actions.includes(permission.action))) {
-            continue;
-        }
         const fields = {};
         for (const [fieldName, field] of Object.entries(schema.collections[collectionName].fields)) {
-            if (!allowedFieldsInCollection[collectionName]?.includes('*') &&
-                !allowedFieldsInCollection[collectionName]?.includes(fieldName)) {
+            if (!fieldMap[collectionName]?.includes('*') && !fieldMap[collectionName]?.includes(fieldName)) {
                 continue;
             }
             const o2mRelation = schema.relations.find((relation) => relation.related_collection === collectionName && relation.meta?.one_field === fieldName);
-            if (o2mRelation &&
-                !permissions?.some((permission) => permission.collection === o2mRelation.collection && actions.includes(permission.action))) {
+            if (o2mRelation && !fieldMap[collectionName]) {
                 continue;
             }
             fields[fieldName] = field;
@@ -47,29 +27,29 @@ export function reduceSchema(schema, permissions, actions = ['create', 'read', '
     reduced.relations = schema.relations.filter((relation) => {
         let collectionsAllowed = true;
         let fieldsAllowed = true;
-        if (Object.keys(allowedFieldsInCollection).includes(relation.collection) === false) {
+        if (Object.keys(fieldMap).includes(relation.collection) === false) {
             collectionsAllowed = false;
         }
         if (relation.related_collection &&
-            (Object.keys(allowedFieldsInCollection).includes(relation.related_collection) === false ||
+            (Object.keys(fieldMap).includes(relation.related_collection) === false ||
                 // Ignore legacy permissions with an empty fields array
-                allowedFieldsInCollection[relation.related_collection]?.length === 0)) {
+                fieldMap[relation.related_collection]?.length === 0)) {
             collectionsAllowed = false;
         }
         if (relation.meta?.one_allowed_collections &&
-            relation.meta.one_allowed_collections.every((collection) => Object.keys(allowedFieldsInCollection).includes(collection)) === false) {
+            relation.meta.one_allowed_collections.every((collection) => Object.keys(fieldMap).includes(collection)) === false) {
             collectionsAllowed = false;
         }
-        if (!allowedFieldsInCollection[relation.collection] ||
-            (allowedFieldsInCollection[relation.collection]?.includes('*') === false &&
-                allowedFieldsInCollection[relation.collection]?.includes(relation.field) === false)) {
+        if (!fieldMap[relation.collection] ||
+            (fieldMap[relation.collection]?.includes('*') === false &&
+                fieldMap[relation.collection]?.includes(relation.field) === false)) {
             fieldsAllowed = false;
         }
         if (relation.related_collection &&
             relation.meta?.one_field &&
-            (!allowedFieldsInCollection[relation.related_collection] ||
-                (allowedFieldsInCollection[relation.related_collection]?.includes('*') === false &&
-                    allowedFieldsInCollection[relation.related_collection]?.includes(relation.meta?.one_field) === false))) {
+            (!fieldMap[relation.related_collection] ||
+                (fieldMap[relation.related_collection]?.includes('*') === false &&
+                    fieldMap[relation.related_collection]?.includes(relation.meta?.one_field) === false))) {
             fieldsAllowed = false;
         }
         return collectionsAllowed && fieldsAllowed;

package/dist/utils/validate-user-count-integrity.d.ts ADDED Viewed

@@ -0,0 +1,13 @@
+import { type FetchUserCountOptions } from './fetch-user-count/fetch-user-count.js';
+export declare enum UserIntegrityCheckFlag {
+    None = 0,
+    /** Check if the number of remaining admin users is greater than 0 */
+    RemainingAdmins = 1,
+    /** Check if the number of users is within the limits */
+    UserLimits = 2,
+    All = 3
+}
+export interface ValidateUserCountIntegrityOptions extends Omit<FetchUserCountOptions, 'adminOnly'> {
+    flags: UserIntegrityCheckFlag;
+}
+export declare function validateUserCountIntegrity(options: ValidateUserCountIntegrityOptions): Promise<void>;

package/dist/utils/validate-user-count-integrity.js ADDED Viewed

@@ -0,0 +1,29 @@
+import { validateRemainingAdminCount } from '../permissions/modules/validate-remaining-admin/validate-remaining-admin-count.js';
+import { checkUserLimits } from '../telemetry/utils/check-user-limits.js';
+import { shouldCheckUserLimits } from '../telemetry/utils/should-check-user-limits.js';
+import { fetchUserCount } from './fetch-user-count/fetch-user-count.js';
+export var UserIntegrityCheckFlag;
+(function (UserIntegrityCheckFlag) {
+    UserIntegrityCheckFlag[UserIntegrityCheckFlag["None"] = 0] = "None";
+    /** Check if the number of remaining admin users is greater than 0 */
+    UserIntegrityCheckFlag[UserIntegrityCheckFlag["RemainingAdmins"] = 1] = "RemainingAdmins";
+    /** Check if the number of users is within the limits */
+    UserIntegrityCheckFlag[UserIntegrityCheckFlag["UserLimits"] = 2] = "UserLimits";
+    UserIntegrityCheckFlag[UserIntegrityCheckFlag["All"] = 3] = "All";
+})(UserIntegrityCheckFlag || (UserIntegrityCheckFlag = {}));
+export async function validateUserCountIntegrity(options) {
+    const validateUserLimits = (options.flags & UserIntegrityCheckFlag.UserLimits) !== 0;
+    const validateRemainingAdminUsers = (options.flags & UserIntegrityCheckFlag.RemainingAdmins) !== 0;
+    const limitCheck = validateUserLimits && shouldCheckUserLimits();
+    if (!validateRemainingAdminUsers && !limitCheck) {
+        return;
+    }
+    const adminOnly = validateRemainingAdminUsers && !limitCheck;
+    const userCounts = await fetchUserCount({ ...options, adminOnly });
+    if (limitCheck) {
+        await checkUserLimits(userCounts);
+    }
+    if (validateRemainingAdminUsers) {
+        validateRemainingAdminCount(userCounts.admin);
+    }
+}

package/dist/websocket/authenticate.d.ts CHANGED Viewed

@@ -1,6 +1,4 @@
-import type { Accountability } from '@directus/types';
 import type { BasicAuthMessage } from './messages.js';
 import type { AuthenticationState } from './types.js';
 export declare function authenticateConnection(message: BasicAuthMessage & Record<string, any>): Promise<AuthenticationState>;
-export declare function refreshAccountability(accountability: Accountability | null | undefined): Promise<Accountability>;
 export declare function authenticationSuccess(uid?: string | number, refresh_token?: string): string;

package/dist/websocket/authenticate.js CHANGED Viewed

@@ -1,7 +1,6 @@
 import { DEFAULT_AUTH_PROVIDER } from '../constants.js';
 import { AuthenticationService } from '../services/index.js';
 import { getAccountabilityForToken } from '../utils/get-accountability-for-token.js';
-import { getPermissions } from '../utils/get-permissions.js';
 import { getSchema } from '../utils/get-schema.js';
 import { WebSocketError } from './errors.js';
 import { getExpiresAtForToken } from './utils/get-expires-at-for-token.js';
@@ -33,17 +32,6 @@ export async function authenticateConnection(message) {
         throw new WebSocketError('auth', 'AUTH_FAILED', 'Authentication failed.', message['uid']);
     }
 }
-export async function refreshAccountability(accountability) {
-    accountability = accountability ?? {
-        role: null,
-        user: null,
-        admin: false,
-        app: false,
-    };
-    const schema = await getSchema();
-    const permissions = await getPermissions(accountability, schema);
-    return { ...accountability, permissions };
-}
 export function authenticationSuccess(uid, refresh_token) {
     const message = {
         type: 'auth',

package/dist/websocket/controllers/graphql.js CHANGED Viewed

@@ -4,7 +4,7 @@ import { useLogger } from '../../logger.js';
 import { bindPubSub } from '../../services/graphql/subscription.js';
 import { GraphQLService } from '../../services/index.js';
 import { getSchema } from '../../utils/get-schema.js';
-import { authenticateConnection, refreshAccountability } from '../authenticate.js';
+import { authenticateConnection } from '../authenticate.js';
 import { handleWebSocketError } from '../errors.js';
 import { ConnectionParams, WebSocketMessage } from '../messages.js';
 import { getMessageType } from '../utils/message.js';
@@ -64,9 +64,6 @@ export class GraphQLSubscriptionController extends SocketController {
                             client.close(CloseCode.Forbidden, 'Forbidden');
                             return;
                         }
-                        else {
-                            client.accountability = await refreshAccountability(client.accountability);
-                        }
                         await cb(JSON.stringify(message));
                     }
                     catch (error) {

package/dist/websocket/controllers/hooks.js CHANGED Viewed

@@ -7,19 +7,23 @@ export function registerWebSocketEvents() {
     actionsRegistered = true;
     registerActionHooks([
         'items',
+        'access',
         'activity',
         'collections',
         'dashboards',
+        'flows',
         'folders',
         'notifications',
         'operations',
         'panels',
         'permissions',
+        'policies',
         'presets',
         'revisions',
         'roles',
         'settings',
         'shares',
+        'translations',
         'users',
         'versions',
         'webhooks',

package/dist/websocket/controllers/rest.js CHANGED Viewed

@@ -2,7 +2,6 @@ import { useEnv } from '@directus/env';
 import { parseJSON } from '@directus/utils';
 import emitter from '../../emitter.js';
 import { useLogger } from '../../logger.js';
-import { refreshAccountability } from '../authenticate.js';
 import { WebSocketError, handleWebSocketError } from '../errors.js';
 import { WebSocketMessage } from '../messages.js';
 import SocketController from './base.js';
@@ -20,7 +19,6 @@ export class WebSocketController extends SocketController {
         client.on('parsed-message', async (message) => {
             try {
                 message = WebSocketMessage.parse(await emitter.emitFilter('websocket.message', message, { client }));
-                client.accountability = await refreshAccountability(client.accountability);
                 emitter.emitAction('websocket.message', { message, client });
             }
             catch (error) {

package/dist/websocket/handlers/subscribe.js CHANGED Viewed

@@ -4,7 +4,6 @@ import { useBus } from '../../bus/index.js';
 import emitter from '../../emitter.js';
 import { getSchema } from '../../utils/get-schema.js';
 import { sanitizeQuery } from '../../utils/sanitize-query.js';
-import { refreshAccountability } from '../authenticate.js';
 import { WebSocketError, handleWebSocketError } from '../errors.js';
 import { WebSocketSubscribeMessage } from '../messages.js';
 import { getPayload } from '../utils/items.js';
@@ -112,7 +111,6 @@ export class SubscribeHandler {
                     continue;
             }
             try {
-                client.accountability = await refreshAccountability(client.accountability);
                 const result = await getPayload(subscription, client.accountability, schema, event);
                 if (Array.isArray(result?.['data']) && result?.['data']?.length === 0)
                     continue;

package/dist/websocket/utils/items.d.ts CHANGED Viewed

@@ -39,5 +39,5 @@ export declare function getFieldsPayload(subscription: PSubscription, accountabi
  * @param event Event data
  * @returns the fetched data
  */
-export declare function getItemsPayload(subscription: PSubscription, accountability: Accountability | null, schema: SchemaOverview, event?: WebSocketEvent): Promise<string | number | import("@directus/types").Item | (string | number)[] | import("@directus/types").Item[]>;
+export declare function getItemsPayload(subscription: PSubscription, accountability: Accountability | null, schema: SchemaOverview, event?: WebSocketEvent): Promise<string | number | (string | number)[] | import("@directus/types").Item | import("@directus/types").Item[]>;
 export {};

package/dist/websocket/utils/items.js CHANGED Viewed

@@ -1,5 +1,6 @@
-import { getService } from '../../utils/get-service.js';
+import { InvalidPayloadError } from '@directus/errors';
 import { CollectionsService, FieldsService, MetaService } from '../../services/index.js';
+import { getService } from '../../utils/get-service.js';
 /**
  * Get items from a collection using the appropriate service
  *
@@ -24,6 +25,8 @@ export async function getPayload(subscription, accountability, schema, event) {
         case 'directus_relations':
             result['data'] = event?.payload;
             break;
+        case 'directus_extensions':
+            throw new InvalidPayloadError({ reason: '"directus_extensions" is currently not supported.' });
         default:
             result['data'] = await getItemsPayload(subscription, accountability, schema, event);
             break;