@directus/api 19.3.1 → 20.0.0-rc.0

package/dist/database/run-ast/utils/merge-with-parent-items.js

@@ -0,0 +1,87 @@
+import { useEnv } from '@directus/env';
+import { toArray } from '@directus/utils';
+import { clone, isArray } from 'lodash-es';
+export function mergeWithParentItems(schema, nestedItem, parentItem, nestedNode, fieldAllowed) {
+    const env = useEnv();
+    const nestedItems = toArray(nestedItem);
+    const parentItems = clone(toArray(parentItem));
+    if (nestedNode.type === 'm2o') {
+        for (const parentItem of parentItems) {
+            const itemChild = nestedItems.find((nestedItem) => {
+                return (nestedItem[schema.collections[nestedNode.relation.related_collection].primary] ==
+                    parentItem[nestedNode.relation.field]);
+            });
+            parentItem[nestedNode.fieldKey] = itemChild || null;
+        }
+    }
+    else if (nestedNode.type === 'o2m') {
+        for (const [index, parentItem] of parentItems.entries()) {
+            if (fieldAllowed === false || (isArray(fieldAllowed) && !fieldAllowed[index])) {
+                parentItem[nestedNode.fieldKey] = null;
+                continue;
+            }
+            if (!parentItem[nestedNode.fieldKey])
+                parentItem[nestedNode.fieldKey] = [];
+            const itemChildren = nestedItems.filter((nestedItem) => {
+                if (nestedItem === null)
+                    return false;
+                if (Array.isArray(nestedItem[nestedNode.relation.field]))
+                    return true;
+                return (nestedItem[nestedNode.relation.field] ==
+                    parentItem[schema.collections[nestedNode.relation.related_collection].primary] ||
+                    nestedItem[nestedNode.relation.field]?.[schema.collections[nestedNode.relation.related_collection].primary] == parentItem[schema.collections[nestedNode.relation.related_collection].primary]);
+            });
+            parentItem[nestedNode.fieldKey].push(...itemChildren);
+            const limit = nestedNode.query.limit ?? Number(env['QUERY_LIMIT_DEFAULT']);
+            if (nestedNode.query.page && nestedNode.query.page > 1) {
+                parentItem[nestedNode.fieldKey] = parentItem[nestedNode.fieldKey].slice(limit * (nestedNode.query.page - 1));
+            }
+            if (nestedNode.query.offset && nestedNode.query.offset >= 0) {
+                parentItem[nestedNode.fieldKey] = parentItem[nestedNode.fieldKey].slice(nestedNode.query.offset);
+            }
+            if (limit !== -1) {
+                parentItem[nestedNode.fieldKey] = parentItem[nestedNode.fieldKey].slice(0, limit);
+            }
+            parentItem[nestedNode.fieldKey] = parentItem[nestedNode.fieldKey].sort((a, b) => {
+                // This is pre-filled in get-ast-from-query
+                const sortField = nestedNode.query.sort[0];
+                let column = sortField;
+                let order = 'asc';
+                if (sortField.startsWith('-')) {
+                    column = sortField.substring(1);
+                    order = 'desc';
+                }
+                if (a[column] === b[column])
+                    return 0;
+                if (a[column] === null)
+                    return 1;
+                if (b[column] === null)
+                    return -1;
+                if (order === 'asc') {
+                    return a[column] < b[column] ? -1 : 1;
+                }
+                else {
+                    return a[column] < b[column] ? 1 : -1;
+                }
+            });
+        }
+    }
+    else if (nestedNode.type === 'a2o') {
+        for (const parentItem of parentItems) {
+            if (!nestedNode.relation.meta?.one_collection_field) {
+                parentItem[nestedNode.fieldKey] = null;
+                continue;
+            }
+            const relatedCollection = parentItem[nestedNode.relation.meta.one_collection_field];
+            if (!nestedItem[relatedCollection]) {
+                parentItem[nestedNode.fieldKey] = null;
+                continue;
+            }
+            const itemChild = nestedItem[relatedCollection].find((nestedItem) => {
+                return nestedItem[nestedNode.relatedKey[relatedCollection]] == parentItem[nestedNode.fieldKey];
+            });
+            parentItem[nestedNode.fieldKey] = itemChild || null;
+        }
+    }
+    return Array.isArray(parentItem) ? parentItems : parentItems[0];
+}

package/dist/database/run-ast/utils/remove-temporary-fields.d.ts

@@ -0,0 +1,3 @@
+import type { Item, SchemaOverview } from '@directus/types';
+import type { AST, NestedCollectionNode } from '../../../types/ast.js';
+export declare function removeTemporaryFields(schema: SchemaOverview, rawItem: Item | Item[], ast: AST | NestedCollectionNode, primaryKeyField: string, parentItem?: Item): null | Item | Item[];

package/dist/database/run-ast/utils/remove-temporary-fields.js

@@ -0,0 +1,73 @@
+import { toArray } from '@directus/utils';
+import { cloneDeep, pick } from 'lodash-es';
+import { applyFunctionToColumnName } from '../../../utils/apply-function-to-column-name.js';
+export function removeTemporaryFields(schema, rawItem, ast, primaryKeyField, parentItem) {
+    const rawItems = cloneDeep(toArray(rawItem));
+    const items = [];
+    if (ast.type === 'a2o') {
+        const fields = {};
+        const nestedCollectionNodes = {};
+        for (const relatedCollection of ast.names) {
+            if (!fields[relatedCollection])
+                fields[relatedCollection] = [];
+            if (!nestedCollectionNodes[relatedCollection])
+                nestedCollectionNodes[relatedCollection] = [];
+            for (const child of ast.children[relatedCollection]) {
+                if (child.type === 'field' || child.type === 'functionField') {
+                    fields[relatedCollection].push(child.name);
+                }
+                else {
+                    fields[relatedCollection].push(child.fieldKey);
+                    nestedCollectionNodes[relatedCollection].push(child);
+                }
+            }
+        }
+        for (const rawItem of rawItems) {
+            const relatedCollection = parentItem?.[ast.relation.meta.one_collection_field];
+            if (rawItem === null || rawItem === undefined)
+                return rawItem;
+            let item = rawItem;
+            for (const nestedNode of nestedCollectionNodes[relatedCollection]) {
+                item[nestedNode.fieldKey] = removeTemporaryFields(schema, item[nestedNode.fieldKey], nestedNode, schema.collections[nestedNode.relation.collection].primary, item);
+            }
+            const fieldsWithFunctionsApplied = fields[relatedCollection].map((field) => applyFunctionToColumnName(field));
+            item =
+                fields[relatedCollection].length > 0 ? pick(rawItem, fieldsWithFunctionsApplied) : rawItem[primaryKeyField];
+            items.push(item);
+        }
+    }
+    else {
+        const fields = [];
+        const nestedCollectionNodes = [];
+        for (const child of ast.children) {
+            fields.push(child.fieldKey);
+            if (child.type !== 'field' && child.type !== 'functionField') {
+                nestedCollectionNodes.push(child);
+            }
+        }
+        // Make sure any requested aggregate fields are included
+        if (ast.query?.aggregate) {
+            for (const [operation, aggregateFields] of Object.entries(ast.query.aggregate)) {
+                if (!fields)
+                    continue;
+                if (operation === 'count' && aggregateFields.includes('*'))
+                    fields.push('count');
+                fields.push(...aggregateFields.map((field) => `${operation}.${field}`));
+            }
+        }
+        for (const rawItem of rawItems) {
+            if (rawItem === null || rawItem === undefined)
+                return rawItem;
+            let item = rawItem;
+            for (const nestedNode of nestedCollectionNodes) {
+                item[nestedNode.fieldKey] = removeTemporaryFields(schema, item[nestedNode.fieldKey], nestedNode, nestedNode.type === 'm2o'
+                    ? schema.collections[nestedNode.relation.related_collection].primary
+                    : schema.collections[nestedNode.relation.collection].primary, item);
+            }
+            const fieldsWithFunctionsApplied = fields.map((field) => applyFunctionToColumnName(field));
+            item = fields.length > 0 ? pick(rawItem, fieldsWithFunctionsApplied) : rawItem[primaryKeyField];
+            items.push(item);
+        }
+    }
+    return Array.isArray(rawItem) ? items : items[0];
+}

package/dist/extensions/lib/sandbox/generate-api-extensions-sandbox-entrypoint.d.ts

@@ -16,7 +16,7 @@ export declare function generateApiExtensionsSandboxEntrypoint(type: ApiExtensio
     unregisterFunction: () => Promise<void>;
 } | {
     code: string;
-    hostFunctions: ((path: import("isolated-vm").Reference<string>, method: import("isolated-vm").Reference<"GET" | "POST" | "DELETE" | "PUT" | "PATCH">, cb: import("isolated-vm").Reference<(req: {
+    hostFunctions: ((path: import("isolated-vm").Reference<string>, method: import("isolated-vm").Reference<"GET" | "POST" | "PUT" | "PATCH" | "DELETE">, cb: import("isolated-vm").Reference<(req: {
         url: string;
         headers: import("http").IncomingHttpHeaders;
         body: string;

package/dist/flows.js

@@ -1,8 +1,9 @@
 import { Action } from '@directus/constants';
 import { useEnv } from '@directus/env';
 import { ForbiddenError } from '@directus/errors';
+import { isSystemCollection } from '@directus/system-data';
 import { applyOptionsData, getRedactedString, isValidJSON, parseJSON, toArray } from '@directus/utils';
-import { omit, pick } from 'lodash-es';
+import { pick } from 'lodash-es';
 import { get } from 'micromustache';
 import { useBus } from './bus/index.js';
 import getDatabase from './database/index.js';
@@ -18,7 +19,6 @@ import { JobQueue } from './utils/job-queue.js';
 import { mapValuesDeep } from './utils/map-values-deep.js';
 import { redactObject } from './utils/redact-object.js';
 import { scheduleSynchronizedJob, validateCron } from './utils/schedule.js';
-import { isSystemCollection } from '@directus/system-data';
 let flowManager;
 export function getFlowManager() {
     if (flowManager) {
@@ -284,8 +284,7 @@ class FlowManager {
                     item: flow.id,
                     data: {
                         steps: steps.map((step) => redactObject(step, { values: this.envs }, getRedactedString)),
-                        data: redactObject(omit(keyedData, '$accountability.permissions'), // Permissions is a ton of data, and is just a copy of what's in the directus_permissions table
-                        {
+                        data: redactObject(keyedData, {
                             keys: [
                                 ['**', 'headers', 'authorization'],
                                 ['**', 'headers', 'cookie'],

package/dist/middleware/authenticate.js

@@ -1,6 +1,7 @@
 import { isEqual } from 'lodash-es';
 import getDatabase from '../database/index.js';
 import emitter from '../emitter.js';
+import { createDefaultAccountability } from '../permissions/utils/create-default-accountability.js';
 import asyncHandler from '../utils/async-handler.js';
 import { getAccountabilityForToken } from '../utils/get-accountability-for-token.js';
 import { getIPFromReq } from '../utils/get-ip-from-req.js';
@@ -12,13 +13,7 @@ import { SESSION_COOKIE_OPTIONS } from '../constants.js';
  */
 export const handler = async (req, res, next) => {
     const env = useEnv();
-    const defaultAccountability = {
-        user: null,
-        role: null,
-        admin: false,
-        app: false,
-        ip: getIPFromReq(req),
-    };
+    const defaultAccountability = createDefaultAccountability({ ip: getIPFromReq(req) });
     const userAgent = req.get('user-agent')?.substring(0, 1024);
     if (userAgent)
         defaultAccountability.userAgent = userAgent;

package/dist/middleware/cache.js

@@ -20,7 +20,7 @@ const checkCacheMiddleware = asyncHandler(async (req, res, next) => {
             res.setHeader(`${env['CACHE_STATUS_HEADER']}`, 'MISS');
         return next();
     }
-    const key = getCacheKey(req);
+    const key = await getCacheKey(req);
     let cachedData;
     try {
         cachedData = await getCacheValue(cache, key);

package/dist/middleware/cors.js

@@ -4,12 +4,12 @@ let corsMiddleware = (_req, _res, next) => next();
 const env = useEnv();
 if (env['CORS_ENABLED'] === true) {
     corsMiddleware = cors({
-        origin: env['CORS_ORIGIN'] || true,
-        methods: env['CORS_METHODS'] || 'GET,POST,PATCH,DELETE',
+        origin: env['CORS_ORIGIN'],
+        methods: env['CORS_METHODS'],
         allowedHeaders: env['CORS_ALLOWED_HEADERS'],
         exposedHeaders: env['CORS_EXPOSED_HEADERS'],
-        credentials: env['CORS_CREDENTIALS'] || undefined,
-        maxAge: env['CORS_MAX_AGE'] || undefined,
+        credentials: env['CORS_CREDENTIALS'],
+        maxAge: env['CORS_MAX_AGE'],
     });
 }
 export default corsMiddleware;

package/dist/middleware/respond.js

@@ -25,7 +25,7 @@ export const respond = asyncHandler(async (req, res) => {
         !req.sanitizedQuery.export &&
         res.locals['cache'] !== false &&
         exceedsMaxSize === false) {
-        const key = getCacheKey(req);
+        const key = await getCacheKey(req);
         try {
             await setCacheValue(cache, key, res.locals['payload'], getMilliseconds(env['CACHE_TTL']));
             await setCacheValue(cache, `${key}__expires_at`, { exp: Date.now() + getMilliseconds(env['CACHE_TTL'], 0) });

package/dist/permissions/cache.d.ts

@@ -0,0 +1,2 @@
+export declare const useCache: () => import("@directus/memory").Cache;
+export declare function clearCache(): Promise<void>;

package/dist/permissions/cache.js

@@ -0,0 +1,23 @@
+import { defineCache } from '@directus/memory';
+import { redisConfigAvailable, useRedis } from '../redis/index.js';
+const localOnly = redisConfigAvailable() === false;
+const config = localOnly
+    ? {
+        type: 'local',
+        maxKeys: 500,
+    }
+    : {
+        type: 'multi',
+        redis: {
+            namespace: 'permissions',
+            redis: useRedis(),
+        },
+        local: {
+            maxKeys: 100,
+        },
+    };
+export const useCache = defineCache(config);
+export function clearCache() {
+    const cache = useCache();
+    return cache.clear();
+}

package/dist/permissions/lib/fetch-permissions.d.ts

@@ -0,0 +1,10 @@
+import type { Accountability, Permission, PermissionsAction } from '@directus/types';
+import type { Context } from '../types.js';
+export declare const fetchPermissions: typeof _fetchPermissions;
+export interface FetchPermissionsOptions {
+    action?: PermissionsAction;
+    policies: string[];
+    collections?: string[];
+    accountability?: Pick<Accountability, 'user' | 'role' | 'roles' | 'app'>;
+}
+export declare function _fetchPermissions(options: FetchPermissionsOptions, context: Context): Promise<Permission[]>;

package/dist/permissions/lib/fetch-permissions.js

@@ -0,0 +1,55 @@
+import { pick, sortBy } from 'lodash-es';
+import { fetchDynamicVariableContext } from '../utils/fetch-dynamic-variable-context.js';
+import { processPermissions } from '../utils/process-permissions.js';
+import { withCache } from '../utils/with-cache.js';
+import { withAppMinimalPermissions } from './with-app-minimal-permissions.js';
+export const fetchPermissions = withCache('permissions', _fetchPermissions, ({ action, policies, collections, accountability }) => ({
+    policies, // we assume that policies always come from the same source, so they should be in the same order
+    ...(action && { action }),
+    ...(collections && { collections: sortBy(collections) }),
+    ...(accountability && { accountability: pick(accountability, ['user', 'role', 'roles', 'app']) }),
+}));
+export async function _fetchPermissions(options, context) {
+    const { PermissionsService } = await import('../../services/permissions.js');
+    const permissionsService = new PermissionsService(context);
+    const filter = {
+        _and: [{ policy: { _in: options.policies } }],
+    };
+    if (options.action) {
+        filter._and.push({ action: { _eq: options.action } });
+    }
+    if (options.collections) {
+        filter._and.push({ collection: { _in: options.collections } });
+    }
+    let permissions = (await permissionsService.readByQuery({
+        filter,
+        limit: -1,
+    }));
+    // Sort permissions by their order in the policies array
+    // This ensures that if a sorted array of policies is passed in the permissions are returned in the same order
+    // which is necessary for correctly applying the presets in order
+    permissions = sortBy(permissions, (permission) => options.policies.indexOf(permission.policy));
+    if (options.accountability) {
+        // Add app minimal permissions for the request accountability, if applicable.
+        // Normally this is done in the permissions service readByQuery, but it also needs to do it here
+        // since the permissions service is created without accountability.
+        // We call it without the policies filter, since the static minimal app permissions don't have a policy attached.
+        const permissionsWithAppPermissions = withAppMinimalPermissions(options.accountability ?? null, permissions, {
+            _and: filter._and.slice(1),
+        });
+        const permissionsContext = await fetchDynamicVariableContext({
+            accountability: options.accountability,
+            policies: options.policies,
+            permissions: permissionsWithAppPermissions,
+        }, context);
+        // Replace dynamic variables with their actual values
+        const processedPermissions = processPermissions({
+            permissions: permissionsWithAppPermissions,
+            accountability: options.accountability,
+            permissionsContext,
+        });
+        // TODO merge in permissions coming from the share scope
+        return processedPermissions;
+    }
+    return permissions;
+}

package/dist/permissions/lib/fetch-policies.d.ts

@@ -0,0 +1,7 @@
+import type { Accountability } from '@directus/types';
+import type { Context } from '../types.js';
+export declare const fetchPolicies: typeof _fetchPolicies;
+/**
+ * Fetch the policies associated with the current user accountability
+ */
+export declare function _fetchPolicies({ roles, user, ip }: Pick<Accountability, 'user' | 'roles' | 'ip'>, context: Context): Promise<string[]>;

package/dist/permissions/lib/fetch-policies.js

@@ -0,0 +1,28 @@
+import { filterPoliciesByIp } from '../utils/filter-policies-by-ip.js';
+import { withCache } from '../utils/with-cache.js';
+export const fetchPolicies = withCache('policies', _fetchPolicies, ({ roles, user, ip }) => ({ roles, user, ip }));
+/**
+ * Fetch the policies associated with the current user accountability
+ */
+export async function _fetchPolicies({ roles, user, ip }, context) {
+    const { AccessService } = await import('../../services/access.js');
+    const accessService = new AccessService(context);
+    let roleFilter;
+    if (roles.length === 0) {
+        // Users without role assumes the Public role permissions along with their attached policies
+        roleFilter = { role: { _null: true }, user: { _null: true } };
+    }
+    else {
+        roleFilter = { role: { _in: roles } };
+    }
+    // If the user is not null, we also want to include the policies attached to the user
+    const filter = user ? { _or: [{ user: { _eq: user } }, roleFilter] } : roleFilter;
+    const accessRows = (await accessService.readByQuery({
+        filter,
+        fields: ['policy.id', 'policy.ip_access'],
+        limit: -1,
+    }));
+    const filteredAccessRows = filterPoliciesByIp(accessRows, ip);
+    const ids = filteredAccessRows.map(({ policy }) => policy.id);
+    return ids;
+}

package/dist/permissions/lib/fetch-roles-tree.d.ts

@@ -0,0 +1,3 @@
+import type { Knex } from 'knex';
+export declare const fetchRolesTree: typeof _fetchRolesTree;
+export declare function _fetchRolesTree(start: string | null, knex: Knex): Promise<string[]>;

package/dist/permissions/lib/fetch-roles-tree.js

@@ -0,0 +1,28 @@
+import { withCache } from '../utils/with-cache.js';
+export const fetchRolesTree = withCache('roles-tree', _fetchRolesTree);
+export async function _fetchRolesTree(start, knex) {
+    if (!start)
+        return [];
+    let parent = start;
+    const roles = [];
+    while (parent) {
+        const role = await knex
+            .select('id', 'parent')
+            .from('directus_roles')
+            .where({ id: parent })
+            .first();
+        if (!role) {
+            break;
+        }
+        roles.push(role.id);
+        // Prevent infinite recursion loops
+        if (role.parent && roles.includes(role.parent) === true) {
+            roles.reverse();
+            const rolesStr = roles.map((role) => `"${role}"`).join('->');
+            throw new Error(`Recursion encountered: role "${role.id}" already exists in tree path ${rolesStr}`);
+        }
+        parent = role.parent;
+    }
+    roles.reverse();
+    return roles;
+}

package/dist/{services/permissions → permissions}/lib/with-app-minimal-permissions.d.ts

@@ -1,2 +1,2 @@
 import type { Accountability, Permission, Query } from '@directus/types';
-export declare function withAppMinimalPermissions(accountability: Accountability | null, permissions: Permission[], filter: Query['filter']): Permission[];
+export declare function withAppMinimalPermissions(accountability: Pick<Accountability, 'app'> | null, permissions: Permission[], filter: Query['filter']): Permission[];

package/dist/permissions/lib/with-app-minimal-permissions.js

@@ -0,0 +1,10 @@
+import { appAccessMinimalPermissions } from '@directus/system-data';
+import { cloneDeep } from 'lodash-es';
+import { filterItems } from '../../utils/filter-items.js';
+export function withAppMinimalPermissions(accountability, permissions, filter) {
+    if (accountability?.app === true) {
+        const filteredAppMinimalPermissions = cloneDeep(filterItems(appAccessMinimalPermissions, filter));
+        return [...permissions, ...filteredAppMinimalPermissions];
+    }
+    return permissions;
+}

package/dist/permissions/modules/fetch-accountability-collection-access/fetch-accountability-collection-access.d.ts

@@ -0,0 +1,7 @@
+import type { Accountability, CollectionAccess } from '@directus/types';
+import type { Context } from '../../types.js';
+/**
+ * Get all permissions + minimal app permissions (if applicable) for the user + role in the current accountability.
+ * The permissions will be filtered by IP access.
+ */
+export declare function fetchAccountabilityCollectionAccess(accountability: Pick<Accountability, 'user' | 'roles' | 'role' | 'ip' | 'admin' | 'app'>, context: Context): Promise<CollectionAccess>;

package/dist/permissions/modules/fetch-accountability-collection-access/fetch-accountability-collection-access.js

@@ -0,0 +1,56 @@
+import { PERMISSION_ACTIONS } from '@directus/constants';
+import { mapValues, uniq } from 'lodash-es';
+import { fetchPermissions } from '../../lib/fetch-permissions.js';
+import { fetchPolicies } from '../../lib/fetch-policies.js';
+/**
+ * Get all permissions + minimal app permissions (if applicable) for the user + role in the current accountability.
+ * The permissions will be filtered by IP access.
+ */
+export async function fetchAccountabilityCollectionAccess(accountability, context) {
+    if (accountability.admin) {
+        return mapValues(context.schema.collections, () => Object.fromEntries(PERMISSION_ACTIONS.map((action) => [
+            action,
+            {
+                access: 'full',
+                fields: ['*'],
+            },
+        ])));
+    }
+    const policies = await fetchPolicies(accountability, context);
+    const permissions = await fetchPermissions({ policies, accountability }, context);
+    const infos = {};
+    for (const perm of permissions) {
+        // Ensure that collection is in infos
+        if (!infos[perm.collection]) {
+            infos[perm.collection] = {
+                read: { access: 'none' },
+                create: { access: 'none' },
+                update: { access: 'none' },
+                delete: { access: 'none' },
+                share: { access: 'none' },
+            };
+        }
+        // Ensure that action with default values is in collection infos
+        if (infos[perm.collection][perm.action]?.access === 'none') {
+            // If a permissions is iterated over it means that the user has access to it, so set access to 'full'
+            // Set access to 'full' initially and refine that whenever a permission with filters is encountered
+            infos[perm.collection][perm.action].access = 'full';
+        }
+        const info = infos[perm.collection][perm.action];
+        // Set access to 'partial' if the permission has filters, which means that the user has conditional access
+        if (info.access === 'full' && perm.permissions && Object.keys(perm.permissions).length > 0) {
+            info.access = 'partial';
+        }
+        if (perm.fields && info.fields?.[0] !== '*') {
+            info.fields = uniq([...(info.fields || []), ...(perm.fields || [])]);
+            if (info.fields.includes('*')) {
+                info.fields = ['*'];
+            }
+        }
+        if (perm.presets) {
+            info.presets = { ...(info.presets ?? {}), ...perm.presets };
+        }
+    }
+    // TODO Should fields by null, undefined or and empty array if no access?
+    return infos;
+}

package/dist/permissions/modules/fetch-accountability-policy-globals/fetch-accountability-policy-globals.d.ts

@@ -0,0 +1,3 @@
+import type { Accountability, Globals } from '@directus/types';
+import type { Context } from '../../types.js';
+export declare function fetchAccountabilityPolicyGlobals(accountability: Pick<Accountability, 'user' | 'roles' | 'ip' | 'admin' | 'app'>, context: Context): Promise<Globals>;

package/dist/permissions/modules/fetch-accountability-policy-globals/fetch-accountability-policy-globals.js

@@ -0,0 +1,16 @@
+import { fetchPolicies } from '../../lib/fetch-policies.js';
+export async function fetchAccountabilityPolicyGlobals(accountability, context) {
+    const policies = await fetchPolicies(accountability, context);
+    // Policies are already filtered down by the accountability IP, so we don't need to check it again
+    const result = await context.knex
+        .select(1)
+        .from('directus_policies')
+        .whereIn('id', policies)
+        .where('enforce_tfa', true)
+        .first();
+    return {
+        app_access: accountability.app,
+        admin_access: accountability.admin,
+        enforce_tfa: !!result,
+    };
+}

package/dist/permissions/modules/fetch-allowed-collections/fetch-allowed-collections.d.ts

@@ -0,0 +1,8 @@
+import type { Accountability, PermissionsAction } from '@directus/types';
+import type { Context } from '../../types.js';
+export interface FetchAllowedCollectionsOptions {
+    action: PermissionsAction;
+    accountability: Pick<Accountability, 'user' | 'role' | 'roles' | 'ip' | 'admin' | 'app'>;
+}
+export declare const fetchAllowedCollections: typeof _fetchAllowedCollections;
+export declare function _fetchAllowedCollections({ action, accountability }: FetchAllowedCollectionsOptions, { knex, schema }: Context): Promise<string[]>;

package/dist/permissions/modules/fetch-allowed-collections/fetch-allowed-collections.js

@@ -0,0 +1,24 @@
+import { uniq } from 'lodash-es';
+import { fetchPolicies } from '../../lib/fetch-policies.js';
+import { withCache } from '../../utils/with-cache.js';
+import { fetchPermissions } from '../../lib/fetch-permissions.js';
+export const fetchAllowedCollections = withCache('allowed-collections', _fetchAllowedCollections, ({ action, accountability: { user, role, roles, ip, admin, app } }) => ({
+    action,
+    accountability: {
+        user,
+        role,
+        roles,
+        ip,
+        admin,
+        app,
+    },
+}));
+export async function _fetchAllowedCollections({ action, accountability }, { knex, schema }) {
+    if (accountability.admin) {
+        return Object.keys(schema.collections);
+    }
+    const policies = await fetchPolicies(accountability, { knex, schema });
+    const permissions = await fetchPermissions({ action, policies, accountability }, { knex, schema });
+    const collections = permissions.map(({ collection }) => collection);
+    return uniq(collections);
+}

package/dist/permissions/modules/fetch-allowed-field-map/fetch-allowed-field-map.d.ts

@@ -0,0 +1,9 @@
+import type { Accountability, PermissionsAction } from '@directus/types';
+import type { Context } from '../../types.js';
+export type FieldMap = Record<string, string[]>;
+export interface FetchAllowedFieldMapOptions {
+    accountability: Pick<Accountability, 'user' | 'role' | 'roles' | 'ip' | 'admin' | 'app'>;
+    action: PermissionsAction;
+}
+export declare const fetchAllowedFieldMap: typeof _fetchAllowedFieldMap;
+export declare function _fetchAllowedFieldMap({ accountability, action }: FetchAllowedFieldMapOptions, { knex, schema }: Context): Promise<FieldMap>;

package/dist/permissions/modules/fetch-allowed-field-map/fetch-allowed-field-map.js

@@ -0,0 +1,31 @@
+import { uniq } from 'lodash-es';
+import { fetchPolicies } from '../../lib/fetch-policies.js';
+import { withCache } from '../../utils/with-cache.js';
+import { fetchPermissions } from '../../lib/fetch-permissions.js';
+export const fetchAllowedFieldMap = withCache('allowed-field-map', _fetchAllowedFieldMap, ({ action, accountability: { user, role, roles, ip, admin, app } }) => ({
+    action,
+    accountability: { user, role, roles, ip, admin, app },
+}));
+export async function _fetchAllowedFieldMap({ accountability, action }, { knex, schema }) {
+    const fieldMap = {};
+    if (accountability.admin) {
+        for (const [collection, { fields }] of Object.entries(schema.collections)) {
+            fieldMap[collection] = Object.keys(fields);
+        }
+        return fieldMap;
+    }
+    const policies = await fetchPolicies(accountability, { knex, schema });
+    const permissions = await fetchPermissions({ action, policies, accountability }, { knex, schema });
+    for (const { collection, fields } of permissions) {
+        if (!fieldMap[collection]) {
+            fieldMap[collection] = [];
+        }
+        if (fields) {
+            fieldMap[collection].push(...fields);
+        }
+    }
+    for (const [collection, fields] of Object.entries(fieldMap)) {
+        fieldMap[collection] = uniq(fields);
+    }
+    return fieldMap;
+}

package/dist/permissions/modules/fetch-allowed-fields/fetch-allowed-fields.d.ts

@@ -0,0 +1,16 @@
+import type { Accountability, PermissionsAction } from '@directus/types';
+import type { Context } from '../../types.js';
+export interface FetchAllowedFieldsOptions {
+    collection: string;
+    action: PermissionsAction;
+    accountability: Pick<Accountability, 'user' | 'role' | 'roles' | 'ip' | 'app'>;
+}
+export declare const fetchAllowedFields: typeof _fetchAllowedFields;
+/**
+ * Look up all fields that are allowed to be used for the given collection and action for the given
+ * accountability object
+ *
+ * Done by looking up all available policies for the current accountability object, and reading all
+ * permissions that exist for the collection+action+policy combination
+ */
+export declare function _fetchAllowedFields({ accountability, action, collection }: FetchAllowedFieldsOptions, { knex, schema }: Context): Promise<string[]>;