npm - @directus/api - Versions diffs - 19.3.1 → 20.0.0-rc.0 - Mend

@directus/api 19.3.1 → 20.0.0-rc.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (285) hide show

package/dist/services/graphql/index.js CHANGED Viewed

@@ -11,6 +11,9 @@ import { clearSystemCache, getCache } from '../../cache.js';
 import { DEFAULT_AUTH_PROVIDER, GENERATE_SPECIAL, REFRESH_COOKIE_OPTIONS, SESSION_COOKIE_OPTIONS, } from '../../constants.js';
 import getDatabase from '../../database/index.js';
 import { rateLimiter } from '../../middleware/rate-limiter-registration.js';
+import { fetchAllowedFieldMap } from '../../permissions/modules/fetch-allowed-field-map/fetch-allowed-field-map.js';
+import { fetchInconsistentFieldMap } from '../../permissions/modules/fetch-inconsistent-field-map/fetch-inconsistent-field-map.js';
+import { createDefaultAccountability } from '../../permissions/utils/create-default-accountability.js';
 import { generateHash } from '../../utils/generate-hash.js';
 import { getGraphQLType } from '../../utils/get-graphql-type.js';
 import { getIPFromReq } from '../../utils/get-ip-from-req.js';
@@ -48,6 +51,9 @@ import { GraphQLVoid } from './types/void.js';
 import { addPathToValidationError } from './utils/add-path-to-validation-error.js';
 import processError from './utils/process-error.js';
 import { sanitizeGraphqlSchema } from './utils/sanitize-gql-schema.js';
+import { fetchAccountabilityCollectionAccess } from '../../permissions/modules/fetch-accountability-collection-access/fetch-accountability-collection-access.js';
+import { fetchAccountabilityPolicyGlobals } from '../../permissions/modules/fetch-accountability-policy-globals/fetch-accountability-policy-globals.js';
+import { RolesService } from '../roles.js';
 const env = useEnv();
 const validationRules = Array.from(specifiedRules);
 if (env['GRAPHQL_INTROSPECTION'] === false) {
@@ -80,7 +86,7 @@ export class GraphQLService {
      * Execute a GraphQL structure
      */
     async execute({ document, variables, operationName, contextValue, }) {
-        const schema = this.getSchema();
+        const schema = await this.getSchema();
         const validationErrors = validate(schema, document, validationRules).map((validationError) => addPathToValidationError(validationError));
         if (validationErrors.length > 0) {
             throw new GraphQLValidationError({ errors: validationErrors });
@@ -108,7 +114,7 @@ export class GraphQLService {
             formattedResult.extensions = result['extensions'];
         return formattedResult;
     }
-    getSchema(type = 'schema') {
+    async getSchema(type = 'schema') {
         const key = `${this.scope}_${type}_${this.accountability?.role}_${this.accountability?.user}`;
         const cachedSchema = cache.get(key);
         if (cachedSchema)
@@ -116,20 +122,53 @@ export class GraphQLService {
         // eslint-disable-next-line @typescript-eslint/no-this-alias
         const self = this;
         const schemaComposer = new SchemaComposer();
+        let schema;
         const sanitizedSchema = sanitizeGraphqlSchema(this.schema);
-        const schema = {
-            read: this.accountability?.admin === true
-                ? sanitizedSchema
-                : reduceSchema(sanitizedSchema, this.accountability?.permissions || null, ['read']),
-            create: this.accountability?.admin === true
-                ? sanitizedSchema
-                : reduceSchema(sanitizedSchema, this.accountability?.permissions || null, ['create']),
-            update: this.accountability?.admin === true
-                ? sanitizedSchema
-                : reduceSchema(sanitizedSchema, this.accountability?.permissions || null, ['update']),
-            delete: this.accountability?.admin === true
-                ? sanitizedSchema
-                : reduceSchema(sanitizedSchema, this.accountability?.permissions || null, ['delete']),
+        if (!this.accountability || this.accountability.admin) {
+            schema = {
+                read: sanitizedSchema,
+                create: sanitizedSchema,
+                update: sanitizedSchema,
+                delete: sanitizedSchema,
+            };
+        }
+        else {
+            schema = {
+                read: reduceSchema(sanitizedSchema, await fetchAllowedFieldMap({
+                    accountability: this.accountability,
+                    action: 'read',
+                }, { schema: this.schema, knex: this.knex })),
+                create: reduceSchema(sanitizedSchema, await fetchAllowedFieldMap({
+                    accountability: this.accountability,
+                    action: 'create',
+                }, { schema: this.schema, knex: this.knex })),
+                update: reduceSchema(sanitizedSchema, await fetchAllowedFieldMap({
+                    accountability: this.accountability,
+                    action: 'update',
+                }, { schema: this.schema, knex: this.knex })),
+                delete: reduceSchema(sanitizedSchema, await fetchAllowedFieldMap({
+                    accountability: this.accountability,
+                    action: 'delete',
+                }, { schema: this.schema, knex: this.knex })),
+            };
+        }
+        const inconsistentFields = {
+            read: await fetchInconsistentFieldMap({
+                accountability: this.accountability,
+                action: 'read',
+            }, { schema: this.schema, knex: this.knex }),
+            create: await fetchInconsistentFieldMap({
+                accountability: this.accountability,
+                action: 'create',
+            }, { schema: this.schema, knex: this.knex }),
+            update: await fetchInconsistentFieldMap({
+                accountability: this.accountability,
+                action: 'update',
+            }, { schema: this.schema, knex: this.knex }),
+            delete: await fetchInconsistentFieldMap({
+                accountability: this.accountability,
+                action: 'delete',
+            }, { schema: this.schema, knex: this.knex }),
         };
         const subscriptionEventType = schemaComposer.createEnumTC({
             name: 'EventEnum',
@@ -300,16 +339,18 @@ export class GraphQLService {
                     name: action === 'read' ? collection.collection : `${action}_${collection.collection}`,
                     fields: Object.values(collection.fields).reduce((acc, field) => {
                         let type = getGraphQLType(field.type, field.special);
+                        const fieldIsInconsistent = inconsistentFields[action][collection.collection]?.includes(field.field);
                         // GraphQL doesn't differentiate between not-null and has-to-be-submitted. We
                         // can't non-null in update, as that would require every not-nullable field to be
                         // submitted on updates
                         if (field.nullable === false &&
                             !field.defaultValue &&
                             !GENERATE_SPECIAL.some((flag) => field.special.includes(flag)) &&
+                            fieldIsInconsistent === false &&
                             action !== 'update') {
                             type = new GraphQLNonNull(type);
                         }
-                        if (collection.primary === field.field) {
+                        if (collection.primary === field.field && fieldIsInconsistent === false) {
                             // permissions IDs need to be nullable https://github.com/directus/directus/issues/20509
                             if (collection.collection === 'directus_permissions') {
                                 type = GraphQLID;
@@ -1762,7 +1803,7 @@ export class GraphQLService {
                         accountability: this.accountability,
                         scope: args['scope'] ?? 'items',
                     });
-                    return service.getSchema('sdl');
+                    return await service.getSchema('sdl');
                 },
             },
             server_ping: {
@@ -1815,7 +1856,7 @@ export class GraphQLService {
                     otp: GraphQLString,
                 },
                 resolve: async (_, args, { req, res }) => {
-                    const accountability = { role: null };
+                    const accountability = createDefaultAccountability();
                     if (req?.ip)
                         accountability.ip = req.ip;
                     const userAgent = req?.get('user-agent');
@@ -1855,7 +1896,7 @@ export class GraphQLService {
                     mode: AuthMode,
                 },
                 resolve: async (_, args, { req, res }) => {
-                    const accountability = { role: null };
+                    const accountability = createDefaultAccountability();
                     if (req?.ip)
                         accountability.ip = req.ip;
                     const userAgent = req?.get('user-agent');
@@ -1913,7 +1954,7 @@ export class GraphQLService {
                     mode: AuthMode,
                 },
                 resolve: async (_, args, { req, res }) => {
-                    const accountability = { role: null };
+                    const accountability = createDefaultAccountability();
                     if (req?.ip)
                         accountability.ip = req.ip;
                     const userAgent = req?.get('user-agent');
@@ -1963,7 +2004,7 @@ export class GraphQLService {
                     reset_url: GraphQLString,
                 },
                 resolve: async (_, args, { req }) => {
-                    const accountability = { role: null };
+                    const accountability = createDefaultAccountability();
                     if (req?.ip)
                         accountability.ip = req.ip;
                     const userAgent = req?.get('user-agent');
@@ -1991,7 +2032,7 @@ export class GraphQLService {
                     password: new GraphQLNonNull(GraphQLString),
                 },
                 resolve: async (_, args, { req }) => {
-                    const accountability = { role: null };
+                    const accountability = createDefaultAccountability();
                     if (req?.ip)
                         accountability.ip = req.ip;
                     const userAgent = req?.get('user-agent');
@@ -2632,6 +2673,69 @@ export class GraphQLService {
                 },
             });
         }
+        if ('directus_permissions' in schema.read.collections) {
+            schemaComposer.Query.addFields({
+                permissions_me: {
+                    type: schemaComposer.createScalarTC({
+                        name: 'permissions_me_type',
+                        parseValue: (value) => value,
+                        serialize: (value) => value,
+                    }),
+                    resolve: async (_, _args, __, _info) => {
+                        if (!this.accountability?.user && !this.accountability?.role)
+                            return null;
+                        const result = await fetchAccountabilityCollectionAccess(this.accountability, {
+                            schema: this.schema,
+                            knex: getDatabase(),
+                        });
+                        return result;
+                    },
+                },
+            });
+        }
+        if ('directus_roles' in schema.read.collections) {
+            schemaComposer.Query.addFields({
+                roles_me: {
+                    type: ReadCollectionTypes['directus_roles'].List,
+                    resolve: async (_, args, __, info) => {
+                        if (!this.accountability?.user && !this.accountability?.role)
+                            return null;
+                        const service = new RolesService({
+                            accountability: this.accountability,
+                            schema: this.schema,
+                        });
+                        const selections = this.replaceFragmentsInSelections(info.fieldNodes[0]?.selectionSet?.selections, info.fragments);
+                        const query = this.getQuery(args, selections || [], info.variableValues);
+                        query.limit = -1;
+                        const roles = await service.readMany(this.accountability.roles, query);
+                        return roles;
+                    },
+                },
+            });
+        }
+        if ('directus_policies' in schema.read.collections) {
+            schemaComposer.Query.addFields({
+                policies_me_globals: {
+                    type: schemaComposer.createObjectTC({
+                        name: 'policy_me_globals_type',
+                        fields: {
+                            enforce_tfa: 'Boolean',
+                            app_access: 'Boolean',
+                            admin_access: 'Boolean',
+                        },
+                    }),
+                    resolve: async (_, _args, __, _info) => {
+                        if (!this.accountability?.user && !this.accountability?.role)
+                            return null;
+                        const result = await fetchAccountabilityPolicyGlobals(this.accountability, {
+                            schema: this.schema,
+                            knex: getDatabase(),
+                        });
+                        return result;
+                    },
+                },
+            });
+        }
         if ('directus_users' in schema.update.collections && this.accountability?.user) {
             schemaComposer.Mutation.addFields({
                 update_users_me: {

package/dist/services/graphql/subscription.js CHANGED Viewed

@@ -1,7 +1,6 @@
 import { EventEmitter, on } from 'events';
 import { useBus } from '../../bus/index.js';
 import { getSchema } from '../../utils/get-schema.js';
-import { refreshAccountability } from '../../websocket/authenticate.js';
 import { getPayload } from '../../websocket/utils/items.js';
 const messages = createPubSub(new EventEmitter());
 export function bindPubSub() {
@@ -19,7 +18,6 @@ export function createSubscriptionGenerator(self, event) {
             if ('event' in args && eventData['action'] !== args['event']) {
                 continue; // skip filtered events
             }
-            const accountability = await refreshAccountability(self.accountability);
             const schema = await getSchema();
             const subscription = {
                 collection: eventData['collection'],
@@ -35,7 +33,7 @@ export function createSubscriptionGenerator(self, event) {
             if (eventData['action'] === 'create') {
                 try {
                     subscription.item = eventData['key'];
-                    const result = await getPayload(subscription, accountability, schema, eventData);
+                    const result = await getPayload(subscription, self.accountability, schema, eventData);
                     yield {
                         [event]: {
                             key: eventData['key'],
@@ -52,7 +50,7 @@ export function createSubscriptionGenerator(self, event) {
                 for (const key of eventData['keys']) {
                     try {
                         subscription.item = key;
-                        const result = await getPayload(subscription, accountability, schema, eventData);
+                        const result = await getPayload(subscription, self.accountability, schema, eventData);
                         yield {
                             [event]: {
                                 key,

package/dist/services/import-export.js CHANGED Viewed

@@ -15,12 +15,13 @@ import StreamArray from 'stream-json/streamers/StreamArray.js';
 import getDatabase from '../database/index.js';
 import emitter from '../emitter.js';
 import { useLogger } from '../logger.js';
+import { validateAccess } from '../permissions/modules/validate-access/validate-access.js';
 import { getDateFormatted } from '../utils/get-date-formatted.js';
+import { getService } from '../utils/get-service.js';
 import { transaction } from '../utils/transaction.js';
 import { Url } from '../utils/url.js';
 import { userName } from '../utils/user-name.js';
 import { FilesService } from './files.js';
-import { ItemsService } from './items.js';
 import { NotificationsService } from './notifications.js';
 import { UsersService } from './users.js';
 const env = useEnv();
@@ -37,10 +38,23 @@ export class ImportService {
     async import(collection, mimetype, stream) {
         if (this.accountability?.admin !== true && isSystemCollection(collection))
             throw new ForbiddenError();
-        const createPermissions = this.accountability?.permissions?.find((permission) => permission.collection === collection && permission.action === 'create');
-        const updatePermissions = this.accountability?.permissions?.find((permission) => permission.collection === collection && permission.action === 'update');
-        if (this.accountability?.admin !== true && (!createPermissions || !updatePermissions)) {
-            throw new ForbiddenError();
+        if (this.accountability) {
+            await validateAccess({
+                accountability: this.accountability,
+                action: 'create',
+                collection,
+            }, {
+                schema: this.schema,
+                knex: this.knex,
+            });
+            await validateAccess({
+                accountability: this.accountability,
+                action: 'update',
+                collection,
+            }, {
+                schema: this.schema,
+                knex: this.knex,
+            });
         }
         switch (mimetype) {
             case 'application/json':
@@ -52,11 +66,11 @@ export class ImportService {
                 throw new UnsupportedMediaTypeError({ mediaType: mimetype, where: 'file import' });
         }
     }
-    importJSON(collection, stream) {
+    async importJSON(collection, stream) {
         const extractJSON = StreamArray.withParser();
         const nestedActionEvents = [];
         return transaction(this.knex, (trx) => {
-            const service = new ItemsService(collection, {
+            const service = getService(collection, {
                 knex: trx,
                 schema: this.schema,
                 accountability: this.accountability,
@@ -94,7 +108,7 @@ export class ImportService {
             throw new Error('Failed to create temporary file for import');
         const nestedActionEvents = [];
         return transaction(this.knex, (trx) => {
-            const service = new ItemsService(collection, {
+            const service = getService(collection, {
                 knex: trx,
                 schema: this.schema,
                 accountability: this.accountability,
@@ -213,7 +227,7 @@ export class ExportService {
             };
             const database = getDatabase();
             await transaction(database, async (trx) => {
-                const service = new ItemsService(collection, {
+                const service = getService(collection, {
                     accountability: this.accountability,
                     schema: this.schema,
                     knex: trx,

package/dist/services/index.d.ts CHANGED Viewed

@@ -1,7 +1,7 @@
+export * from './access.js';
 export * from './activity.js';
 export * from './assets.js';
 export * from './authentication.js';
-export * from './authorization.js';
 export * from './collections.js';
 export * from './dashboards.js';
 export * from './extensions.js';
@@ -18,7 +18,8 @@ export * from './notifications.js';
 export * from './operations.js';
 export * from './panels.js';
 export * from './payload.js';
-export * from './permissions/index.js';
+export * from './permissions.js';
+export * from './policies.js';
 export * from './presets.js';
 export * from './relations.js';
 export * from './revisions.js';

package/dist/services/index.js CHANGED Viewed

@@ -1,7 +1,7 @@
+export * from './access.js';
 export * from './activity.js';
 export * from './assets.js';
 export * from './authentication.js';
-export * from './authorization.js';
 export * from './collections.js';
 export * from './dashboards.js';
 export * from './extensions.js';
@@ -18,7 +18,8 @@ export * from './notifications.js';
 export * from './operations.js';
 export * from './panels.js';
 export * from './payload.js';
-export * from './permissions/index.js';
+export * from './permissions.js';
+export * from './policies.js';
 export * from './presets.js';
 export * from './relations.js';
 export * from './revisions.js';

package/dist/services/items.d.ts CHANGED Viewed

@@ -19,6 +19,10 @@ export declare class ItemsService<Item extends AnyItem = AnyItem> implements Abs
     schema: SchemaOverview;
     cache: Keyv<any> | null;
     constructor(collection: string, options: AbstractServiceOptions);
+    /**
+     * Create a fork of the current service, allowing instantiation with different options.
+     */
+    private fork;
     createMutationTracker(initialCount?: number): MutationTracker;
     getKeysByQuery(query: Query): Promise<PrimaryKey[]>;
     /**
@@ -27,62 +31,84 @@ export declare class ItemsService<Item extends AnyItem = AnyItem> implements Abs
     createOne(data: Partial<Item>, opts?: MutationOptions): Promise<PrimaryKey>;
     /**
      * Create multiple new items at once. Inserts all provided records sequentially wrapped in a transaction.
+     *
+     * Uses `this.createOne` under the hood.
      */
     createMany(data: Partial<Item>[], opts?: MutationOptions): Promise<PrimaryKey[]>;
     /**
-     * Get items by query
+     * Get items by query.
      */
     readByQuery(query: Query, opts?: QueryOptions): Promise<Item[]>;
     /**
-     * Get single item by primary key
+     * Get single item by primary key.
+     *
+     * Uses `this.readByQuery` under the hood.
      */
     readOne(key: PrimaryKey, query?: Query, opts?: QueryOptions): Promise<Item>;
     /**
-     * Get multiple items by primary keys
+     * Get multiple items by primary keys.
+     *
+     * Uses `this.readByQuery` under the hood.
      */
     readMany(keys: PrimaryKey[], query?: Query, opts?: QueryOptions): Promise<Item[]>;
     /**
-     * Update multiple items by query
+     * Update multiple items by query.
+     *
+     * Uses `this.updateMany` under the hood.
      */
     updateByQuery(query: Query, data: Partial<Item>, opts?: MutationOptions): Promise<PrimaryKey[]>;
     /**
-     * Update a single item by primary key
+     * Update a single item by primary key.
+     *
+     * Uses `this.updateMany` under the hood.
      */
     updateOne(key: PrimaryKey, data: Partial<Item>, opts?: MutationOptions): Promise<PrimaryKey>;
     /**
-     * Update multiple items in a single transaction
+     * Update multiple items in a single transaction.
+     *
+     * Uses `this.updateOne` under the hood.
      */
     updateBatch(data: Partial<Item>[], opts?: MutationOptions): Promise<PrimaryKey[]>;
     /**
-     * Update many items by primary key, setting all items to the same change
+     * Update many items by primary key, setting all items to the same change.
      */
     updateMany(keys: PrimaryKey[], data: Partial<Item>, opts?: MutationOptions): Promise<PrimaryKey[]>;
     /**
-     * Upsert a single item
+     * Upsert a single item.
+     *
+     * Uses `this.createOne` / `this.updateOne` under the hood.
      */
     upsertOne(payload: Partial<Item>, opts?: MutationOptions): Promise<PrimaryKey>;
     /**
-     * Upsert many items
+     * Upsert many items.
+     *
+     * Uses `this.upsertOne` under the hood.
      */
     upsertMany(payloads: Partial<Item>[], opts?: MutationOptions): Promise<PrimaryKey[]>;
     /**
-     * Delete multiple items by query
+     * Delete multiple items by query.
+     *
+     * Uses `this.deleteMany` under the hood.
      */
     deleteByQuery(query: Query, opts?: MutationOptions): Promise<PrimaryKey[]>;
     /**
-     * Delete a single item by primary key
+     * Delete a single item by primary key.
+     *
+     * Uses `this.deleteMany` under the hood.
      */
     deleteOne(key: PrimaryKey, opts?: MutationOptions): Promise<PrimaryKey>;
     /**
-     * Delete multiple items by primary key
+     * Delete multiple items by primary key.
      */
     deleteMany(keys: PrimaryKey[], opts?: MutationOptions): Promise<PrimaryKey[]>;
     /**
-     * Read/treat collection as singleton
+     * Read/treat collection as singleton.
      */
     readSingleton(query: Query, opts?: QueryOptions): Promise<Partial<Item>>;
     /**
-     * Upsert/treat collection as singleton
+     * Upsert/treat collection as singleton.
+     *
+     * Uses `this.createOne` / `this.updateOne` under the hood.
      */
     upsertSingleton(data: Partial<Item>, opts?: MutationOptions): Promise<PrimaryKey>;
 }