npm - @directus/api - Versions diffs - 19.3.1 → 20.0.0-rc.0 - Mend

@directus/api 19.3.1 → 20.0.0-rc.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (285) hide show

package/dist/permissions/modules/fetch-allowed-fields/fetch-allowed-fields.js ADDED Viewed

@@ -0,0 +1,27 @@
+import { uniq } from 'lodash-es';
+import { fetchPermissions } from '../../lib/fetch-permissions.js';
+import { fetchPolicies } from '../../lib/fetch-policies.js';
+import { withCache } from '../../utils/with-cache.js';
+export const fetchAllowedFields = withCache('allowed-fields', _fetchAllowedFields, ({ action, collection, accountability: { user, role, roles, ip, app } }) => ({
+    action,
+    collection,
+    accountability: { user, role, roles, ip, app },
+}));
+/**
+ * Look up all fields that are allowed to be used for the given collection and action for the given
+ * accountability object
+ *
+ * Done by looking up all available policies for the current accountability object, and reading all
+ * permissions that exist for the collection+action+policy combination
+ */
+export async function _fetchAllowedFields({ accountability, action, collection }, { knex, schema }) {
+    const policies = await fetchPolicies(accountability, { knex, schema });
+    const permissions = await fetchPermissions({ action, collections: [collection], policies, accountability }, { knex, schema });
+    const allowedFields = [];
+    for (const { fields } of permissions) {
+        if (!fields)
+            continue;
+        allowedFields.push(...fields);
+    }
+    return uniq(allowedFields).filter((field) => field === '*' || field in (schema.collections[collection]?.fields ?? {}));
+}

package/dist/permissions/modules/fetch-global-access/fetch-global-access.d.ts ADDED Viewed

@@ -0,0 +1,10 @@
+import type { Accountability } from '@directus/types';
+import type { Knex } from 'knex';
+import type { GlobalAccess } from './types.js';
+export declare const fetchGlobalAccess: typeof _fetchGlobalAccess;
+/**
+ * Fetch the global access (eg admin/app access) rules for the given roles, or roles+user combination
+ *
+ * Will fetch roles and user info separately so they can be cached and reused individually
+ */
+export declare function _fetchGlobalAccess(accountability: Pick<Accountability, 'user' | 'roles' | 'ip'>, knex: Knex): Promise<GlobalAccess>;

package/dist/permissions/modules/fetch-global-access/fetch-global-access.js ADDED Viewed

@@ -0,0 +1,23 @@
+import { withCache } from '../../utils/with-cache.js';
+import { fetchGlobalAccessForRoles } from './lib/fetch-global-access-for-roles.js';
+import { fetchGlobalAccessForUser } from './lib/fetch-global-access-for-user.js';
+export const fetchGlobalAccess = withCache('global-access', _fetchGlobalAccess, ({ user, roles, ip }) => ({
+    user,
+    roles,
+    ip,
+}));
+/**
+ * Fetch the global access (eg admin/app access) rules for the given roles, or roles+user combination
+ *
+ * Will fetch roles and user info separately so they can be cached and reused individually
+ */
+export async function _fetchGlobalAccess(accountability, knex) {
+    const access = await fetchGlobalAccessForRoles(accountability, knex);
+    if (accountability.user !== undefined) {
+        const userAccess = await fetchGlobalAccessForUser(accountability, knex);
+        // If app/admin is already true, keep it true
+        access.app ||= userAccess.app;
+        access.admin ||= userAccess.admin;
+    }
+    return access;
+}

package/dist/permissions/modules/fetch-global-access/lib/fetch-global-access-for-roles.d.ts ADDED Viewed

@@ -0,0 +1,5 @@
+import type { Accountability } from '@directus/types';
+import type { Knex } from 'knex';
+import type { GlobalAccess } from '../types.js';
+export declare const fetchGlobalAccessForRoles: typeof _fetchGlobalAccessForRoles;
+export declare function _fetchGlobalAccessForRoles(accountability: Pick<Accountability, 'roles' | 'ip'>, knex: Knex): Promise<GlobalAccess>;

package/dist/permissions/modules/fetch-global-access/lib/fetch-global-access-for-roles.js ADDED Viewed

@@ -0,0 +1,7 @@
+import { withCache } from '../../../utils/with-cache.js';
+import { fetchGlobalAccessForQuery } from '../utils/fetch-global-access-for-query.js';
+export const fetchGlobalAccessForRoles = withCache('global-access-role', _fetchGlobalAccessForRoles, ({ roles, ip }) => ({ roles, ip }));
+export async function _fetchGlobalAccessForRoles(accountability, knex) {
+    const query = knex.where('role', 'in', accountability.roles);
+    return await fetchGlobalAccessForQuery(query, accountability);
+}

package/dist/permissions/modules/fetch-global-access/lib/fetch-global-access-for-user.d.ts ADDED Viewed

@@ -0,0 +1,5 @@
+import type { Accountability } from '@directus/types';
+import type { Knex } from 'knex';
+import type { GlobalAccess } from '../types.js';
+export declare const fetchGlobalAccessForUser: typeof _fetchGlobalAccessForUser;
+export declare function _fetchGlobalAccessForUser(accountability: Pick<Accountability, 'user' | 'ip'>, knex: Knex): Promise<GlobalAccess>;

package/dist/permissions/modules/fetch-global-access/lib/fetch-global-access-for-user.js ADDED Viewed

@@ -0,0 +1,10 @@
+import { withCache } from '../../../utils/with-cache.js';
+import { fetchGlobalAccessForQuery } from '../utils/fetch-global-access-for-query.js';
+export const fetchGlobalAccessForUser = withCache('global-access-user', _fetchGlobalAccessForUser, ({ user, ip }) => ({
+    user,
+    ip,
+}));
+export async function _fetchGlobalAccessForUser(accountability, knex) {
+    const query = knex.where('user', '=', accountability.user);
+    return await fetchGlobalAccessForQuery(query, accountability);
+}

package/dist/permissions/modules/fetch-global-access/types.d.ts ADDED Viewed

@@ -0,0 +1,4 @@
+export interface GlobalAccess {
+    app: boolean;
+    admin: boolean;
+}

package/dist/permissions/modules/fetch-global-access/types.js ADDED Viewed

	@@ -0,0 +1 @@
1	+ export {};

package/dist/permissions/modules/fetch-global-access/utils/fetch-global-access-for-query.d.ts ADDED Viewed

@@ -0,0 +1,4 @@
+import type { Accountability } from '@directus/types';
+import type { Knex } from 'knex';
+import type { GlobalAccess } from '../types.js';
+export declare function fetchGlobalAccessForQuery(query: Knex.QueryBuilder<any, any[]>, accountability: Pick<Accountability, 'ip'>): Promise<GlobalAccess>;

package/dist/permissions/modules/fetch-global-access/utils/fetch-global-access-for-query.js ADDED Viewed

@@ -0,0 +1,27 @@
+import { toBoolean, toArray } from '@directus/utils';
+import { ipInNetworks } from '../../../../utils/ip-in-networks.js';
+export async function fetchGlobalAccessForQuery(query, accountability) {
+    const globalAccess = {
+        app: false,
+        admin: false,
+    };
+    const accessRows = await query
+        .select('directus_policies.admin_access', 'directus_policies.app_access', 'directus_policies.ip_access')
+        .from('directus_access')
+        // @NOTE: `where` clause comes from the caller
+        .leftJoin('directus_policies', 'directus_policies.id', 'directus_access.policy');
+    // Additively merge access permissions
+    for (const { admin_access, app_access, ip_access } of accessRows) {
+        if (accountability.ip && ip_access) {
+            // Skip row if IP is not in the allowed networks
+            const networks = toArray(ip_access);
+            if (!ipInNetworks(accountability.ip, networks))
+                continue;
+        }
+        globalAccess.admin ||= toBoolean(admin_access);
+        globalAccess.app ||= globalAccess.admin || toBoolean(app_access);
+        if (globalAccess.admin)
+            break;
+    }
+    return globalAccess;
+}

package/dist/permissions/modules/fetch-inconsistent-field-map/fetch-inconsistent-field-map.d.ts ADDED Viewed

@@ -0,0 +1,12 @@
+import type { Accountability, PermissionsAction } from '@directus/types';
+import type { Context } from '../../types.js';
+export type FieldMap = Record<string, string[]>;
+export interface FetchInconsistentFieldMapOptions {
+    accountability: Pick<Accountability, 'user' | 'role' | 'roles' | 'ip' | 'admin' | 'app'> | null;
+    action: PermissionsAction;
+}
+/**
+ * Fetch a field map for fields that may or may not be null based on item-by-item permissions.
+ */
+export declare const fetchInconsistentFieldMap: typeof _fetchInconsistentFieldMap;
+export declare function _fetchInconsistentFieldMap({ accountability, action }: FetchInconsistentFieldMapOptions, { knex, schema }: Context): Promise<FieldMap>;

package/dist/permissions/modules/fetch-inconsistent-field-map/fetch-inconsistent-field-map.js ADDED Viewed

@@ -0,0 +1,32 @@
+import { uniq, intersection, difference, pick } from 'lodash-es';
+import { fetchPolicies } from '../../lib/fetch-policies.js';
+import { withCache } from '../../utils/with-cache.js';
+import { fetchPermissions } from '../../lib/fetch-permissions.js';
+/**
+ * Fetch a field map for fields that may or may not be null based on item-by-item permissions.
+ */
+export const fetchInconsistentFieldMap = withCache('inconsistent-field-map', _fetchInconsistentFieldMap, ({ action, accountability }) => ({
+    action,
+    accountability: accountability ? pick(accountability, ['user', 'role', 'roles', 'ip', 'admin', 'app']) : null,
+}));
+export async function _fetchInconsistentFieldMap({ accountability, action }, { knex, schema }) {
+    const fieldMap = {};
+    if (!accountability || accountability.admin) {
+        for (const collection of Object.keys(schema.collections)) {
+            fieldMap[collection] = [];
+        }
+        return fieldMap;
+    }
+    const policies = await fetchPolicies(accountability, { knex, schema });
+    const permissions = await fetchPermissions({ action, policies, accountability }, { knex, schema });
+    const collections = uniq(permissions.map(({ collection }) => collection));
+    for (const collection of collections) {
+        const fields = permissions
+            .filter((permission) => permission.collection === collection)
+            .map((permission) => permission.fields ?? []);
+        const availableEverywhere = intersection(...fields);
+        const availableSomewhere = difference(uniq(fields.flat()), availableEverywhere);
+        fieldMap[collection] = availableSomewhere;
+    }
+    return fieldMap;
+}

package/dist/permissions/modules/fetch-policies-ip-access/fetch-policies-ip-access.d.ts ADDED Viewed

@@ -0,0 +1,4 @@
+import type { Accountability } from '@directus/types';
+import type { Knex } from 'knex';
+export declare const fetchPoliciesIpAccess: typeof _fetchPoliciesIpAccess;
+export declare function _fetchPoliciesIpAccess(accountability: Pick<Accountability, 'user' | 'roles'>, knex: Knex): Promise<string[][]>;

package/dist/permissions/modules/fetch-policies-ip-access/fetch-policies-ip-access.js ADDED Viewed

@@ -0,0 +1,29 @@
+import { toArray } from '@directus/utils';
+import { withCache } from '../../utils/with-cache.js';
+export const fetchPoliciesIpAccess = withCache('policies-ip-access', _fetchPoliciesIpAccess, ({ user, roles }) => ({
+    user,
+    roles,
+}));
+export async function _fetchPoliciesIpAccess(accountability, knex) {
+    const query = knex('directus_access')
+        .select({ ip_access: 'directus_policies.ip_access' })
+        .leftJoin('directus_policies', 'directus_access.policy', 'directus_policies.id')
+        .whereNotNull('directus_policies.ip_access');
+    // No roles and no user means unauthenticated request
+    if (accountability.roles.length === 0 && !accountability.user) {
+        query.where({
+            role: null,
+            user: null,
+        });
+    }
+    else {
+        query.where(function () {
+            if (accountability.user) {
+                this.orWhere('directus_access.user', accountability.user);
+            }
+            this.orWhereIn('directus_access.role', accountability.roles);
+        });
+    }
+    const rows = await query;
+    return rows.filter(({ ip_access }) => ip_access).map(({ ip_access }) => toArray(ip_access));
+}

package/dist/permissions/modules/process-ast/lib/extract-fields-from-children.d.ts ADDED Viewed

@@ -0,0 +1,4 @@
+import type { SchemaOverview } from '@directus/types';
+import type { FieldNode, FunctionFieldNode, NestedCollectionNode } from '../../../../types/ast.js';
+import type { FieldMap, QueryPath } from '../types.js';
+export declare function extractFieldsFromChildren(collection: string, children: (NestedCollectionNode | FieldNode | FunctionFieldNode)[], fieldMap: FieldMap, schema: SchemaOverview, path?: QueryPath): void;

package/dist/permissions/modules/process-ast/lib/extract-fields-from-children.js ADDED Viewed

@@ -0,0 +1,49 @@
+import { getUnaliasedFieldKey } from '../../../utils/get-unaliased-field-key.js';
+import { formatA2oKey } from '../utils/format-a2o-key.js';
+import { getInfoForPath } from '../utils/get-info-for-path.js';
+import { extractFieldsFromQuery } from './extract-fields-from-query.js';
+export function extractFieldsFromChildren(collection, children, fieldMap, schema, path = []) {
+    const info = getInfoForPath(fieldMap, 'other', path, collection);
+    for (const child of children) {
+        info.fields.add(getUnaliasedFieldKey(child));
+        if (child.type === 'a2o') {
+            for (const [collection, children] of Object.entries(child.children)) {
+                extractFieldsFromChildren(collection, children, fieldMap, schema, [
+                    ...path,
+                    formatA2oKey(child.fieldKey, collection),
+                ]);
+            }
+            if (child.query) {
+                for (const [collection, query] of Object.entries(child.query)) {
+                    extractFieldsFromQuery(collection, query, fieldMap, schema, [
+                        ...path,
+                        formatA2oKey(child.fieldKey, collection),
+                    ]);
+                }
+            }
+        }
+        else if (child.type === 'm2o') {
+            extractFieldsFromChildren(child.relation.related_collection, child.children, fieldMap, schema, [
+                ...path,
+                child.fieldKey,
+            ]);
+            extractFieldsFromQuery(child.relation.related_collection, child.query, fieldMap, schema, [
+                ...path,
+                child.fieldKey,
+            ]);
+        }
+        else if (child.type === 'o2m') {
+            extractFieldsFromChildren(child.relation.collection, child.children, fieldMap, schema, [
+                ...path,
+                child.fieldKey,
+            ]);
+            extractFieldsFromQuery(child.relation.collection, child.query, fieldMap, schema, [...path, child.fieldKey]);
+        }
+        else if (child.type === 'functionField') {
+            // functionFields operate on a related o2m collection, we have to make sure we include a
+            // no-field read check to the related collection
+            extractFieldsFromChildren(child.relatedCollection, [], fieldMap, schema, [...path, child.fieldKey]);
+            extractFieldsFromQuery(child.relatedCollection, child.query, fieldMap, schema, [...path, child.fieldKey]);
+        }
+    }
+}

package/dist/permissions/modules/process-ast/lib/extract-fields-from-query.d.ts ADDED Viewed

@@ -0,0 +1,3 @@
+import type { Query, SchemaOverview } from '@directus/types';
+import type { CollectionKey, FieldKey, FieldMap } from '../types.js';
+export declare function extractFieldsFromQuery(collection: CollectionKey, query: Query, fieldMap: FieldMap, schema: SchemaOverview, pathPrefix?: FieldKey[]): void;

package/dist/permissions/modules/process-ast/lib/extract-fields-from-query.js ADDED Viewed

@@ -0,0 +1,56 @@
+import { parseFilterKey } from '../../../../utils/parse-filter-key.js';
+import { extractPathsFromQuery } from '../utils/extract-paths-from-query.js';
+import { findRelatedCollection } from '../utils/find-related-collection.js';
+import { getInfoForPath } from '../utils/get-info-for-path.js';
+export function extractFieldsFromQuery(collection, query, fieldMap, schema, pathPrefix = []) {
+    if (!query)
+        return;
+    const { paths: otherPaths, readOnlyPaths } = extractPathsFromQuery(query);
+    const groupedPaths = {
+        other: otherPaths,
+        read: readOnlyPaths,
+    };
+    for (const [group, paths] of Object.entries(groupedPaths)) {
+        for (const path of paths) {
+            /**
+             * Current path stack. For each iteration of the path loop this will be appended with the
+             * current part we're operating on. So when looping over ['category', 'created_by', 'name']
+             * the first iteration it'll be `['category']`, and then `['category', 'created_by']` etc.
+             */
+            const stack = [];
+            /**
+             * Current collection the path part we're operating on lives in. Once we hit a relational
+             * field, this will be updated to the related collection, so we can follow the relational path
+             * left to right.
+             */
+            let collectionContext = collection;
+            for (const part of path) {
+                const info = getInfoForPath(fieldMap, group, [...pathPrefix, ...stack], collectionContext);
+                // A2o specifier field fetch
+                if (part.includes(':')) {
+                    const [fieldKey, collection] = part.split(':');
+                    info.fields.add(fieldKey);
+                    collectionContext = collection;
+                    stack.push(part);
+                    continue;
+                }
+                if (part.startsWith('$FOLLOW(') && part.endsWith(')')) {
+                    // Don't add this implicit relation field to fields, as it will be accounted for in the reverse direction
+                }
+                else {
+                    const { fieldName } = parseFilterKey(part);
+                    info.fields.add(fieldName);
+                }
+                /**
+                 * Related collection for the current part. Is null when the current field isn't a
+                 * relational field.
+                 */
+                const relatedCollection = findRelatedCollection(collectionContext, part, schema);
+                if (relatedCollection) {
+                    collectionContext = relatedCollection;
+                    stack.push(part);
+                }
+            }
+        }
+    }
+}

package/dist/permissions/modules/process-ast/lib/field-map-from-ast.d.ts ADDED Viewed

@@ -0,0 +1,4 @@
+import type { SchemaOverview } from '@directus/types';
+import type { AST } from '../../../../types/ast.js';
+import type { FieldMap } from '../types.js';
+export declare function fieldMapFromAst(ast: AST, schema: SchemaOverview): FieldMap;

package/dist/permissions/modules/process-ast/lib/field-map-from-ast.js ADDED Viewed

@@ -0,0 +1,8 @@
+import { extractFieldsFromChildren } from './extract-fields-from-children.js';
+import { extractFieldsFromQuery } from './extract-fields-from-query.js';
+export function fieldMapFromAst(ast, schema) {
+    const fieldMap = { read: new Map(), other: new Map() };
+    extractFieldsFromChildren(ast.name, ast.children, fieldMap, schema);
+    extractFieldsFromQuery(ast.name, ast.query, fieldMap, schema);
+    return fieldMap;
+}

package/dist/permissions/modules/process-ast/lib/inject-cases.d.ts ADDED Viewed

@@ -0,0 +1,9 @@
+import type { Permission } from '@directus/types';
+import type { AST } from '../../../../types/ast.js';
+/**
+ * Mutates passed AST
+ *
+ * @param ast - Read query AST
+ * @param permissions - Expected to be filtered down for the policies and action already
+ */
+export declare function injectCases(ast: AST, permissions: Permission[]): void;

package/dist/permissions/modules/process-ast/lib/inject-cases.js ADDED Viewed

@@ -0,0 +1,93 @@
+import { getUnaliasedFieldKey } from '../../../utils/get-unaliased-field-key.js';
+import { dedupeAccess } from '../utils/dedupe-access.js';
+import { hasItemPermissions } from '../utils/has-item-permissions.js';
+import { uniq } from 'lodash-es';
+/**
+ * Mutates passed AST
+ *
+ * @param ast - Read query AST
+ * @param permissions - Expected to be filtered down for the policies and action already
+ */
+export function injectCases(ast, permissions) {
+    ast.cases = processChildren(ast.name, ast.children, permissions);
+}
+function processChildren(collection, children, permissions) {
+    // Use uniq here, since there might be multiple duplications due to aliases or functions
+    const requestedKeys = uniq(children.map(getUnaliasedFieldKey));
+    const { cases, caseMap, allowedFields } = getCases(collection, permissions, requestedKeys);
+    // TODO this can be optimized if there is only one rule to skip the whole case/where system,
+    //  since fields that are not allowed at all are already filtered out
+    // TODO this can be optimized if all cases are the same for all requested keys, as those should be
+    //
+    for (const child of children) {
+        // If there's one or more permissions that allow full access to this field, we can safe some
+        // query perf overhead by ignoring the whole case/where system
+        const fieldKey = getUnaliasedFieldKey(child);
+        if (allowedFields.has('*') || allowedFields.has(fieldKey))
+            continue;
+        const globalWhenCase = caseMap['*'];
+        const fieldWhenCase = caseMap[fieldKey];
+        // Validation should catch any fields that are attempted to be read that don't have any access control configured.
+        // When there are no access rules for this field, and no rules for "all" fields `*`, we missed something in the validation
+        // and should abort.
+        if (!globalWhenCase && !fieldWhenCase) {
+            throw new Error(`Cannot extract access permissions for field "${fieldKey}" in collection "${collection}"`);
+        }
+        // Global and field can't both be undefined as per the error check prior
+        child.whenCase = [...(globalWhenCase ?? []), ...(fieldWhenCase ?? [])];
+        if (child.type === 'm2o') {
+            child.cases = processChildren(child.relation.related_collection, child.children, permissions);
+        }
+        if (child.type === 'o2m') {
+            child.cases = processChildren(child.relation.collection, child.children, permissions);
+        }
+        if (child.type === 'a2o') {
+            for (const collection of child.names) {
+                child.cases[collection] = processChildren(collection, child.children[collection] ?? [], permissions);
+            }
+        }
+        if (child.type === 'functionField') {
+            const { cases } = getCases(child.relatedCollection, permissions, []);
+            child.cases = cases;
+        }
+    }
+    return cases;
+}
+function getCases(collection, permissions, requestedKeys) {
+    const permissionsForCollection = permissions.filter((permission) => permission.collection === collection);
+    const rules = dedupeAccess(permissionsForCollection);
+    const cases = [];
+    const caseMap = {};
+    // TODO this can be optimized if there is only one rule to skip the whole case/where system,
+    //  since fields that are not allowed at all are already filtered out
+    // TODO this can be optimized if all cases are the same for all requested keys, as those should be
+    //
+    let index = 0;
+    for (const { rule, fields } of rules) {
+        // If none of the fields in the current permissions rule overlap with the actually requested
+        // fields in the AST, we can ignore this case altogether
+        if (requestedKeys.length > 0 &&
+            fields.has('*') === false &&
+            Array.from(fields).every((field) => requestedKeys.includes(field) === false)) {
+            continue;
+        }
+        if (rule === null)
+            continue;
+        cases.push(rule);
+        for (const field of fields) {
+            caseMap[field] = [...(caseMap[field] ?? []), index];
+        }
+        index++;
+    }
+    // Field that are allowed no matter what conditions exist for the item. These come from
+    // permissions where the item read access is "everything"
+    const allowedFields = new Set(permissionsForCollection
+        .filter((permission) => hasItemPermissions(permission) === false)
+        .map((permission) => permission.fields ?? [])
+        .flat());
+    return {
+        cases,
+        caseMap,
+        allowedFields,
+    };
+}

package/dist/permissions/modules/process-ast/process-ast.d.ts ADDED Viewed

@@ -0,0 +1,9 @@
+import type { Accountability, PermissionsAction } from '@directus/types';
+import type { AST } from '../../../types/ast.js';
+import type { Context } from '../../types.js';
+export interface ProcessAstOptions {
+    ast: AST;
+    action: PermissionsAction;
+    accountability: Accountability | null;
+}
+export declare function processAst(options: ProcessAstOptions, context: Context): Promise<AST>;

package/dist/permissions/modules/process-ast/process-ast.js ADDED Viewed

@@ -0,0 +1,39 @@
+import { fetchPermissions } from '../../lib/fetch-permissions.js';
+import { fetchPolicies } from '../../lib/fetch-policies.js';
+import { fieldMapFromAst } from './lib/field-map-from-ast.js';
+import { injectCases } from './lib/inject-cases.js';
+import { collectionsInFieldMap } from './utils/collections-in-field-map.js';
+import { validatePathPermissions } from './utils/validate-path/validate-path-permissions.js';
+import { validatePathExistence } from './utils/validate-path/validate-path-existence.js';
+export async function processAst(options, context) {
+    // FieldMap is a Map of paths in the AST, with each path containing the collection and fields in
+    // that collection that the AST path tries to access
+    const fieldMap = fieldMapFromAst(options.ast, context.schema);
+    const collections = collectionsInFieldMap(fieldMap);
+    if (!options.accountability || options.accountability.admin) {
+        // Validate the field existence, even if no permissions apply to the current accountability
+        for (const [path, { collection, fields }] of [...fieldMap.read.entries(), ...fieldMap.other.entries()]) {
+            validatePathExistence(path, collection, fields, context.schema);
+        }
+        return options.ast;
+    }
+    const policies = await fetchPolicies(options.accountability, context);
+    const permissions = await fetchPermissions({ action: options.action, policies, collections, accountability: options.accountability }, context);
+    const readPermissions = options.action === 'read'
+        ? permissions
+        : await fetchPermissions({ action: 'read', policies, collections, accountability: options.accountability }, context);
+    // Validate field existence first
+    for (const [path, { collection, fields }] of [...fieldMap.read.entries(), ...fieldMap.other.entries()]) {
+        validatePathExistence(path, collection, fields, context.schema);
+    }
+    // Validate permissions for the fields
+    for (const [path, { collection, fields }] of fieldMap.other.entries()) {
+        validatePathPermissions(path, permissions, collection, fields);
+    }
+    // Validate permission for read only fields
+    for (const [path, { collection, fields }] of fieldMap.read.entries()) {
+        validatePathPermissions(path, readPermissions, collection, fields);
+    }
+    injectCases(options.ast, permissions);
+    return options.ast;
+}

package/dist/permissions/modules/process-ast/types.d.ts ADDED Viewed

@@ -0,0 +1,24 @@
+export type CollectionKey = string;
+export type FieldKey = string;
+export type QueryPath = string[];
+/**
+ * Key is dot-notation QueryPath, f.e. `category.created_by`.
+ * Value contains collection context for that path, and fields fetched within
+ */
+export type FieldMapEntries = Map<string, {
+    collection: CollectionKey;
+    fields: Set<FieldKey>;
+}>;
+/**
+ * FieldMapEntries that require only read permissions and those that require action specific permissions
+ */
+export type FieldMap = {
+    read: FieldMapEntries;
+    other: FieldMapEntries;
+};
+export interface AccessRow {
+    policy: {
+        id: string;
+        ip_access: string[] | null;
+    };
+}

package/dist/permissions/modules/process-ast/types.js ADDED Viewed

	@@ -0,0 +1 @@
1	+ export {};

package/dist/permissions/modules/process-ast/utils/collections-in-field-map.d.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ import type { CollectionKey, FieldMap } from '../types.js';
2	+ export declare function collectionsInFieldMap(fieldMap: FieldMap): CollectionKey[];

package/dist/permissions/modules/process-ast/utils/collections-in-field-map.js ADDED Viewed

@@ -0,0 +1,7 @@
+export function collectionsInFieldMap(fieldMap) {
+    const collections = new Set();
+    for (const { collection } of [...fieldMap.other.values(), ...fieldMap.read.values()]) {
+        collections.add(collection);
+    }
+    return Array.from(collections);
+}

package/dist/permissions/modules/process-ast/utils/dedupe-access.d.ts ADDED Viewed

@@ -0,0 +1,12 @@
+import type { Filter, Permission } from '@directus/types';
+/**
+ * Deduplicate the permissions sets by merging the field sets based on the access control rules
+ * (`permissions` in Permission rows)
+ *
+ * This allows the cases injection to be more efficient by not having to generate duplicate
+ * case/when clauses for permission sets where the rule access is identical
+ */
+export declare function dedupeAccess(permissions: Permission[]): {
+    rule: Filter;
+    fields: Set<string>;
+}[];

package/dist/permissions/modules/process-ast/utils/dedupe-access.js ADDED Viewed

@@ -0,0 +1,30 @@
+import hash from 'object-hash';
+/**
+ * Deduplicate the permissions sets by merging the field sets based on the access control rules
+ * (`permissions` in Permission rows)
+ *
+ * This allows the cases injection to be more efficient by not having to generate duplicate
+ * case/when clauses for permission sets where the rule access is identical
+ */
+export function dedupeAccess(permissions) {
+    // Map of `ruleHash: fields[]`
+    const map = new Map();
+    for (const permission of permissions) {
+        const rule = permission.permissions ?? {};
+        // Two JS objects can't be equality checked. Object-hash will resort any nested arrays
+        // deterministically meaning that this can be used to compare two rule sets where the array
+        // order does not matter
+        const ruleHash = hash(rule, {
+            algorithm: 'passthrough',
+            unorderedArrays: true,
+        });
+        if (map.has(ruleHash) === false) {
+            map.set(ruleHash, { rule, fields: new Set() });
+        }
+        const info = map.get(ruleHash);
+        for (const field of permission.fields ?? []) {
+            info.fields.add(field);
+        }
+    }
+    return Array.from(map.values());
+}

package/dist/permissions/modules/process-ast/utils/extract-paths-from-query.d.ts ADDED Viewed

@@ -0,0 +1,15 @@
+import type { Query } from '@directus/types';
+/**
+ * Converts the passed Query object into a unique list of path arrays, for example:
+ *
+ * ```
+ * [
+ * 	['author', 'age'],
+ * 	['category']
+ * ]
+ * ```
+ */
+export declare function extractPathsFromQuery(query: Query): {
+    paths: string[][];
+    readOnlyPaths: string[][];
+};