@directus/api 19.3.1 → 20.0.0-rc.0

package/dist/services/items.js

@@ -1,19 +1,22 @@
 import { Action } from '@directus/constants';
 import { useEnv } from '@directus/env';
-import { ForbiddenError, InvalidPayloadError } from '@directus/errors';
+import { ErrorCode, ForbiddenError, InvalidPayloadError, isDirectusError } from '@directus/errors';
 import { isSystemCollection } from '@directus/system-data';
 import { assign, clone, cloneDeep, omit, pick, without } from 'lodash-es';
 import { getCache } from '../cache.js';
 import { translateDatabaseError } from '../database/errors/translate.js';
+import { getAstFromQuery } from '../database/get-ast-from-query/get-ast-from-query.js';
 import { getHelpers } from '../database/helpers/index.js';
 import getDatabase from '../database/index.js';
-import runAST from '../database/run-ast.js';
+import { runAst } from '../database/run-ast/run-ast.js';
 import emitter from '../emitter.js';
-import getASTFromQuery from '../utils/get-ast-from-query.js';
+import { processAst } from '../permissions/modules/process-ast/process-ast.js';
+import { processPayload } from '../permissions/modules/process-payload/process-payload.js';
+import { validateAccess } from '../permissions/modules/validate-access/validate-access.js';
 import { shouldClearCache } from '../utils/should-clear-cache.js';
 import { transaction } from '../utils/transaction.js';
 import { validateKeys } from '../utils/validate-keys.js';
-import { AuthorizationService } from './authorization.js';
+import { UserIntegrityCheckFlag, validateUserCountIntegrity } from '../utils/validate-user-count-integrity.js';
 import { PayloadService } from './payload.js';
 const env = useEnv();
 export class ItemsService {
@@ -32,6 +35,20 @@ export class ItemsService {
         this.cache = getCache().cache;
         return this;
     }
+    /**
+     * Create a fork of the current service, allowing instantiation with different options.
+     */
+    fork(options) {
+        const Service = this.constructor;
+        // ItemsService expects `collection` and `options` as parameters,
+        // while the other services only expect `options`
+        const isItemsService = Service.length === 2;
+        const newOptions = { knex: this.knex, accountability: this.accountability, schema: this.schema, ...options };
+        if (isItemsService) {
+            return new ItemsService(this.collection, newOptions);
+        }
+        return new Service(newOptions);
+    }
     createMutationTracker(initialCount = 0) {
         const maxCount = Number(env['MAX_BATCH_MUTATION']);
         let mutationCount = initialCount;
@@ -84,17 +101,13 @@ export class ItemsService {
         // that any errors thrown in any nested relational changes will bubble up and cancel the whole
         // update tree
         const primaryKey = await transaction(this.knex, async (trx) => {
-            // We're creating new services instances so they can use the transaction as their Knex interface
-            const payloadService = new PayloadService(this.collection, {
-                accountability: this.accountability,
-                knex: trx,
-                schema: this.schema,
-            });
-            const authorizationService = new AuthorizationService({
+            const serviceOptions = {
                 accountability: this.accountability,
                 knex: trx,
                 schema: this.schema,
-            });
+            };
+            // We're creating new services instances so they can use the transaction as their Knex interface
+            const payloadService = new PayloadService(this.collection, serviceOptions);
             // Run all hooks that are attached to this event so the end user has the chance to augment the
             // item that is about to be saved
             const payloadAfterHooks = opts.emitEvents !== false
@@ -109,13 +122,21 @@ export class ItemsService {
                 })
                 : payload;
             const payloadWithPresets = this.accountability
-                ? authorizationService.validatePayload('create', this.collection, payloadAfterHooks)
+                ? await processPayload({
+                    accountability: this.accountability,
+                    action: 'create',
+                    collection: this.collection,
+                    payload: payloadAfterHooks,
+                }, {
+                    knex: trx,
+                    schema: this.schema,
+                })
                 : payloadAfterHooks;
             if (opts.preMutationError) {
                 throw opts.preMutationError;
             }
-            const { payload: payloadWithM2O, revisions: revisionsM2O, nestedActionEvents: nestedActionEventsM2O, } = await payloadService.processM2O(payloadWithPresets, opts);
-            const { payload: payloadWithA2O, revisions: revisionsA2O, nestedActionEvents: nestedActionEventsA2O, } = await payloadService.processA2O(payloadWithM2O, opts);
+            const { payload: payloadWithM2O, revisions: revisionsM2O, nestedActionEvents: nestedActionEventsM2O, userIntegrityCheckFlags: userIntegrityCheckFlagsM2O, } = await payloadService.processM2O(payloadWithPresets, opts);
+            const { payload: payloadWithA2O, revisions: revisionsA2O, nestedActionEvents: nestedActionEventsA2O, userIntegrityCheckFlags: userIntegrityCheckFlagsA2O, } = await payloadService.processA2O(payloadWithM2O, opts);
             const payloadWithoutAliases = pick(payloadWithA2O, without(fields, ...aliases));
             const payloadWithTypeCasting = await payloadService.processValues('create', payloadWithoutAliases);
             // The primary key can already exist in the payload.
@@ -151,7 +172,14 @@ export class ItemsService {
                 }
             }
             catch (err) {
-                throw await translateDatabaseError(err);
+                const dbError = await translateDatabaseError(err);
+                if (isDirectusError(dbError, ErrorCode.RecordNotUnique) && dbError.extensions.primaryKey) {
+                    // This is a MySQL specific thing we need to handle here, since MySQL does not return the field name
+                    // if the unique constraint is the primary key
+                    dbError.extensions.field = pkField?.field ?? null;
+                    delete dbError.extensions.primaryKey;
+                }
+                throw dbError;
             }
             // Most database support returning, those who don't tend to return the PK anyways
             // (MySQL/SQLite). In case the primary key isn't know yet, we'll do a best-attempt at
@@ -166,10 +194,22 @@ export class ItemsService {
             }
             // At this point, the primary key is guaranteed to be set.
             primaryKey = primaryKey;
-            const { revisions: revisionsO2M, nestedActionEvents: nestedActionEventsO2M } = await payloadService.processO2M(payloadWithPresets, primaryKey, opts);
+            const { revisions: revisionsO2M, nestedActionEvents: nestedActionEventsO2M, userIntegrityCheckFlags: userIntegrityCheckFlagsO2M, } = await payloadService.processO2M(payloadWithPresets, primaryKey, opts);
             nestedActionEvents.push(...nestedActionEventsM2O);
             nestedActionEvents.push(...nestedActionEventsA2O);
             nestedActionEvents.push(...nestedActionEventsO2M);
+            const userIntegrityCheckFlags = (opts.userIntegrityCheckFlags ?? UserIntegrityCheckFlag.None) |
+                userIntegrityCheckFlagsM2O |
+                userIntegrityCheckFlagsA2O |
+                userIntegrityCheckFlagsO2M;
+            if (userIntegrityCheckFlags) {
+                if (opts.onRequireUserIntegrityCheck) {
+                    opts.onRequireUserIntegrityCheck(userIntegrityCheckFlags);
+                }
+                else {
+                    await validateUserCountIntegrity({ flags: userIntegrityCheckFlags, knex: trx });
+                }
+            }
             // If this is an authenticated action, and accountability tracking is enabled, save activity row
             if (this.accountability && this.schema.collections[this.collection].accountability !== null) {
                 const activityService = new ActivityService({
@@ -252,16 +292,15 @@ export class ItemsService {
     }
     /**
      * Create multiple new items at once. Inserts all provided records sequentially wrapped in a transaction.
+     *
+     * Uses `this.createOne` under the hood.
      */
     async createMany(data, opts = {}) {
         if (!opts.mutationTracker)
             opts.mutationTracker = this.createMutationTracker();
         const { primaryKeys, nestedActionEvents } = await transaction(this.knex, async (knex) => {
-            const service = new ItemsService(this.collection, {
-                accountability: this.accountability,
-                schema: this.schema,
-                knex: knex,
-            });
+            const service = this.fork({ knex });
+            let userIntegrityCheckFlags = opts.userIntegrityCheckFlags ?? UserIntegrityCheckFlag.None;
             const primaryKeys = [];
             const nestedActionEvents = [];
             const pkField = this.schema.collections[this.collection].primary;
@@ -275,12 +314,21 @@ export class ItemsService {
                 const primaryKey = await service.createOne(payload, {
                     ...(opts || {}),
                     autoPurgeCache: false,
+                    onRequireUserIntegrityCheck: (flags) => (userIntegrityCheckFlags |= flags),
                     bypassEmitAction: (params) => nestedActionEvents.push(params),
                     mutationTracker: opts.mutationTracker,
                     bypassAutoIncrementSequenceReset,
                 });
                 primaryKeys.push(primaryKey);
             }
+            if (userIntegrityCheckFlags) {
+                if (opts.onRequireUserIntegrityCheck) {
+                    opts.onRequireUserIntegrityCheck(userIntegrityCheckFlags);
+                }
+                else {
+                    await validateUserCountIntegrity({ flags: userIntegrityCheckFlags, knex });
+                }
+            }
             return { primaryKeys, nestedActionEvents };
         });
         if (opts.emitEvents !== false) {
@@ -299,7 +347,7 @@ export class ItemsService {
         return primaryKeys;
     }
     /**
-     * Get items by query
+     * Get items by query.
      */
     async readByQuery(query, opts) {
         const updatedQuery = opts?.emitEvents !== false
@@ -313,27 +361,21 @@ export class ItemsService {
                 accountability: this.accountability,
             })
             : query;
-        let ast = await getASTFromQuery(this.collection, updatedQuery, this.schema, {
+        let ast = await getAstFromQuery({
+            collection: this.collection,
+            query: updatedQuery,
             accountability: this.accountability,
-            // By setting the permissions action, you can read items using the permissions for another
-            // operation's permissions. This is used to dynamically check if you have update/delete
-            // access to (a) certain item(s)
-            action: opts?.permissionsAction || 'read',
+        }, {
+            schema: this.schema,
             knex: this.knex,
         });
-        if (this.accountability && this.accountability.admin !== true) {
-            const authorizationService = new AuthorizationService({
-                accountability: this.accountability,
-                knex: this.knex,
-                schema: this.schema,
-            });
-            ast = await authorizationService.processAST(ast, opts?.permissionsAction);
-        }
-        const records = await runAST(ast, this.schema, {
+        ast = await processAst({ ast, action: 'read', accountability: this.accountability }, { knex: this.knex, schema: this.schema });
+        const records = await runAst(ast, this.schema, {
             knex: this.knex,
             // GraphQL requires relational keys to be returned regardless
             stripNonRequested: opts?.stripNonRequested !== undefined ? opts.stripNonRequested : true,
         });
+        // TODO when would this happen?
         if (records === null) {
             throw new ForbiddenError();
         }
@@ -361,7 +403,9 @@ export class ItemsService {
         return filteredRecords;
     }
     /**
-     * Get single item by primary key
+     * Get single item by primary key.
+     *
+     * Uses `this.readByQuery` under the hood.
      */
     async readOne(key, query = {}, opts) {
         const primaryKeyField = this.schema.collections[this.collection].primary;
@@ -375,7 +419,9 @@ export class ItemsService {
         return results[0];
     }
     /**
-     * Get multiple items by primary keys
+     * Get multiple items by primary keys.
+     *
+     * Uses `this.readByQuery` under the hood.
      */
     async readMany(keys, query = {}, opts) {
         const primaryKeyField = this.schema.collections[this.collection].primary;
@@ -390,7 +436,9 @@ export class ItemsService {
         return results;
     }
     /**
-     * Update multiple items by query
+     * Update multiple items by query.
+     *
+     * Uses `this.updateMany` under the hood.
      */
     async updateByQuery(query, data, opts) {
         const keys = await this.getKeysByQuery(query);
@@ -399,7 +447,9 @@ export class ItemsService {
         return keys.length ? await this.updateMany(keys, data, opts) : [];
     }
     /**
-     * Update a single item by primary key
+     * Update a single item by primary key.
+     *
+     * Uses `this.updateMany` under the hood.
      */
     async updateOne(key, data, opts) {
         const primaryKeyField = this.schema.collections[this.collection].primary;
@@ -408,7 +458,9 @@ export class ItemsService {
         return key;
     }
     /**
-     * Update multiple items in a single transaction
+     * Update multiple items in a single transaction.
+     *
+     * Uses `this.updateOne` under the hood.
      */
     async updateBatch(data, opts = {}) {
         if (!Array.isArray(data)) {
@@ -419,17 +471,27 @@ export class ItemsService {
         const primaryKeyField = this.schema.collections[this.collection].primary;
         const keys = [];
         try {
-            await transaction(this.knex, async (trx) => {
-                const service = new ItemsService(this.collection, {
-                    accountability: this.accountability,
-                    knex: trx,
-                    schema: this.schema,
-                });
+            await transaction(this.knex, async (knex) => {
+                const service = this.fork({ knex });
+                let userIntegrityCheckFlags = opts.userIntegrityCheckFlags ?? UserIntegrityCheckFlag.None;
                 for (const item of data) {
-                    if (!item[primaryKeyField])
+                    const primaryKey = item[primaryKeyField];
+                    if (!primaryKey)
                         throw new InvalidPayloadError({ reason: `Item in update misses primary key` });
-                    const combinedOpts = Object.assign({ autoPurgeCache: false }, opts);
-                    keys.push(await service.updateOne(item[primaryKeyField], omit(item, primaryKeyField), combinedOpts));
+                    const combinedOpts = {
+                        autoPurgeCache: false,
+                        ...opts,
+                        onRequireUserIntegrityCheck: (flags) => (userIntegrityCheckFlags |= flags),
+                    };
+                    keys.push(await service.updateOne(primaryKey, omit(item, primaryKeyField), combinedOpts));
+                }
+                if (userIntegrityCheckFlags) {
+                    if (opts.onRequireUserIntegrityCheck) {
+                        opts.onRequireUserIntegrityCheck(userIntegrityCheckFlags);
+                    }
+                    else {
+                        await validateUserCountIntegrity({ flags: userIntegrityCheckFlags, knex });
+                    }
                 }
             });
         }
@@ -441,7 +503,7 @@ export class ItemsService {
         return keys;
     }
     /**
-     * Update many items by primary key, setting all items to the same change
+     * Update many items by primary key, setting all items to the same change.
      */
     async updateMany(keys, data, opts = {}) {
         if (!opts.mutationTracker)
@@ -459,11 +521,6 @@ export class ItemsService {
             .map((field) => field.field);
         const payload = cloneDeep(data);
         const nestedActionEvents = [];
-        const authorizationService = new AuthorizationService({
-            accountability: this.accountability,
-            knex: this.knex,
-            schema: this.schema,
-        });
         // Run all hooks that are attached to this event so the end user has the chance to augment the
         // item that is about to be saved
         const payloadAfterHooks = opts.emitEvents !== false
@@ -481,10 +538,26 @@ export class ItemsService {
         // Sort keys to ensure that the order is maintained
         keys.sort();
         if (this.accountability) {
-            await authorizationService.checkAccess('update', this.collection, keys);
+            await validateAccess({
+                accountability: this.accountability,
+                action: 'update',
+                collection: this.collection,
+                primaryKeys: keys,
+            }, {
+                schema: this.schema,
+                knex: this.knex,
+            });
         }
         const payloadWithPresets = this.accountability
-            ? authorizationService.validatePayload('update', this.collection, payloadAfterHooks)
+            ? await processPayload({
+                accountability: this.accountability,
+                action: 'update',
+                collection: this.collection,
+                payload: payloadAfterHooks,
+            }, {
+                knex: this.knex,
+                schema: this.schema,
+            })
             : payloadAfterHooks;
         if (opts.preMutationError) {
             throw opts.preMutationError;
@@ -495,8 +568,8 @@ export class ItemsService {
                 knex: trx,
                 schema: this.schema,
             });
-            const { payload: payloadWithM2O, revisions: revisionsM2O, nestedActionEvents: nestedActionEventsM2O, } = await payloadService.processM2O(payloadWithPresets, opts);
-            const { payload: payloadWithA2O, revisions: revisionsA2O, nestedActionEvents: nestedActionEventsA2O, } = await payloadService.processA2O(payloadWithM2O, opts);
+            const { payload: payloadWithM2O, revisions: revisionsM2O, nestedActionEvents: nestedActionEventsM2O, userIntegrityCheckFlags: userIntegrityCheckFlagsM2O, } = await payloadService.processM2O(payloadWithPresets, opts);
+            const { payload: payloadWithA2O, revisions: revisionsA2O, nestedActionEvents: nestedActionEventsA2O, userIntegrityCheckFlags: userIntegrityCheckFlagsA2O, } = await payloadService.processA2O(payloadWithM2O, opts);
             const payloadWithoutAliasAndPK = pick(payloadWithA2O, without(fields, primaryKeyField, ...aliases));
             const payloadWithTypeCasting = await payloadService.processValues('update', payloadWithoutAliasAndPK);
             if (Object.keys(payloadWithTypeCasting).length > 0) {
@@ -508,12 +581,25 @@ export class ItemsService {
                 }
             }
             const childrenRevisions = [...revisionsM2O, ...revisionsA2O];
+            let userIntegrityCheckFlags = opts.userIntegrityCheckFlags ??
+                UserIntegrityCheckFlag.None | userIntegrityCheckFlagsM2O | userIntegrityCheckFlagsA2O;
             nestedActionEvents.push(...nestedActionEventsM2O);
             nestedActionEvents.push(...nestedActionEventsA2O);
             for (const key of keys) {
-                const { revisions, nestedActionEvents: nestedActionEventsO2M } = await payloadService.processO2M(payloadWithA2O, key, opts);
+                const { revisions, nestedActionEvents: nestedActionEventsO2M, userIntegrityCheckFlags: userIntegrityCheckFlagsO2M, } = await payloadService.processO2M(payloadWithA2O, key, opts);
                 childrenRevisions.push(...revisions);
                 nestedActionEvents.push(...nestedActionEventsO2M);
+                userIntegrityCheckFlags |= userIntegrityCheckFlagsO2M;
+            }
+            if (userIntegrityCheckFlags) {
+                if (opts?.onRequireUserIntegrityCheck) {
+                    opts.onRequireUserIntegrityCheck(userIntegrityCheckFlags);
+                }
+                else {
+                    // Having no onRequireUserIntegrityCheck callback indicates that
+                    // this is the top level invocation of the nested updates, so perform the user integrity check
+                    await validateUserCountIntegrity({ flags: userIntegrityCheckFlags, knex: trx });
+                }
             }
             // If this is an authenticated action, and accountability tracking is enabled, save activity row
             if (this.accountability && this.schema.collections[this.collection].accountability !== null) {
@@ -603,7 +689,9 @@ export class ItemsService {
         return keys;
     }
     /**
-     * Upsert a single item
+     * Upsert a single item.
+     *
+     * Uses `this.createOne` / `this.updateOne` under the hood.
      */
     async upsertOne(payload, opts) {
         const primaryKeyField = this.schema.collections[this.collection].primary;
@@ -625,17 +713,15 @@ export class ItemsService {
         }
     }
     /**
-     * Upsert many items
+     * Upsert many items.
+     *
+     * Uses `this.upsertOne` under the hood.
      */
     async upsertMany(payloads, opts = {}) {
         if (!opts.mutationTracker)
             opts.mutationTracker = this.createMutationTracker();
-        const primaryKeys = await transaction(this.knex, async (trx) => {
-            const service = new ItemsService(this.collection, {
-                accountability: this.accountability,
-                schema: this.schema,
-                knex: trx,
-            });
+        const primaryKeys = await transaction(this.knex, async (knex) => {
+            const service = this.fork({ knex });
             const primaryKeys = [];
             for (const payload of payloads) {
                 const primaryKey = await service.upsertOne(payload, { ...(opts || {}), autoPurgeCache: false });
@@ -649,7 +735,9 @@ export class ItemsService {
         return primaryKeys;
     }
     /**
-     * Delete multiple items by query
+     * Delete multiple items by query.
+     *
+     * Uses `this.deleteMany` under the hood.
      */
     async deleteByQuery(query, opts) {
         const keys = await this.getKeysByQuery(query);
@@ -658,7 +746,9 @@ export class ItemsService {
         return keys.length ? await this.deleteMany(keys, opts) : [];
     }
     /**
-     * Delete a single item by primary key
+     * Delete a single item by primary key.
+     *
+     * Uses `this.deleteMany` under the hood.
      */
     async deleteOne(key, opts) {
         const primaryKeyField = this.schema.collections[this.collection].primary;
@@ -667,7 +757,7 @@ export class ItemsService {
         return key;
     }
     /**
-     * Delete multiple items by primary key
+     * Delete multiple items by primary key.
      */
     async deleteMany(keys, opts = {}) {
         if (!opts.mutationTracker)
@@ -678,13 +768,16 @@ export class ItemsService {
         const { ActivityService } = await import('./activity.js');
         const primaryKeyField = this.schema.collections[this.collection].primary;
         validateKeys(this.schema, this.collection, primaryKeyField, keys);
-        if (this.accountability && this.accountability.admin !== true) {
-            const authorizationService = new AuthorizationService({
+        if (this.accountability) {
+            await validateAccess({
                 accountability: this.accountability,
-                schema: this.schema,
+                action: 'delete',
+                collection: this.collection,
+                primaryKeys: keys,
+            }, {
                 knex: this.knex,
+                schema: this.schema,
             });
-            await authorizationService.checkAccess('delete', this.collection, keys);
         }
         if (opts.preMutationError) {
             throw opts.preMutationError;
@@ -700,6 +793,14 @@ export class ItemsService {
         }
         await transaction(this.knex, async (trx) => {
             await trx(this.collection).whereIn(primaryKeyField, keys).delete();
+            if (opts.userIntegrityCheckFlags) {
+                if (opts.onRequireUserIntegrityCheck) {
+                    opts.onRequireUserIntegrityCheck(opts.userIntegrityCheckFlags);
+                }
+                else {
+                    await validateUserCountIntegrity({ flags: opts.userIntegrityCheckFlags, knex: trx });
+                }
+            }
             if (this.accountability && this.schema.collections[this.collection].accountability !== null) {
                 const activityService = new ActivityService({
                     knex: trx,
@@ -745,7 +846,7 @@ export class ItemsService {
         return keys;
     }
     /**
-     * Read/treat collection as singleton
+     * Read/treat collection as singleton.
      */
     async readSingleton(query, opts) {
         query = clone(query);
@@ -773,7 +874,9 @@ export class ItemsService {
         return record;
     }
     /**
-     * Upsert/treat collection as singleton
+     * Upsert/treat collection as singleton.
+     *
+     * Uses `this.createOne` / `this.updateOne` under the hood.
      */
     async upsertSingleton(data, opts) {
         const primaryKeyField = this.schema.collections[this.collection].primary;

package/dist/services/meta.js

@@ -1,5 +1,8 @@
 import getDatabase from '../database/index.js';
-import { ForbiddenError } from '@directus/errors';
+import { fetchPermissions } from '../permissions/lib/fetch-permissions.js';
+import { fetchPolicies } from '../permissions/lib/fetch-policies.js';
+import { dedupeAccess } from '../permissions/modules/process-ast/utils/dedupe-access.js';
+import { validateAccess } from '../permissions/modules/validate-access/validate-access.js';
 import { applyFilter, applySearch } from '../utils/apply-query.js';
 export class MetaService {
     knex;
@@ -28,39 +31,73 @@ export class MetaService {
         }, {});
     }
     async totalCount(collection) {
-        const dbQuery = this.knex(collection).count('*', { as: 'count' }).first();
-        if (this.accountability?.admin !== true) {
-            const permissionsRecord = this.accountability?.permissions?.find((permission) => {
-                return permission.action === 'read' && permission.collection === collection;
-            });
-            if (!permissionsRecord)
-                throw new ForbiddenError();
-            const permissions = permissionsRecord.permissions ?? {};
-            applyFilter(this.knex, this.schema, dbQuery, permissions, collection, {});
+        const dbQuery = this.knex(collection);
+        let hasJoins = false;
+        if (this.accountability && this.accountability.admin === false) {
+            const context = { knex: this.knex, schema: this.schema };
+            await validateAccess({
+                accountability: this.accountability,
+                action: 'read',
+                collection,
+            }, context);
+            const policies = await fetchPolicies(this.accountability, context);
+            const permissions = await fetchPermissions({
+                action: 'read',
+                policies,
+                accountability: this.accountability,
+                ...(collection ? { collections: [collection] } : {}),
+            }, context);
+            const rules = dedupeAccess(permissions);
+            const cases = rules.map(({ rule }) => rule);
+            const filter = {
+                _or: cases,
+            };
+            const result = applyFilter(this.knex, this.schema, dbQuery, filter, collection, {}, cases);
+            hasJoins = result.hasJoins;
+        }
+        if (hasJoins) {
+            const primaryKeyName = this.schema.collections[collection].primary;
+            dbQuery.countDistinct({ count: [`${collection}.${primaryKeyName}`] });
+        }
+        else {
+            dbQuery.count('*', { as: 'count' });
         }
-        const result = await dbQuery;
+        const result = await dbQuery.first();
         return Number(result?.count ?? 0);
     }
     async filterCount(collection, query) {
         const dbQuery = this.knex(collection);
         let filter = query.filter || {};
         let hasJoins = false;
-        if (this.accountability?.admin !== true) {
-            const permissionsRecord = this.accountability?.permissions?.find((permission) => {
-                return permission.action === 'read' && permission.collection === collection;
-            });
-            if (!permissionsRecord)
-                throw new ForbiddenError();
-            const permissions = permissionsRecord.permissions ?? {};
+        let cases = [];
+        if (this.accountability && this.accountability.admin === false) {
+            const context = { knex: this.knex, schema: this.schema };
+            await validateAccess({
+                accountability: this.accountability,
+                action: 'read',
+                collection,
+            }, context);
+            const policies = await fetchPolicies(this.accountability, context);
+            const permissions = await fetchPermissions({
+                action: 'read',
+                policies,
+                accountability: this.accountability,
+                ...(collection ? { collections: [collection] } : {}),
+            }, context);
+            const rules = dedupeAccess(permissions);
+            cases = rules.map(({ rule }) => rule);
+            const permissionsFilter = {
+                _or: cases,
+            };
             if (Object.keys(filter).length > 0) {
-                filter = { _and: [permissions, filter] };
+                filter = { _and: [permissionsFilter, filter] };
             }
             else {
-                filter = permissions;
+                filter = permissionsFilter;
             }
         }
         if (Object.keys(filter).length > 0) {
-            ({ hasJoins } = applyFilter(this.knex, this.schema, dbQuery, filter, collection, {}));
+            ({ hasJoins } = applyFilter(this.knex, this.schema, dbQuery, filter, collection, {}, cases));
         }
         if (query.search) {
             applySearch(this.knex, this.schema, dbQuery, query.search, collection);
@@ -72,7 +109,7 @@ export class MetaService {
         else {
             dbQuery.count('*', { as: 'count' });
         }
-        const records = await dbQuery;
-        return Number(records[0]['count']);
+        const result = await dbQuery.first();
+        return Number(result?.count ?? 0);
     }
 }

package/dist/services/notifications.d.ts

@@ -8,6 +8,5 @@ export declare class NotificationsService extends ItemsService {
     mailService: MailService;
     constructor(options: AbstractServiceOptions);
     createOne(data: Partial<Notification>, opts?: MutationOptions): Promise<PrimaryKey>;
-    createMany(data: Partial<Notification>[], opts?: MutationOptions): Promise<PrimaryKey[]>;
     sendEmail(data: Partial<Notification>): Promise<void>;
 }

package/dist/services/notifications.js

@@ -20,13 +20,6 @@ export class NotificationsService extends ItemsService {
         await this.sendEmail(data);
         return response;
     }
-    async createMany(data, opts) {
-        const response = await super.createMany(data, opts);
-        for (const notification of data) {
-            await this.sendEmail(notification);
-        }
-        return response;
-    }
     async sendEmail(data) {
         if (data.recipient) {
             const user = await this.usersService.readOne(data.recipient, {

package/dist/services/operations.d.ts

@@ -4,8 +4,6 @@ import { ItemsService } from './items.js';
 export declare class OperationsService extends ItemsService<OperationRaw> {
     constructor(options: AbstractServiceOptions);
     createOne(data: Partial<Item>, opts?: MutationOptions): Promise<PrimaryKey>;
-    createMany(data: Partial<Item>[], opts?: MutationOptions): Promise<PrimaryKey[]>;
-    updateBatch(data: Partial<Item>[], opts?: MutationOptions): Promise<PrimaryKey[]>;
     updateMany(keys: PrimaryKey[], data: Partial<Item>, opts?: MutationOptions): Promise<PrimaryKey[]>;
     deleteMany(keys: PrimaryKey[], opts?: MutationOptions): Promise<PrimaryKey[]>;
 }