@directus/api 19.3.1 → 20.0.0-rc.0

package/dist/permissions/utils/get-unaliased-field-key.js

@@ -0,0 +1,17 @@
+import { parseFilterKey } from '../../utils/parse-filter-key.js';
+/**
+ * Derive the unaliased field key from the given AST node.
+ */
+export function getUnaliasedFieldKey(node) {
+    switch (node.type) {
+        case 'o2m':
+            return node.relation.meta.one_field;
+        case 'a2o':
+        case 'm2o':
+            return node.relation.field;
+        case 'field':
+        case 'functionField':
+            // The field name might still include a function, so process that here as well
+            return parseFilterKey(node.name).fieldName;
+    }
+}

package/dist/permissions/utils/process-permissions.d.ts

@@ -0,0 +1,7 @@
+import type { Accountability, Permission } from '@directus/types';
+export interface ProcessPermissionsOptions {
+    permissions: Permission[];
+    accountability: Pick<Accountability, 'user' | 'role' | 'roles'>;
+    permissionsContext: Record<string, any>;
+}
+export declare function processPermissions({ permissions, accountability, permissionsContext }: ProcessPermissionsOptions): Permission[];

package/dist/permissions/utils/process-permissions.js

@@ -0,0 +1,9 @@
+import { parseFilter, parsePreset } from '@directus/utils';
+export function processPermissions({ permissions, accountability, permissionsContext }) {
+    return permissions.map((permission) => {
+        permission.permissions = parseFilter(permission.permissions, accountability, permissionsContext);
+        permission.validation = parseFilter(permission.validation, accountability, permissionsContext);
+        permission.presets = parsePreset(permission.presets, accountability, permissionsContext);
+        return permission;
+    });
+}

package/dist/permissions/utils/with-cache.d.ts

@@ -0,0 +1,10 @@
+/**
+ * The `pick` parameter can be used to stabilize cache keys, by only using a subset of the available parameters and
+ * ensuring key order.
+ *
+ * If the `pick` function is provided, we pass the picked result to the handler, in order for TypeScript to ensure that
+ * the function only relies on the parameters that are used for generating the cache key.
+ *
+ * @NOTE only uses the first parameter for memoization
+ */
+export declare function withCache<F extends (arg0: Arg0, ...args: any[]) => R, R, Arg0 = Parameters<F>[0]>(namespace: string, handler: F, prepareArg?: (arg0: Arg0) => Arg0): F;

package/dist/permissions/utils/with-cache.js

@@ -0,0 +1,25 @@
+import { getSimpleHash } from '@directus/utils';
+import { useCache } from '../cache.js';
+/**
+ * The `pick` parameter can be used to stabilize cache keys, by only using a subset of the available parameters and
+ * ensuring key order.
+ *
+ * If the `pick` function is provided, we pass the picked result to the handler, in order for TypeScript to ensure that
+ * the function only relies on the parameters that are used for generating the cache key.
+ *
+ * @NOTE only uses the first parameter for memoization
+ */
+export function withCache(namespace, handler, prepareArg) {
+    const cache = useCache();
+    return (async (arg0, ...args) => {
+        arg0 = prepareArg ? prepareArg(arg0) : arg0;
+        const key = namespace + '-' + getSimpleHash(JSON.stringify(arg0));
+        const cached = await cache.get(key);
+        if (cached !== undefined) {
+            return cached;
+        }
+        const res = await handler(arg0, ...args);
+        cache.set(key, res);
+        return res;
+    });
+}

package/dist/services/access.d.ts

@@ -0,0 +1,10 @@
+import type { Item, PrimaryKey } from '@directus/types';
+import type { AbstractServiceOptions, MutationOptions } from '../types/index.js';
+import { ItemsService } from './items.js';
+export declare class AccessService extends ItemsService {
+    constructor(options: AbstractServiceOptions);
+    private clearCaches;
+    createOne(data: Partial<Item>, opts?: MutationOptions): Promise<PrimaryKey>;
+    updateMany(keys: PrimaryKey[], data: Partial<Item>, opts?: MutationOptions): Promise<PrimaryKey[]>;
+    deleteMany(keys: PrimaryKey[], opts?: MutationOptions): Promise<PrimaryKey[]>;
+}

package/dist/services/access.js

@@ -0,0 +1,43 @@
+import { clearSystemCache } from '../cache.js';
+import { UserIntegrityCheckFlag } from '../utils/validate-user-count-integrity.js';
+import { ItemsService } from './items.js';
+export class AccessService extends ItemsService {
+    constructor(options) {
+        super('directus_access', options);
+    }
+    async clearCaches(opts) {
+        await clearSystemCache({ autoPurgeCache: opts?.autoPurgeCache });
+        if (this.cache && opts?.autoPurgeCache !== false) {
+            await this.cache.clear();
+        }
+    }
+    async createOne(data, opts = {}) {
+        // Creating a new policy attachments affects the number of admin/app/api users.
+        // But it can only add app or admin users, so no need to check the remaining admin users.
+        opts.userIntegrityCheckFlags =
+            (opts.userIntegrityCheckFlags ?? UserIntegrityCheckFlag.None) | UserIntegrityCheckFlag.UserLimits;
+        opts.onRequireUserIntegrityCheck?.(opts.userIntegrityCheckFlags);
+        const result = await super.createOne(data, opts);
+        // A new policy has been attached to a user or a role, clear the caches
+        await this.clearCaches();
+        return result;
+    }
+    async updateMany(keys, data, opts = {}) {
+        // Updating policy attachments might affect the number of admin/app/api users
+        opts.userIntegrityCheckFlags = UserIntegrityCheckFlag.All;
+        opts.onRequireUserIntegrityCheck?.(opts.userIntegrityCheckFlags);
+        const result = await super.updateMany(keys, data, { ...opts, userIntegrityCheckFlags: UserIntegrityCheckFlag.All });
+        // Some policy attachments have been updated, clear the caches
+        await this.clearCaches();
+        return result;
+    }
+    async deleteMany(keys, opts = {}) {
+        // Changes here can affect the number of admin/app/api users
+        opts.userIntegrityCheckFlags = UserIntegrityCheckFlag.All;
+        opts.onRequireUserIntegrityCheck?.(opts.userIntegrityCheckFlags);
+        const result = await super.deleteMany(keys, opts);
+        // Some policy attachments have been deleted, clear the caches
+        await this.clearCaches();
+        return result;
+    }
+}

package/dist/services/activity.js

@@ -3,11 +3,13 @@ import { useEnv } from '@directus/env';
 import { ErrorCode, isDirectusError } from '@directus/errors';
 import { uniq } from 'lodash-es';
 import { useLogger } from '../logger.js';
-import { getPermissions } from '../utils/get-permissions.js';
+import { fetchRolesTree } from '../permissions/lib/fetch-roles-tree.js';
+import { fetchGlobalAccess } from '../permissions/modules/fetch-global-access/fetch-global-access.js';
+import { validateAccess } from '../permissions/modules/validate-access/validate-access.js';
+import { createDefaultAccountability } from '../permissions/utils/create-default-accountability.js';
 import { isValidUuid } from '../utils/is-valid-uuid.js';
 import { Url } from '../utils/url.js';
 import { userName } from '../utils/user-name.js';
-import { AuthorizationService } from './authorization.js';
 import { ItemsService } from './items.js';
 import { NotificationsService } from './notifications.js';
 import { UsersService } from './users.js';
@@ -31,19 +33,29 @@ export class ActivityService extends ItemsService {
             for (const mention of mentions) {
                 const userID = mention.substring(1);
                 const user = await this.usersService.readOne(userID, {
-                    fields: ['id', 'first_name', 'last_name', 'email', 'role.id', 'role.admin_access', 'role.app_access'],
+                    fields: ['id', 'first_name', 'last_name', 'email', 'role'],
                 });
-                const accountability = {
+                const roles = await fetchRolesTree(user['role'], this.knex);
+                const globalAccess = await fetchGlobalAccess({ user: user['id'], roles, ip: null }, this.knex);
+                const accountability = createDefaultAccountability({
                     user: userID,
                     role: user['role']?.id ?? null,
-                    admin: user['role']?.admin_access ?? null,
-                    app: user['role']?.app_access ?? null,
-                };
-                accountability.permissions = await getPermissions(accountability, this.schema);
-                const authorizationService = new AuthorizationService({ schema: this.schema, accountability });
+                    roles,
+                    ...globalAccess,
+                });
                 const usersService = new UsersService({ schema: this.schema, accountability });
                 try {
-                    await authorizationService.checkAccess('read', data['collection'], data['item']);
+                    if (this.accountability) {
+                        await validateAccess({
+                            accountability: this.accountability,
+                            action: 'read',
+                            collection: data['collection'],
+                            primaryKeys: [data['item']],
+                        }, {
+                            knex: this.knex,
+                            schema: this.schema,
+                        });
+                    }
                     const templateData = await usersService.readByQuery({
                         fields: ['id', 'first_name', 'last_name', 'email'],
                         filter: { id: { _in: mentions.map((mention) => mention.substring(1)) } },

package/dist/services/assets.d.ts

@@ -1,15 +1,14 @@
 /// <reference types="node" resolution-mode="require"/>
 import type { Range, Stat } from '@directus/storage';
-import type { Accountability } from '@directus/types';
+import type { Accountability, SchemaOverview } from '@directus/types';
 import type { Knex } from 'knex';
 import type { Readable } from 'node:stream';
 import type { AbstractServiceOptions, TransformationSet } from '../types/index.js';
-import { AuthorizationService } from './authorization.js';
 import { FilesService } from './files.js';
 export declare class AssetsService {
     knex: Knex;
     accountability: Accountability | null;
-    authorizationService: AuthorizationService;
+    schema: SchemaOverview;
     filesService: FilesService;
     constructor(options: AbstractServiceOptions);
     getAsset(id: string, transformation?: TransformationSet, range?: Range): Promise<{

package/dist/services/assets.js

@@ -8,24 +8,24 @@ import sharp from 'sharp';
 import { SUPPORTED_IMAGE_TRANSFORM_FORMATS } from '../constants.js';
 import getDatabase from '../database/index.js';
 import { useLogger } from '../logger.js';
+import { validateAccess } from '../permissions/modules/validate-access/validate-access.js';
 import { getStorage } from '../storage/index.js';
 import { getMilliseconds } from '../utils/get-milliseconds.js';
 import { isValidUuid } from '../utils/is-valid-uuid.js';
 import * as TransformationUtils from '../utils/transformations.js';
-import { AuthorizationService } from './authorization.js';
 import { FilesService } from './files.js';
 const env = useEnv();
 const logger = useLogger();
 export class AssetsService {
     knex;
     accountability;
-    authorizationService;
+    schema;
     filesService;
     constructor(options) {
         this.knex = options.knex || getDatabase();
         this.accountability = options.accountability || null;
+        this.schema = options.schema;
         this.filesService = new FilesService({ ...options, accountability: null });
-        this.authorizationService = new AuthorizationService(options);
     }
     async getAsset(id, transformation, range) {
         const storage = await getStorage();
@@ -41,8 +41,13 @@ export class AssetsService {
          */
         if (!isValidUuid(id))
             throw new ForbiddenError();
-        if (systemPublicKeys.includes(id) === false && this.accountability?.admin !== true) {
-            await this.authorizationService.checkAccess('read', 'directus_files', id);
+        if (systemPublicKeys.includes(id) === false && this.accountability) {
+            await validateAccess({
+                accountability: this.accountability,
+                action: 'read',
+                collection: 'directus_files',
+                primaryKeys: [id],
+            }, { knex: this.knex, schema: this.schema });
         }
         const file = (await this.filesService.readOne(id, { limit: 1 }));
         const exists = await storage.location(file.storage).exists(file.filename_disk);

package/dist/services/authentication.js

@@ -1,3 +1,5 @@
+import { fetchRolesTree } from '../permissions/lib/fetch-roles-tree.js';
+import { fetchGlobalAccess } from '../permissions/modules/fetch-global-access/fetch-global-access.js';
 import { Action } from '@directus/constants';
 import { useEnv } from '@directus/env';
 import { InvalidCredentialsError, InvalidOtpError, InvalidProviderError, ServiceUnavailableError, UserSuspendedError, } from '@directus/errors';
@@ -48,10 +50,9 @@ export class AuthenticationService {
             throw err;
         }
         const user = await this.knex
-            .select('u.id', 'u.first_name', 'u.last_name', 'u.email', 'u.password', 'u.status', 'u.role', 'r.admin_access', 'r.app_access', 'u.tfa_secret', 'u.provider', 'u.external_identifier', 'u.auth_data')
-            .from('directus_users as u')
-            .leftJoin('directus_roles as r', 'u.role', 'r.id')
-            .where('u.id', userId)
+            .select('id', 'first_name', 'last_name', 'email', 'password', 'status', 'role', 'tfa_secret', 'provider', 'external_identifier', 'auth_data')
+            .from('directus_users')
+            .where('id', userId)
             .first();
         const updatedPayload = await emitter.emitFilter('auth.login', payload, {
             status: 'pending',
@@ -138,11 +139,13 @@ export class AuthenticationService {
                 throw new InvalidOtpError();
             }
         }
+        const roles = await fetchRolesTree(user.role, this.knex);
+        const globalAccess = await fetchGlobalAccess({ roles, user: user.id, ip: this.accountability?.ip ?? null }, this.knex);
         const tokenPayload = {
             id: user.id,
             role: user.role,
-            app_access: user.app_access,
-            admin_access: user.admin_access,
+            app_access: globalAccess.app,
+            admin_access: globalAccess.admin,
         };
         const refreshToken = nanoid(64);
         const refreshTokenExpiration = new Date(Date.now() + getMilliseconds(env['REFRESH_TOKEN_TTL'], 0));
@@ -217,9 +220,7 @@ export class AuthenticationService {
             user_provider: 'u.provider',
             user_external_identifier: 'u.external_identifier',
             user_auth_data: 'u.auth_data',
-            role_id: 'r.id',
-            role_admin_access: 'r.admin_access',
-            role_app_access: 'r.app_access',
+            user_role: 'u.role',
             share_id: 'd.id',
             share_item: 'd.item',
             share_role: 'd.role',
@@ -232,9 +233,6 @@ export class AuthenticationService {
             .from('directus_sessions AS s')
             .leftJoin('directus_users AS u', 's.user', 'u.id')
             .leftJoin('directus_shares AS d', 's.share', 'd.id')
-            .leftJoin('directus_roles AS r', (join) => {
-            join.onIn('r.id', [this.knex.ref('u.role'), this.knex.ref('d.role')]);
-        })
             .where('s.token', refreshToken)
             .andWhere('s.expires', '>=', new Date())
             .andWhere((subQuery) => {
@@ -258,6 +256,8 @@ export class AuthenticationService {
                 throw new InvalidCredentialsError();
             }
         }
+        const roles = await fetchRolesTree(record.user_role, this.knex);
+        const globalAccess = await fetchGlobalAccess({ user: record.user_id, roles, ip: this.accountability?.ip ?? null }, this.knex);
         if (record.user_id) {
             const provider = getAuthProvider(record.user_provider);
             await provider.refresh({
@@ -270,9 +270,9 @@ export class AuthenticationService {
                 provider: record.user_provider,
                 external_identifier: record.user_external_identifier,
                 auth_data: record.user_auth_data,
-                role: record.role_id,
-                app_access: record.role_app_access,
-                admin_access: record.role_admin_access,
+                role: record.user_role,
+                app_access: globalAccess.app,
+                admin_access: globalAccess.admin,
             });
         }
         let newRefreshToken = record.session_next_token ?? nanoid(64);
@@ -280,9 +280,9 @@ export class AuthenticationService {
         const refreshTokenExpiration = new Date(Date.now() + getMilliseconds(sessionDuration, 0));
         const tokenPayload = {
             id: record.user_id,
-            role: record.role_id,
-            app_access: record.role_app_access,
-            admin_access: record.role_admin_access,
+            role: record.user_role,
+            app_access: globalAccess.app,
+            admin_access: globalAccess.admin,
         };
         if (options?.session) {
             newRefreshToken = await this.updateStatefulSession(record, refreshToken, newRefreshToken, refreshTokenExpiration);

package/dist/services/collections.js

@@ -9,6 +9,8 @@ import { ALIAS_TYPES } from '../constants.js';
 import { getHelpers } from '../database/helpers/index.js';
 import getDatabase, { getSchemaInspector } from '../database/index.js';
 import emitter from '../emitter.js';
+import { fetchAllowedCollections } from '../permissions/modules/fetch-allowed-collections/fetch-allowed-collections.js';
+import { validateAccess } from '../permissions/modules/validate-access/validate-access.js';
 import { getSchema } from '../utils/get-schema.js';
 import { shouldClearCache } from '../utils/should-clear-cache.js';
 import { transaction } from '../utils/transaction.js';
@@ -223,11 +225,13 @@ export class CollectionsService {
                 ...meta,
                 [item.collection]: item.group,
             }), {});
-            let collectionsYouHavePermissionToRead = this.accountability
-                .permissions.filter((permission) => {
-                return permission.action === 'read';
-            })
-                .map(({ collection }) => collection);
+            let collectionsYouHavePermissionToRead = await fetchAllowedCollections({
+                accountability: this.accountability,
+                action: 'read',
+            }, {
+                knex: this.knex,
+                schema: this.schema,
+            });
             for (const collection of collectionsYouHavePermissionToRead) {
                 const group = collectionsGroups[collection];
                 if (group)
@@ -279,18 +283,15 @@ export class CollectionsService {
      * Read many collections by name
      */
     async readMany(collectionKeys) {
-        if (this.accountability && this.accountability.admin !== true) {
-            const permissions = this.accountability.permissions.filter((permission) => {
-                return permission.action === 'read' && collectionKeys.includes(permission.collection);
-            });
-            if (collectionKeys.length !== permissions.length) {
-                const collectionsYouHavePermissionToRead = permissions.map(({ collection }) => collection);
-                for (const collectionKey of collectionKeys) {
-                    if (collectionsYouHavePermissionToRead.includes(collectionKey) === false) {
-                        throw new ForbiddenError();
-                    }
-                }
-            }
+        if (this.accountability) {
+            await Promise.all(collectionKeys.map((collection) => validateAccess({
+                accountability: this.accountability,
+                action: 'read',
+                collection,
+            }, {
+                schema: this.schema,
+                knex: this.knex,
+            })));
         }
         const collections = await this.readByQuery();
         return collections.filter(({ collection }) => collectionKeys.includes(collection));

package/dist/services/fields.d.ts

@@ -17,7 +17,6 @@ export declare class FieldsService {
     cache: Keyv<any> | null;
     systemCache: Keyv<any>;
     constructor(options: AbstractServiceOptions);
-    private get hasReadAccess();
     readAll(collection?: string): Promise<Field[]>;
     readOne(collection: string, field: string): Promise<Record<string, any>>;
     createField(collection: string, field: Partial<Field> & {

package/dist/services/fields.js

@@ -1,4 +1,4 @@
-import { KNEX_TYPES, REGEX_BETWEEN_PARENS, DEFAULT_NUMERIC_PRECISION, DEFAULT_NUMERIC_SCALE, } from '@directus/constants';
+import { DEFAULT_NUMERIC_PRECISION, DEFAULT_NUMERIC_SCALE, KNEX_TYPES, REGEX_BETWEEN_PARENS, } from '@directus/constants';
 import { ForbiddenError, InvalidPayloadError } from '@directus/errors';
 import { createInspector } from '@directus/schema';
 import { addFieldFlag, toArray } from '@directus/utils';
@@ -9,6 +9,9 @@ import { translateDatabaseError } from '../database/errors/translate.js';
 import { getHelpers } from '../database/helpers/index.js';
 import getDatabase, { getSchemaInspector } from '../database/index.js';
 import emitter from '../emitter.js';
+import { fetchPermissions } from '../permissions/lib/fetch-permissions.js';
+import { fetchPolicies } from '../permissions/lib/fetch-policies.js';
+import { validateAccess } from '../permissions/modules/validate-access/validate-access.js';
 import getDefaultValue from '../utils/get-default-value.js';
 import { getSystemFieldRowsWithAuthProviders } from '../utils/get-field-system-rows.js';
 import getLocalType from '../utils/get-local-type.js';
@@ -42,15 +45,17 @@ export class FieldsService {
         this.cache = cache;
         this.systemCache = systemCache;
     }
-    get hasReadAccess() {
-        return !!this.accountability?.permissions?.find((permission) => {
-            return permission.collection === 'directus_fields' && permission.action === 'read';
-        });
-    }
     async readAll(collection) {
         let fields;
-        if (this.accountability && this.accountability.admin !== true && this.hasReadAccess === false) {
-            throw new ForbiddenError();
+        if (this.accountability) {
+            await validateAccess({
+                accountability: this.accountability,
+                action: 'read',
+                collection: 'directus_fields',
+            }, {
+                schema: this.schema,
+                knex: this.knex,
+            });
         }
         const nonAuthorizedItemsService = new ItemsService('directus_fields', {
             knex: this.knex,
@@ -119,12 +124,27 @@ export class FieldsService {
         const result = [...columnsWithSystem, ...aliasFieldsAsField].filter((field) => knownCollections.includes(field.collection));
         // Filter the result so we only return the fields you have read access to
         if (this.accountability && this.accountability.admin !== true) {
-            const permissions = this.accountability.permissions.filter((permission) => {
-                return permission.action === 'read';
-            });
+            const policies = await fetchPolicies(this.accountability, { knex: this.knex, schema: this.schema });
+            const permissions = await fetchPermissions(collection
+                ? {
+                    action: 'read',
+                    policies,
+                    collections: [collection],
+                    accountability: this.accountability,
+                }
+                : {
+                    action: 'read',
+                    policies,
+                    accountability: this.accountability,
+                }, { knex: this.knex, schema: this.schema });
             const allowedFieldsInCollection = {};
             permissions.forEach((permission) => {
-                allowedFieldsInCollection[permission.collection] = permission.fields ?? [];
+                if (!allowedFieldsInCollection[permission.collection]) {
+                    allowedFieldsInCollection[permission.collection] = new Set();
+                }
+                for (const field of permission.fields ?? []) {
+                    allowedFieldsInCollection[permission.collection].add(field);
+                }
             });
             if (collection && collection in allowedFieldsInCollection === false) {
                 throw new ForbiddenError();
@@ -133,9 +153,9 @@ export class FieldsService {
                 if (field.collection in allowedFieldsInCollection === false)
                     return false;
                 const allowedFields = allowedFieldsInCollection[field.collection];
-                if (allowedFields[0] === '*')
+                if (allowedFields.has('*'))
                     return true;
-                return allowedFields.includes(field.field);
+                return allowedFields.has(field.field);
             });
         }
         // Update specific database type overrides
@@ -152,18 +172,27 @@ export class FieldsService {
     }
     async readOne(collection, field) {
         if (this.accountability && this.accountability.admin !== true) {
-            if (this.hasReadAccess === false) {
-                throw new ForbiddenError();
-            }
-            const permissions = this.accountability.permissions.find((permission) => {
-                return permission.action === 'read' && permission.collection === collection;
+            await validateAccess({
+                accountability: this.accountability,
+                action: 'read',
+                collection,
+            }, {
+                schema: this.schema,
+                knex: this.knex,
             });
-            if (!permissions || !permissions.fields)
+            const policies = await fetchPolicies(this.accountability, { knex: this.knex, schema: this.schema });
+            const permissions = await fetchPermissions({ action: 'read', policies, collections: [collection], accountability: this.accountability }, { knex: this.knex, schema: this.schema });
+            let hasAccess = false;
+            for (const permission of permissions) {
+                if (permission.fields) {
+                    if (permission.fields.includes('*') || permission.fields.includes(field)) {
+                        hasAccess = true;
+                        break;
+                    }
+                }
+            }
+            if (!hasAccess) {
                 throw new ForbiddenError();
-            if (permissions.fields.includes('*') === false) {
-                const allowedFields = permissions.fields;
-                if (allowedFields.includes(field) === false)
-                    throw new ForbiddenError();
             }
         }
         let column = undefined;

package/dist/services/files.d.ts

@@ -25,10 +25,6 @@ export declare class FilesService extends ItemsService {
      * Useful for associating metadata with existing file in storage
      */
     createOne(data: Partial<File>, opts?: MutationOptions): Promise<PrimaryKey>;
-    /**
-     * Delete a file
-     */
-    deleteOne(key: PrimaryKey): Promise<PrimaryKey>;
     /**
      * Delete multiple files
      */

package/dist/services/files.js

@@ -16,6 +16,7 @@ import url from 'url';
 import { SUPPORTED_IMAGE_METADATA_FORMATS } from '../constants.js';
 import emitter from '../emitter.js';
 import { useLogger } from '../logger.js';
+import { validateAccess } from '../permissions/modules/validate-access/validate-access.js';
 import { getAxios } from '../request/index.js';
 import { getStorage } from '../storage/index.js';
 import { parseIptc, parseXmp } from '../utils/parse-image-metadata.js';
@@ -276,9 +277,15 @@ export class FilesService extends ItemsService {
      * Import a single file from an external URL
      */
     async importOne(importURL, body) {
-        const fileCreatePermissions = this.accountability?.permissions?.find((permission) => permission.collection === 'directus_files' && permission.action === 'create');
-        if (this.accountability && this.accountability?.admin !== true && !fileCreatePermissions) {
-            throw new ForbiddenError();
+        if (this.accountability) {
+            await validateAccess({
+                accountability: this.accountability,
+                action: 'create',
+                collection: 'directus_files',
+            }, {
+                knex: this.knex,
+                schema: this.schema,
+            });
         }
         let fileResponse;
         try {
@@ -318,13 +325,6 @@ export class FilesService extends ItemsService {
         const key = await super.createOne(data, opts);
         return key;
     }
-    /**
-     * Delete a file
-     */
-    async deleteOne(key) {
-        await this.deleteMany([key]);
-        return key;
-    }
     /**
      * Delete multiple files
      */

package/dist/services/flows.d.ts

@@ -4,8 +4,6 @@ import { ItemsService } from './items.js';
 export declare class FlowsService extends ItemsService<FlowRaw> {
     constructor(options: AbstractServiceOptions);
     createOne(data: Partial<Item>, opts?: MutationOptions): Promise<PrimaryKey>;
-    createMany(data: Partial<Item>[], opts?: MutationOptions): Promise<PrimaryKey[]>;
-    updateBatch(data: Partial<Item>[], opts?: MutationOptions): Promise<PrimaryKey[]>;
     updateMany(keys: PrimaryKey[], data: Partial<Item>, opts?: MutationOptions): Promise<PrimaryKey[]>;
     deleteMany(keys: PrimaryKey[], opts?: MutationOptions): Promise<PrimaryKey[]>;
 }

package/dist/services/flows.js

@@ -5,34 +5,22 @@ export class FlowsService extends ItemsService {
         super('directus_flows', options);
     }
     async createOne(data, opts) {
-        const flowManager = getFlowManager();
         const result = await super.createOne(data, opts);
-        await flowManager.reload();
-        return result;
-    }
-    async createMany(data, opts) {
-        const flowManager = getFlowManager();
-        const result = await super.createMany(data, opts);
-        await flowManager.reload();
-        return result;
-    }
-    async updateBatch(data, opts) {
         const flowManager = getFlowManager();
-        const result = await super.updateBatch(data, opts);
         await flowManager.reload();
         return result;
     }
     async updateMany(keys, data, opts) {
-        const flowManager = getFlowManager();
         const result = await super.updateMany(keys, data, opts);
+        const flowManager = getFlowManager();
         await flowManager.reload();
         return result;
     }
     async deleteMany(keys, opts) {
-        const flowManager = getFlowManager();
         // this is to prevent foreign key constraint error on directus_operations resolve/reject during cascade deletion
         await this.knex('directus_operations').update({ resolve: null, reject: null }).whereIn('flow', keys);
         const result = await super.deleteMany(keys, opts);
+        const flowManager = getFlowManager();
         await flowManager.reload();
         return result;
     }

package/dist/services/graphql/index.d.ts

@@ -20,9 +20,9 @@ export declare class GraphQLService {
     /**
      * Generate the GraphQL schema. Pulls from the schema information generated by the get-schema util.
      */
-    getSchema(): GraphQLSchema;
-    getSchema(type: 'schema'): GraphQLSchema;
-    getSchema(type: 'sdl'): GraphQLSchema | string;
+    getSchema(): Promise<GraphQLSchema>;
+    getSchema(type: 'schema'): Promise<GraphQLSchema>;
+    getSchema(type: 'sdl'): Promise<GraphQLSchema | string>;
     /**
      * Generic resolver that's used for every "regular" items/system query. Converts the incoming GraphQL AST / fragments into
      * Directus' query structure which is then executed by the services.