@directus/api 19.3.1 → 20.0.0-rc.0

package/dist/services/utils.js

@@ -3,6 +3,8 @@ import { systemCollectionRows } from '@directus/system-data';
 import { clearSystemCache, getCache } from '../cache.js';
 import getDatabase from '../database/index.js';
 import emitter from '../emitter.js';
+import { fetchAllowedFields } from '../permissions/modules/fetch-allowed-fields/fetch-allowed-fields.js';
+import { validateAccess } from '../permissions/modules/validate-access/validate-access.js';
 import { shouldClearCache } from '../utils/should-clear-cache.js';
 export class UtilsService {
     knex;
@@ -20,14 +22,16 @@ export class UtilsService {
         if (!sortField) {
             throw new InvalidPayloadError({ reason: `Collection "${collection}" doesn't have a sort field` });
         }
-        if (this.accountability?.admin !== true) {
-            const permissions = this.accountability?.permissions?.find((permission) => {
-                return permission.collection === collection && permission.action === 'update';
+        if (this.accountability && this.accountability.admin !== true) {
+            await validateAccess({
+                accountability: this.accountability,
+                action: 'update',
+                collection,
+            }, {
+                schema: this.schema,
+                knex: this.knex,
             });
-            if (!permissions) {
-                throw new ForbiddenError();
-            }
-            const allowedFields = permissions.fields ?? [];
+            const allowedFields = await fetchAllowedFields({ collection, action: 'update', accountability: this.accountability }, { schema: this.schema, knex: this.knex });
             if (allowedFields[0] !== '*' && allowedFields.includes(sortField) === false) {
                 throw new ForbiddenError();
             }

package/dist/services/versions.d.ts

@@ -1,9 +1,7 @@
 import type { Item, PrimaryKey, Query } from '@directus/types';
 import type { AbstractServiceOptions, MutationOptions } from '../types/index.js';
-import { AuthorizationService } from './authorization.js';
 import { ItemsService } from './items.js';
 export declare class VersionsService extends ItemsService {
-    authorizationService: AuthorizationService;
     constructor(options: AbstractServiceOptions);
     private validateCreateData;
     getMainItem(collection: string, item: PrimaryKey, query?: Query): Promise<Item>;

package/dist/services/versions.js

@@ -6,21 +6,15 @@ import objectHash from 'object-hash';
 import { getCache } from '../cache.js';
 import getDatabase from '../database/index.js';
 import emitter from '../emitter.js';
+import { validateAccess } from '../permissions/modules/validate-access/validate-access.js';
 import { shouldClearCache } from '../utils/should-clear-cache.js';
 import { ActivityService } from './activity.js';
-import { AuthorizationService } from './authorization.js';
 import { ItemsService } from './items.js';
 import { PayloadService } from './payload.js';
 import { RevisionsService } from './revisions.js';
 export class VersionsService extends ItemsService {
-    authorizationService;
     constructor(options) {
         super('directus_versions', options);
-        this.authorizationService = new AuthorizationService({
-            accountability: this.accountability,
-            knex: this.knex,
-            schema: this.schema,
-        });
     }
     async validateCreateData(data) {
         if (!data['key'])
@@ -55,11 +49,31 @@ export class VersionsService extends ItemsService {
             });
         }
         // will throw an error if the accountability does not have permission to read the item
-        await this.authorizationService.checkAccess('read', data['collection'], data['item']);
+        if (this.accountability) {
+            await validateAccess({
+                accountability: this.accountability,
+                action: 'read',
+                collection: data['collection'],
+                primaryKeys: [data['item']],
+            }, {
+                schema: this.schema,
+                knex: this.knex,
+            });
+        }
     }
     async getMainItem(collection, item, query) {
         // will throw an error if the accountability does not have permission to read the item
-        await this.authorizationService.checkAccess('read', collection, item);
+        if (this.accountability) {
+            await validateAccess({
+                accountability: this.accountability,
+                action: 'read',
+                collection,
+                primaryKeys: [item],
+            }, {
+                schema: this.schema,
+                knex: this.knex,
+            });
+        }
         const itemsService = new ItemsService(collection, {
             knex: this.knex,
             accountability: this.accountability,
@@ -200,7 +214,17 @@ export class VersionsService extends ItemsService {
     async promote(version, mainHash, fields) {
         const { id, collection, item } = (await this.readOne(version));
         // will throw an error if the accountability does not have permission to update the item
-        await this.authorizationService.checkAccess('update', collection, item);
+        if (this.accountability) {
+            await validateAccess({
+                accountability: this.accountability,
+                action: 'update',
+                collection,
+                primaryKeys: [item],
+            }, {
+                schema: this.schema,
+                knex: this.knex,
+            });
+        }
         const { outdated } = await this.verifyHash(collection, item, mainHash);
         if (outdated) {
             throw new UnprocessableContentError({

package/dist/telemetry/lib/get-report.js

@@ -2,10 +2,11 @@ import { useEnv } from '@directus/env';
 import { version } from 'directus/version';
 import { getHelpers } from '../../database/helpers/index.js';
 import { getDatabase, getDatabaseClient } from '../../database/index.js';
+import { fetchUserCount } from '../../utils/fetch-user-count/fetch-user-count.js';
 import { getExtensionCount } from '../utils/get-extension-count.js';
 import { getFieldCount } from '../utils/get-field-count.js';
+import { getFilesizeSum } from '../utils/get-filesize-sum.js';
 import { getItemCount } from '../utils/get-item-count.js';
-import { getUserCount } from '../utils/get-user-count.js';
 import { getUserItemCount } from '../utils/get-user-item-count.js';
 const basicCountTasks = [
     { collection: 'directus_dashboards' },
@@ -24,13 +25,14 @@ export const getReport = async () => {
     const db = getDatabase();
     const env = useEnv();
     const helpers = getHelpers(db);
-    const [basicCounts, userCounts, userItemCount, fieldsCounts, extensionsCounts, databaseSize] = await Promise.all([
+    const [basicCounts, userCounts, userItemCount, fieldsCounts, extensionsCounts, databaseSize, filesizes] = await Promise.all([
         getItemCount(db, basicCountTasks),
-        getUserCount(db),
+        fetchUserCount({ knex: db }),
         getUserItemCount(db),
         getFieldCount(db),
         getExtensionCount(db),
         helpers.schema.getDatabaseSize(),
+        getFilesizeSum(db),
     ]);
     return {
         url: env['PUBLIC_URL'],
@@ -50,5 +52,6 @@ export const getReport = async () => {
         fields_total: fieldsCounts.total,
         extensions: extensionsCounts.totalEnabled,
         database_size: databaseSize ?? 0,
+        files_size_total: filesizes.total,
     };
 };

package/dist/telemetry/types/report.d.ts

@@ -67,4 +67,8 @@ export interface TelemetryReport {
      * Size of the database in bytes
      */
     database_size: number;
+    /**
+     * Total size of the files in bytes
+     */
+    files_size_total: number;
 }

package/dist/telemetry/utils/check-user-limits.d.ts

@@ -0,0 +1,5 @@
+import { type UserCount } from '../../utils/fetch-user-count/fetch-user-count.js';
+/**
+ * Ensure that user limits are not reached
+ */
+export declare function checkUserLimits(userCounts: UserCount): Promise<void>;

package/dist/telemetry/utils/check-user-limits.js

@@ -0,0 +1,19 @@
+import { useEnv } from '@directus/env';
+import { LimitExceededError } from '@directus/errors';
+import {} from '../../utils/fetch-user-count/fetch-user-count.js';
+const env = useEnv();
+/**
+ * Ensure that user limits are not reached
+ */
+export async function checkUserLimits(userCounts) {
+    if (userCounts.admin > Number(env['USERS_ADMIN_ACCESS_LIMIT'])) {
+        throw new LimitExceededError({ category: 'Active Admin users' });
+    }
+    // Both app and admin users count against the app access limit
+    if (userCounts.app + userCounts.admin > Number(env['USERS_APP_ACCESS_LIMIT'])) {
+        throw new LimitExceededError({ category: 'Active App users' });
+    }
+    if (userCounts.api > Number(env['USERS_API_ACCESS_LIMIT'])) {
+        throw new LimitExceededError({ category: 'Active API users' });
+    }
+}

package/dist/telemetry/utils/get-filesize-sum.d.ts

@@ -0,0 +1,5 @@
+import { type Knex } from 'knex';
+export interface FilesizeSum {
+    total: number;
+}
+export declare const getFilesizeSum: (db: Knex) => Promise<FilesizeSum>;

package/dist/telemetry/utils/get-filesize-sum.js

@@ -0,0 +1,7 @@
+import {} from 'knex';
+export const getFilesizeSum = async (db) => {
+    const query = (await db.sum({ total: 'filesize' }).from('directus_files').first());
+    return {
+        total: query?.total ? Number(query.total) : 0,
+    };
+};

package/dist/types/ast.d.ts

@@ -1,4 +1,4 @@
-import type { Query, Relation } from '@directus/types';
+import type { Filter, Query, Relation } from '@directus/types';
 export type M2ONode = {
     type: 'm2o';
     name: string;
@@ -8,6 +8,14 @@ export type M2ONode = {
     relation: Relation;
     parentKey: string;
     relatedKey: string;
+    /**
+     * Which permission cases have to be met on the current item for this field to return a value
+     */
+    whenCase: number[];
+    /**
+     * Permissions rules for the item access of the children of this item.
+     */
+    cases: Filter[];
 };
 export type A2MNode = {
     type: 'a2o';
@@ -24,6 +32,16 @@ export type A2MNode = {
     fieldKey: string;
     relation: Relation;
     parentKey: string;
+    /**
+     * Which permission cases have to be met on the current item for this field to return a value
+     */
+    whenCase: number[];
+    /**
+     * Permissions rules for the item access of the children of this item.
+     */
+    cases: {
+        [collection: string]: Filter[];
+    };
 };
 export type O2MNode = {
     type: 'o2m';
@@ -34,12 +52,24 @@ export type O2MNode = {
     relation: Relation;
     parentKey: string;
     relatedKey: string;
+    /**
+     * Which permission cases have to be met on the current item for this field to return a value
+     */
+    whenCase: number[];
+    /**
+     * Permissions rules for the item access of the children of this item.
+     */
+    cases: Filter[];
 };
 export type NestedCollectionNode = M2ONode | O2MNode | A2MNode;
 export type FieldNode = {
     type: 'field';
     name: string;
     fieldKey: string;
+    /**
+     * Which permission cases have to be met on the current item for this field to return a value
+     */
+    whenCase: number[];
 };
 export type FunctionFieldNode = {
     type: 'functionField';
@@ -47,10 +77,22 @@ export type FunctionFieldNode = {
     fieldKey: string;
     query: Query;
     relatedCollection: string;
+    /**
+     * Which permission cases have to be met on the current item for this field to return a value
+     */
+    whenCase: number[];
+    /**
+     * Permissions rules for the item access of the related collection of this item.
+     */
+    cases: Filter[];
 };
 export type AST = {
     type: 'root';
     name: string;
     children: (NestedCollectionNode | FieldNode | FunctionFieldNode)[];
     query: Query;
+    /**
+     * Permissions rules for the item access of the children of this item.
+     */
+    cases: Filter[];
 };

package/dist/types/items.d.ts

@@ -1,6 +1,7 @@
 import type { DirectusError } from '@directus/errors';
 import type { EventContext, PrimaryKey } from '@directus/types';
 import type { MutationTracker } from '../services/items.js';
+import type { UserIntegrityCheckFlag } from '../utils/validate-user-count-integrity.js';
 export type MutationOptions = {
     /**
      * Callback function that's fired whenever a revision is made in the mutation
@@ -33,6 +34,16 @@ export type MutationOptions = {
     mutationTracker?: MutationTracker | undefined;
     preMutationError?: DirectusError | undefined;
     bypassAutoIncrementSequenceReset?: boolean;
+    /**
+     * Indicate that the top level mutation needs to perform a user integrity check before commiting the transaction
+     * This is a combination of flags
+     * @see UserIntegrityCheckFlag
+     */
+    userIntegrityCheckFlags?: UserIntegrityCheckFlag;
+    /**
+     * Callback function that is called whenever a mutation requires a user integrity check to be made
+     */
+    onRequireUserIntegrityCheck?: ((flags: UserIntegrityCheckFlag) => void) | undefined;
 };
 export type ActionEventParams = {
     event: string | string[];

package/dist/utils/apply-query.d.ts

@@ -5,7 +5,7 @@ export declare const generateAlias: (size?: number | undefined) => string;
 /**
  * Apply the Query to a given Knex query builder instance
  */
-export default function applyQuery(knex: Knex, collection: string, dbQuery: Knex.QueryBuilder, query: Query, schema: SchemaOverview, options?: {
+export default function applyQuery(knex: Knex, collection: string, dbQuery: Knex.QueryBuilder, query: Query, schema: SchemaOverview, cases: Filter[], options?: {
     aliasMap?: AliasMap;
     isInnerQuery?: boolean;
     hasMultiRelationalSort?: boolean | undefined;
@@ -32,10 +32,11 @@ export declare function applySort(knex: Knex, schema: SchemaOverview, rootQuery:
 };
 export declare function applyLimit(knex: Knex, rootQuery: Knex.QueryBuilder, limit: any): void;
 export declare function applyOffset(knex: Knex, rootQuery: Knex.QueryBuilder, offset: any): void;
-export declare function applyFilter(knex: Knex, schema: SchemaOverview, rootQuery: Knex.QueryBuilder, rootFilter: Filter, collection: string, aliasMap: AliasMap): {
+export declare function applyFilter(knex: Knex, schema: SchemaOverview, rootQuery: Knex.QueryBuilder, rootFilter: Filter, collection: string, aliasMap: AliasMap, cases: Filter[]): {
     query: Knex.QueryBuilder<any, any>;
     hasJoins: boolean;
     hasMultiRelationalFilter: boolean;
 };
-export declare function applySearch(knex: Knex, schema: SchemaOverview, dbQuery: Knex.QueryBuilder, searchQuery: string, collection: string): Promise<void>;
+export declare function applySearch(knex: Knex, schema: SchemaOverview, dbQuery: Knex.QueryBuilder, searchQuery: string, collection: string): void;
 export declare function applyAggregate(schema: SchemaOverview, dbQuery: Knex.QueryBuilder, aggregate: Aggregate, collection: string, hasJoins: boolean): void;
+export declare function joinFilterWithCases(filter: Filter | null | undefined, cases: Filter[]): Filter | null;

package/dist/utils/apply-query.js

@@ -14,7 +14,7 @@ export const generateAlias = customAlphabet('abcdefghijklmnopqrstuvwxyz', 5);
 /**
  * Apply the Query to a given Knex query builder instance
  */
-export default function applyQuery(knex, collection, dbQuery, query, schema, options) {
+export default function applyQuery(knex, collection, dbQuery, query, schema, cases, options) {
     const aliasMap = options?.aliasMap ?? Object.create(null);
     let hasJoins = false;
     let hasMultiRelationalFilter = false;
@@ -37,8 +37,14 @@ export default function applyQuery(knex, collection, dbQuery, query, schema, opt
     if (query.group) {
         dbQuery.groupBy(query.group.map((column) => getColumn(knex, collection, column, false, schema)));
     }
-    if (query.filter) {
-        const filterResult = applyFilter(knex, schema, dbQuery, query.filter, collection, aliasMap);
+    // `cases` are the permissions cases that are required for the current data set. We're
+    // dynamically adding those into the filters that the user provided to enforce the permission
+    // rules. You should be able to read an item if one or more of the cases matches. The actual case
+    // is reused in the column selection case/when to dynamically return or nullify the field values
+    // you're actually allowed to read
+    const filter = joinFilterWithCases(query.filter, cases);
+    if (filter) {
+        const filterResult = applyFilter(knex, schema, dbQuery, filter, collection, aliasMap, cases);
         if (!hasJoins) {
             hasJoins = filterResult.hasJoins;
         }
@@ -226,7 +232,7 @@ export function applyOffset(knex, rootQuery, offset) {
         getHelpers(knex).schema.applyOffset(rootQuery, offset);
     }
 }
-export function applyFilter(knex, schema, rootQuery, rootFilter, collection, aliasMap) {
+export function applyFilter(knex, schema, rootQuery, rootFilter, collection, aliasMap, cases) {
     const helpers = getHelpers(knex);
     const relations = schema.relations;
     let hasJoins = false;
@@ -235,12 +241,23 @@ export function applyFilter(knex, schema, rootQuery, rootFilter, collection, ali
     addWhereClauses(knex, rootQuery, rootFilter, collection);
     return { query: rootQuery, hasJoins, hasMultiRelationalFilter };
     function addJoins(dbQuery, filter, collection) {
-        for (const [key, value] of Object.entries(filter)) {
+        // eslint-disable-next-line prefer-const
+        for (let [key, value] of Object.entries(filter)) {
             if (key === '_or' || key === '_and') {
                 // If the _or array contains an empty object (full permissions), we should short-circuit and ignore all other
                 // permission checks, as {} already matches full permissions.
                 if (key === '_or' && value.some((subFilter) => Object.keys(subFilter).length === 0)) {
-                    continue;
+                    // But only do so, if the value is not equal to `cases` (since then this is not permission related at all)
+                    // or the length of value is 1, ie. only the empty filter.
+                    // If the length is more than one it means that some items (and fields) might now be available, so
+                    // the joins are required for the case/when construction.
+                    if (value !== cases || value.length === 1) {
+                        continue;
+                    }
+                    else {
+                        // Otherwise we can at least filter out all empty filters that would not add joins anyway
+                        value = value.filter((subFilter) => Object.keys(subFilter).length > 0);
+                    }
                 }
                 value.forEach((subFilter) => {
                     addJoins(dbQuery, subFilter, collection);
@@ -311,7 +328,7 @@ export function applyFilter(knex, schema, rootQuery, rootFilter, collection, ali
                             .select({ [field]: column })
                             .from(collection)
                             .whereNotNull(column);
-                        applyQuery(knex, relation.collection, subQueryKnex, { filter }, schema);
+                        applyQuery(knex, relation.collection, subQueryKnex, { filter }, schema, cases);
                     };
                     const childKey = Object.keys(value)?.[0];
                     if (childKey === '_none') {
@@ -551,7 +568,7 @@ export function applyFilter(knex, schema, rootQuery, rootFilter, collection, ali
         }
     }
 }
-export async function applySearch(knex, schema, dbQuery, searchQuery, collection) {
+export function applySearch(knex, schema, dbQuery, searchQuery, collection) {
     const { number: numberHelper } = getHelpers(knex);
     const fields = Object.entries(schema.collections[collection].fields);
     dbQuery.andWhere(function () {
@@ -627,6 +644,18 @@ export function applyAggregate(schema, dbQuery, aggregate, collection, hasJoins)
         }
     }
 }
+export function joinFilterWithCases(filter, cases) {
+    if (cases.length > 0 && !filter) {
+        return { _or: cases };
+    }
+    else if (filter && cases.length === 0) {
+        return filter ?? null;
+    }
+    else if (filter && cases.length > 0) {
+        return { _and: [filter, { _or: cases }] };
+    }
+    return null;
+}
 function getFilterPath(key, value) {
     const path = [key];
     const childKey = Object.keys(value)[0];

package/dist/utils/fetch-user-count/fetch-access-lookup.d.ts

@@ -0,0 +1,17 @@
+import type { PrimaryKey } from '@directus/types';
+import type { Knex } from 'knex';
+export interface AccessLookup {
+    role: string | null;
+    user: string | null;
+    app_access: boolean | number;
+    admin_access: boolean | number;
+}
+export interface FetchAccessLookupOptions {
+    excludeAccessRows?: PrimaryKey[];
+    excludePolicies?: PrimaryKey[];
+    excludeUsers?: PrimaryKey[];
+    excludeRoles?: PrimaryKey[];
+    adminOnly?: boolean;
+    knex: Knex;
+}
+export declare function fetchAccessLookup(options: FetchAccessLookupOptions): Promise<AccessLookup[]>;

package/dist/utils/fetch-user-count/fetch-access-lookup.js

@@ -0,0 +1,22 @@
+export async function fetchAccessLookup(options) {
+    let query = options.knex
+        .select('directus_access.role', 'directus_access.user', 'directus_policies.app_access', 'directus_policies.admin_access')
+        .from('directus_access')
+        .leftJoin('directus_policies', 'directus_access.policy', 'directus_policies.id');
+    if (options.excludeAccessRows && options.excludeAccessRows.length > 0) {
+        query = query.whereNotIn('directus_access.id', options.excludeAccessRows);
+    }
+    if (options.excludePolicies && options.excludePolicies.length > 0) {
+        query = query.whereNotIn('directus_access.policy', options.excludePolicies);
+    }
+    if (options.excludeUsers && options.excludeUsers.length > 0) {
+        query = query.where((q) => q.whereNotIn('directus_access.user', options.excludeUsers).orWhereNull('directus_access.user'));
+    }
+    if (options.excludeRoles && options.excludeRoles.length > 0) {
+        query = query.where((q) => q.whereNotIn('directus_access.role', options.excludeRoles).orWhereNull('directus_access.role'));
+    }
+    if (options.adminOnly) {
+        query = query.where('directus_policies.admin_access', 1);
+    }
+    return query;
+}

package/dist/utils/fetch-user-count/fetch-access-roles.d.ts

@@ -0,0 +1,16 @@
+import type { PrimaryKey } from '@directus/types';
+import type { Knex } from 'knex';
+export interface FetchAccessRolesOptions {
+    adminRoles: Set<string>;
+    appRoles: Set<string>;
+    excludeRoles?: PrimaryKey[];
+}
+/**
+ * Return a set of roles that allow app or admin access, if itself or any of its parents do
+ */
+export declare function fetchAccessRoles(options: FetchAccessRolesOptions, context: {
+    knex: Knex;
+}): Promise<{
+    adminRoles: Set<string>;
+    appRoles: Set<string>;
+}>;

package/dist/utils/fetch-user-count/fetch-access-roles.js

@@ -0,0 +1,37 @@
+/**
+ * Return a set of roles that allow app or admin access, if itself or any of its parents do
+ */
+export async function fetchAccessRoles(options, context) {
+    // Only fetch the roles that have a parent, as otherwise those roles should already be included in at least one of the input set
+    const allChildRoles = await context.knex
+        .select('id', 'parent')
+        .from('directus_roles')
+        .whereNotNull('parent')
+        .whereNotIn('id', options.excludeRoles ?? []);
+    const adminRoles = new Set(options.adminRoles);
+    const appRoles = new Set(options.appRoles);
+    const remainingRoles = new Set(allChildRoles);
+    let hasChanged = remainingRoles.size > 0;
+    // This loop accounts for the undefined order in which the roles are returned, as there is the possibility
+    // of a role parent not being in the set of roles yet, so we need to iterate over the roles multiple times
+    // until no further roles are added to the sets
+    while (hasChanged) {
+        hasChanged = false;
+        for (const role of remainingRoles) {
+            if (adminRoles.has(role.parent)) {
+                adminRoles.add(role.id);
+                remainingRoles.delete(role);
+                hasChanged = true;
+            }
+            if (appRoles.has(role.parent)) {
+                appRoles.add(role.id);
+                remainingRoles.delete(role);
+                hasChanged = true;
+            }
+        }
+    }
+    return {
+        adminRoles,
+        appRoles,
+    };
+}

package/dist/utils/fetch-user-count/fetch-active-users.d.ts

@@ -0,0 +1,6 @@
+import type { Knex } from 'knex';
+export interface ActiveUser {
+    id: string;
+    role: string | null;
+}
+export declare function fetchActiveUsers(knex: Knex): Promise<ActiveUser[]>;

package/dist/utils/fetch-user-count/fetch-active-users.js

@@ -0,0 +1,3 @@
+export async function fetchActiveUsers(knex) {
+    return await knex.select('id', 'role').from('directus_users').where('status', 'active');
+}

package/dist/utils/fetch-user-count/fetch-user-count.d.ts

@@ -0,0 +1,12 @@
+import { type FetchAccessLookupOptions } from './fetch-access-lookup.js';
+export interface FetchUserCountOptions extends FetchAccessLookupOptions {
+}
+export interface UserCount {
+    admin: number;
+    app: number;
+    api: number;
+}
+/**
+ * Returns counts of all active users in the system grouped by admin, app, and api access
+ */
+export declare function fetchUserCount(options: FetchUserCountOptions): Promise<UserCount>;

package/dist/utils/fetch-user-count/fetch-user-count.js

@@ -0,0 +1,57 @@
+import { toBoolean } from '@directus/utils';
+import { fetchAccessLookup } from './fetch-access-lookup.js';
+import { fetchAccessRoles } from './fetch-access-roles.js';
+import { getUserCountQuery } from './get-user-count-query.js';
+/**
+ * Returns counts of all active users in the system grouped by admin, app, and api access
+ */
+export async function fetchUserCount(options) {
+    const accessRows = await fetchAccessLookup(options);
+    const adminRoles = new Set(accessRows.filter((row) => toBoolean(row.admin_access) && row.role !== null).map((row) => row.role));
+    const appRoles = new Set(accessRows
+        .filter((row) => !toBoolean(row.admin_access) && toBoolean(row.app_access) && row.role !== null)
+        .map((row) => row.role));
+    // All users that are directly granted rights through a connected policy
+    const adminUsers = new Set(accessRows.filter((row) => toBoolean(row.admin_access) && row.user !== null).map((row) => row.user));
+    // Some roles might be granted access rights through nesting, so determine all roles that grant admin or app access,
+    // including nested roles
+    const { adminRoles: allAdminRoles, appRoles: allAppRoles } = await fetchAccessRoles({
+        adminRoles,
+        appRoles,
+        ...options,
+    }, { knex: options.knex });
+    // All users that are granted admin rights through a role, but not directly
+    const adminCountQuery = getUserCountQuery(options.knex, {
+        includeRoles: Array.from(allAdminRoles),
+        excludeIds: [...adminUsers, ...(options.excludeUsers ?? [])],
+    });
+    if (options.adminOnly) {
+        // Shortcut for only counting admin users
+        const adminResult = await adminCountQuery;
+        return {
+            admin: Number(adminResult?.['count'] ?? 0) + adminUsers.size,
+            app: 0,
+            api: 0,
+        };
+    }
+    const appUsers = new Set(accessRows
+        .filter((row) => !toBoolean(row.admin_access) && toBoolean(row.app_access) && row.user !== null)
+        .map((row) => row.user));
+    // All users that are granted app rights through a role, but not directly, and that aren't admin users
+    const appCountQuery = getUserCountQuery(options.knex, {
+        includeRoles: Array.from(allAppRoles),
+        excludeRoles: Array.from(allAdminRoles),
+        excludeIds: [...appUsers, ...adminUsers, ...(options.excludeUsers ?? [])],
+    });
+    const allCountQuery = getUserCountQuery(options.knex, {
+        excludeIds: options.excludeUsers ?? [],
+    });
+    const [adminResult, appResult, allResult] = await Promise.all([adminCountQuery, appCountQuery, allCountQuery]);
+    const adminCount = Number(adminResult?.['count'] ?? 0) + adminUsers.size;
+    const appCount = Number(appResult?.['count'] ?? 0) + appUsers.size;
+    return {
+        admin: adminCount,
+        app: appCount,
+        api: Number(allResult?.['count'] ?? 0) - adminCount - appCount,
+    };
+}

package/dist/utils/fetch-user-count/get-user-count-query.d.ts

@@ -0,0 +1,20 @@
+import type { PrimaryKey } from '@directus/types';
+import type { Knex } from 'knex';
+export interface GetUserCountOptions {
+    excludeIds?: PrimaryKey[];
+    excludeRoles?: PrimaryKey[];
+    includeRoles?: PrimaryKey[];
+}
+export declare function getUserCountQuery(knex: Knex, options: GetUserCountOptions): Promise<{
+    count: number;
+}> | Knex.QueryBuilder<any, {
+    _base: {};
+    _hasSelection: true;
+    _keys: never;
+    _aliases: {};
+    _single: false;
+    _intersectProps: {
+        count?: string | number;
+    };
+    _unionProps: undefined;
+}>;