npm - @directus/api - Versions diffs - 20.0.0-rc.0 → 20.0.0 - Mend

@directus/api 20.0.0-rc.0 → 20.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (291) hide show

package/dist/services/payload.js CHANGED Viewed

@@ -9,7 +9,6 @@ import { parse as wktToGeoJSON } from 'wellknown';
 import { getHelpers } from '../database/helpers/index.js';
 import getDatabase from '../database/index.js';
 import { generateHash } from '../utils/generate-hash.js';
-import { UserIntegrityCheckFlag } from '../utils/validate-user-count-integrity.js';
 /**
  * Process a given payload for a collection to ensure the special fields (hash, uuid, date etc) are
  * handled correctly.
@@ -318,7 +317,6 @@ export class PayloadService {
             return relation.collection === this.collection;
         });
         const revisions = [];
-        let userIntegrityCheckFlags = UserIntegrityCheckFlag.None;
         const nestedActionEvents = [];
         const payload = cloneDeep(data);
         // Only process related records that are actually in the payload
@@ -364,7 +362,6 @@ export class PayloadService {
                 if (Object.keys(fieldsToUpdate).length > 0) {
                     await service.updateOne(relatedPrimaryKey, relatedRecord, {
                         onRevisionCreate: (pk) => revisions.push(pk),
-                        onRequireUserIntegrityCheck: (flags) => (userIntegrityCheckFlags |= flags),
                         bypassEmitAction: (params) => opts?.bypassEmitAction ? opts.bypassEmitAction(params) : nestedActionEvents.push(params),
                         emitEvents: opts?.emitEvents,
                         mutationTracker: opts?.mutationTracker,
@@ -374,7 +371,6 @@ export class PayloadService {
             else {
                 relatedPrimaryKey = await service.createOne(relatedRecord, {
                     onRevisionCreate: (pk) => revisions.push(pk),
-                    onRequireUserIntegrityCheck: (flags) => (userIntegrityCheckFlags |= flags),
                     bypassEmitAction: (params) => opts?.bypassEmitAction ? opts.bypassEmitAction(params) : nestedActionEvents.push(params),
                     emitEvents: opts?.emitEvents,
                     mutationTracker: opts?.mutationTracker,
@@ -383,7 +379,7 @@ export class PayloadService {
             // Overwrite the nested object with just the primary key, so the parent level can be saved correctly
             payload[relation.field] = relatedPrimaryKey;
         }
-        return { payload, revisions, nestedActionEvents, userIntegrityCheckFlags };
+        return { payload, revisions, nestedActionEvents };
     }
     /**
      * Save/update all nested related m2o items inside the payload
@@ -392,7 +388,6 @@ export class PayloadService {
         const payload = cloneDeep(data);
         // All the revisions saved on this level
         const revisions = [];
-        let userIntegrityCheckFlags = UserIntegrityCheckFlag.None;
         const nestedActionEvents = [];
         // Many to one relations that exist on the current collection
         const relations = this.schema.relations.filter((relation) => {
@@ -429,7 +424,6 @@ export class PayloadService {
                 if (Object.keys(fieldsToUpdate).length > 0) {
                     await service.updateOne(relatedPrimaryKey, relatedRecord, {
                         onRevisionCreate: (pk) => revisions.push(pk),
-                        onRequireUserIntegrityCheck: (flags) => (userIntegrityCheckFlags |= flags),
                         bypassEmitAction: (params) => opts?.bypassEmitAction ? opts.bypassEmitAction(params) : nestedActionEvents.push(params),
                         emitEvents: opts?.emitEvents,
                         mutationTracker: opts?.mutationTracker,
@@ -439,7 +433,6 @@ export class PayloadService {
             else {
                 relatedPrimaryKey = await service.createOne(relatedRecord, {
                     onRevisionCreate: (pk) => revisions.push(pk),
-                    onRequireUserIntegrityCheck: (flags) => (userIntegrityCheckFlags |= flags),
                     bypassEmitAction: (params) => opts?.bypassEmitAction ? opts.bypassEmitAction(params) : nestedActionEvents.push(params),
                     emitEvents: opts?.emitEvents,
                     mutationTracker: opts?.mutationTracker,
@@ -448,14 +441,13 @@ export class PayloadService {
             // Overwrite the nested object with just the primary key, so the parent level can be saved correctly
             payload[relation.field] = relatedPrimaryKey;
         }
-        return { payload, revisions, nestedActionEvents, userIntegrityCheckFlags };
+        return { payload, revisions, nestedActionEvents };
     }
     /**
      * Recursively save/update all nested related o2m items
      */
     async processO2M(data, parent, opts) {
         const revisions = [];
-        let userIntegrityCheckFlags = UserIntegrityCheckFlag.None;
         const nestedActionEvents = [];
         const relations = this.schema.relations.filter((relation) => {
             return relation.related_collection === this.collection;
@@ -524,7 +516,6 @@ export class PayloadService {
                 }
                 savedPrimaryKeys.push(...(await service.upsertMany(recordsToUpsert, {
                     onRevisionCreate: (pk) => revisions.push(pk),
-                    onRequireUserIntegrityCheck: (flags) => (userIntegrityCheckFlags |= flags),
                     bypassEmitAction: (params) => opts?.bypassEmitAction ? opts.bypassEmitAction(params) : nestedActionEvents.push(params),
                     emitEvents: opts?.emitEvents,
                     mutationTracker: opts?.mutationTracker,
@@ -549,7 +540,6 @@ export class PayloadService {
                 if (relation.meta.one_deselect_action === 'delete') {
                     // There's no revision for a deletion
                     await service.deleteByQuery(query, {
-                        onRequireUserIntegrityCheck: (flags) => (userIntegrityCheckFlags |= flags),
                         bypassEmitAction: (params) => opts?.bypassEmitAction ? opts.bypassEmitAction(params) : nestedActionEvents.push(params),
                         emitEvents: opts?.emitEvents,
                         mutationTracker: opts?.mutationTracker,
@@ -558,7 +548,6 @@ export class PayloadService {
                 else {
                     await service.updateByQuery(query, { [relation.field]: null }, {
                         onRevisionCreate: (pk) => revisions.push(pk),
-                        onRequireUserIntegrityCheck: (flags) => (userIntegrityCheckFlags |= flags),
                         bypassEmitAction: (params) => opts?.bypassEmitAction ? opts.bypassEmitAction(params) : nestedActionEvents.push(params),
                         emitEvents: opts?.emitEvents,
                         mutationTracker: opts?.mutationTracker,
@@ -601,7 +590,6 @@ export class PayloadService {
                     }
                     await service.createMany(createPayload, {
                         onRevisionCreate: (pk) => revisions.push(pk),
-                        onRequireUserIntegrityCheck: (flags) => (userIntegrityCheckFlags |= flags),
                         bypassEmitAction: (params) => opts?.bypassEmitAction ? opts.bypassEmitAction(params) : nestedActionEvents.push(params),
                         emitEvents: opts?.emitEvents,
                         mutationTracker: opts?.mutationTracker,
@@ -615,7 +603,6 @@ export class PayloadService {
                             [relation.field]: parent || payload[currentPrimaryKeyField],
                         }, {
                             onRevisionCreate: (pk) => revisions.push(pk),
-                            onRequireUserIntegrityCheck: (flags) => (userIntegrityCheckFlags |= flags),
                             bypassEmitAction: (params) => opts?.bypassEmitAction ? opts.bypassEmitAction(params) : nestedActionEvents.push(params),
                             emitEvents: opts?.emitEvents,
                             mutationTracker: opts?.mutationTracker,
@@ -641,7 +628,6 @@ export class PayloadService {
                     };
                     if (relation.meta.one_deselect_action === 'delete') {
                         await service.deleteByQuery(query, {
-                            onRequireUserIntegrityCheck: (flags) => (userIntegrityCheckFlags |= flags),
                             bypassEmitAction: (params) => opts?.bypassEmitAction ? opts.bypassEmitAction(params) : nestedActionEvents.push(params),
                             emitEvents: opts?.emitEvents,
                             mutationTracker: opts?.mutationTracker,
@@ -650,7 +636,6 @@ export class PayloadService {
                     else {
                         await service.updateByQuery(query, { [relation.field]: null }, {
                             onRevisionCreate: (pk) => revisions.push(pk),
-                            onRequireUserIntegrityCheck: (flags) => (userIntegrityCheckFlags |= flags),
                             bypassEmitAction: (params) => opts?.bypassEmitAction ? opts.bypassEmitAction(params) : nestedActionEvents.push(params),
                             emitEvents: opts?.emitEvents,
                             mutationTracker: opts?.mutationTracker,
@@ -659,7 +644,7 @@ export class PayloadService {
                 }
             }
         }
-        return { revisions, nestedActionEvents, userIntegrityCheckFlags };
+        return { revisions, nestedActionEvents };
     }
     /**
      * Transforms the input partial payload to match the output structure, to have consistency

package/dist/services/{permissions.d.ts → permissions/index.d.ts} RENAMED Viewed

@@ -1,10 +1,12 @@
-import type { Item, ItemPermissions, PrimaryKey, Query } from '@directus/types';
-import type { AbstractServiceOptions, MutationOptions } from '../types/index.js';
-import type { QueryOptions } from './items.js';
-import { ItemsService } from './items.js';
+import type { Item, ItemPermissions, PermissionsAction, PrimaryKey, Query } from '@directus/types';
+import type Keyv from 'keyv';
+import type { AbstractServiceOptions, MutationOptions } from '../../types/index.js';
+import type { QueryOptions } from '../items.js';
+import { ItemsService } from '../items.js';
 export declare class PermissionsService extends ItemsService {
+    systemCache: Keyv<any>;
     constructor(options: AbstractServiceOptions);
-    private clearCaches;
+    getAllowedFields(action: PermissionsAction, collection?: string): Record<string, string[]>;
     readByQuery(query: Query, opts?: QueryOptions): Promise<Partial<Item>[]>;
     createOne(data: Partial<Item>, opts?: MutationOptions): Promise<PrimaryKey>;
     createMany(data: Partial<Item>[], opts?: MutationOptions): Promise<PrimaryKey[]>;

package/dist/services/{permissions.js → permissions/index.js} RENAMED Viewed

@@ -1,17 +1,32 @@
 import { ForbiddenError } from '@directus/errors';
-import { clearSystemCache } from '../cache.js';
-import { withAppMinimalPermissions } from '../permissions/lib/with-app-minimal-permissions.js';
-import { validateAccess } from '../permissions/modules/validate-access/validate-access.js';
-import { ItemsService } from './items.js';
+import { clearSystemCache, getCache } from '../../cache.js';
+import { AuthorizationService } from '../authorization.js';
+import { ItemsService } from '../items.js';
+import { withAppMinimalPermissions } from './lib/with-app-minimal-permissions.js';
 export class PermissionsService extends ItemsService {
+    systemCache;
     constructor(options) {
         super('directus_permissions', options);
+        const { systemCache } = getCache();
+        this.systemCache = systemCache;
     }
-    async clearCaches(opts) {
-        await clearSystemCache({ autoPurgeCache: opts?.autoPurgeCache });
-        if (this.cache && opts?.autoPurgeCache !== false) {
-            await this.cache.clear();
+    getAllowedFields(action, collection) {
+        const results = this.accountability?.permissions?.filter((permission) => {
+            let matchesCollection = true;
+            if (collection) {
+                matchesCollection = permission.collection === collection;
+            }
+            const matchesAction = permission.action === action;
+            return collection ? matchesCollection && matchesAction : matchesAction;
+        }) ?? [];
+        const fieldsPerCollection = {};
+        for (const result of results) {
+            const { collection, fields } = result;
+            if (!fieldsPerCollection[collection])
+                fieldsPerCollection[collection] = [];
+            fieldsPerCollection[collection].push(...(fields ?? []));
         }
+        return fieldsPerCollection;
     }
     async readByQuery(query, opts) {
         const result = (await super.readByQuery(query, opts));
@@ -19,32 +34,50 @@ export class PermissionsService extends ItemsService {
     }
     async createOne(data, opts) {
         const res = await super.createOne(data, opts);
-        await this.clearCaches(opts);
+        await clearSystemCache({ autoPurgeCache: opts?.autoPurgeCache });
+        if (this.cache && opts?.autoPurgeCache !== false) {
+            await this.cache.clear();
+        }
         return res;
     }
     async createMany(data, opts) {
         const res = await super.createMany(data, opts);
-        await this.clearCaches(opts);
+        await clearSystemCache({ autoPurgeCache: opts?.autoPurgeCache });
+        if (this.cache && opts?.autoPurgeCache !== false) {
+            await this.cache.clear();
+        }
         return res;
     }
     async updateBatch(data, opts) {
         const res = await super.updateBatch(data, opts);
-        await this.clearCaches(opts);
+        await clearSystemCache({ autoPurgeCache: opts?.autoPurgeCache });
+        if (this.cache && opts?.autoPurgeCache !== false) {
+            await this.cache.clear();
+        }
         return res;
     }
     async updateMany(keys, data, opts) {
         const res = await super.updateMany(keys, data, opts);
-        await this.clearCaches(opts);
+        await clearSystemCache({ autoPurgeCache: opts?.autoPurgeCache });
+        if (this.cache && opts?.autoPurgeCache !== false) {
+            await this.cache.clear();
+        }
         return res;
     }
     async upsertMany(payloads, opts) {
         const res = await super.upsertMany(payloads, opts);
-        await this.clearCaches(opts);
+        await clearSystemCache({ autoPurgeCache: opts?.autoPurgeCache });
+        if (this.cache && opts?.autoPurgeCache !== false) {
+            await this.cache.clear();
+        }
         return res;
     }
     async deleteMany(keys, opts) {
         const res = await super.deleteMany(keys, opts);
-        await this.clearCaches(opts);
+        await clearSystemCache({ autoPurgeCache: opts?.autoPurgeCache });
+        if (this.cache && opts?.autoPurgeCache !== false) {
+            await this.cache.clear();
+        }
         return res;
     }
     async getItemPermissions(collection, primaryKey) {
@@ -82,25 +115,16 @@ export class PermissionsService extends ItemsService {
                 updateAction = 'create';
             }
         }
+        const authorizationService = new AuthorizationService({
+            knex: this.knex,
+            accountability: this.accountability,
+            schema: this.schema,
+        });
         await Promise.all(Object.keys(itemPermissions).map((key) => {
             const action = key;
             const checkAction = action === 'update' ? updateAction : action;
-            if (!this.accountability) {
-                itemPermissions[action].access = true;
-                return Promise.resolve();
-            }
-            const opts = {
-                accountability: this.accountability,
-                action: checkAction,
-                collection,
-            };
-            if (primaryKey) {
-                opts.primaryKeys = [primaryKey];
-            }
-            return validateAccess(opts, {
-                schema: this.schema,
-                knex: this.knex,
-            })
+            return authorizationService
+                .checkAccess(checkAction, collection, primaryKey)
                 .then(() => (itemPermissions[action].access = true))
                 .catch(() => { });
         }));

package/dist/{permissions → services/permissions}/lib/with-app-minimal-permissions.d.ts RENAMED Viewed

@@ -1,2 +1,2 @@
 import type { Accountability, Permission, Query } from '@directus/types';
-export declare function withAppMinimalPermissions(accountability: Pick<Accountability, 'app'> | null, permissions: Permission[], filter: Query['filter']): Permission[];
+export declare function withAppMinimalPermissions(accountability: Accountability | null, permissions: Permission[], filter: Query['filter']): Permission[];

package/dist/services/permissions/lib/with-app-minimal-permissions.js ADDED Viewed

@@ -0,0 +1,13 @@
+import { appAccessMinimalPermissions } from '@directus/system-data';
+import { filterItems } from '../../../utils/filter-items.js';
+import { mergePermissions } from '../../../utils/merge-permissions.js';
+export function withAppMinimalPermissions(accountability, permissions, filter) {
+    if (accountability?.app === true) {
+        const filteredAppMinimalPermissions = filterItems(appAccessMinimalPermissions.map((permission) => ({
+            ...permission,
+            role: accountability.role,
+        })), filter);
+        return mergePermissions('or', permissions, filteredAppMinimalPermissions);
+    }
+    return permissions;
+}

package/dist/services/relations.d.ts CHANGED Viewed

@@ -5,8 +5,10 @@ import type { Knex } from 'knex';
 import type { Helpers } from '../database/helpers/index.js';
 import type { AbstractServiceOptions, MutationOptions } from '../types/index.js';
 import { ItemsService, type QueryOptions } from './items.js';
+import { PermissionsService } from './permissions/index.js';
 export declare class RelationsService {
     knex: Knex;
+    permissionsService: PermissionsService;
     schemaInspector: SchemaInspector;
     accountability: Accountability | null;
     schema: SchemaOverview;
@@ -30,6 +32,10 @@ export declare class RelationsService {
      * Delete an existing relationship
      */
     deleteOne(collection: string, field: string, opts?: MutationOptions): Promise<void>;
+    /**
+     * Whether or not the current user has read access to relations
+     */
+    private get hasReadAccess();
     /**
      * Combine raw schema foreign key information with Directus relations meta rows to form final
      * Relation objects

package/dist/services/relations.js CHANGED Viewed

@@ -6,15 +6,14 @@ import { clearSystemCache, getCache } from '../cache.js';
 import { getHelpers } from '../database/helpers/index.js';
 import getDatabase, { getSchemaInspector } from '../database/index.js';
 import emitter from '../emitter.js';
-import { fetchAllowedFieldMap } from '../permissions/modules/fetch-allowed-field-map/fetch-allowed-field-map.js';
-import { fetchAllowedFields } from '../permissions/modules/fetch-allowed-fields/fetch-allowed-fields.js';
-import { validateAccess } from '../permissions/modules/validate-access/validate-access.js';
 import { getDefaultIndexName } from '../utils/get-default-index-name.js';
 import { getSchema } from '../utils/get-schema.js';
 import { transaction } from '../utils/transaction.js';
 import { ItemsService } from './items.js';
+import { PermissionsService } from './permissions/index.js';
 export class RelationsService {
     knex;
+    permissionsService;
     schemaInspector;
     accountability;
     schema;
@@ -23,6 +22,7 @@ export class RelationsService {
     helpers;
     constructor(options) {
         this.knex = options.knex || getDatabase();
+        this.permissionsService = new PermissionsService(options);
         this.schemaInspector = options.knex ? createInspector(options.knex) : getSchemaInspector();
         this.schema = options.schema;
         this.accountability = options.accountability || null;
@@ -37,15 +37,8 @@ export class RelationsService {
         this.helpers = getHelpers(this.knex);
     }
     async readAll(collection, opts) {
-        if (this.accountability) {
-            await validateAccess({
-                accountability: this.accountability,
-                action: 'read',
-                collection: 'directus_relations',
-            }, {
-                knex: this.knex,
-                schema: this.schema,
-            });
+        if (this.accountability && this.accountability.admin !== true && this.hasReadAccess === false) {
+            throw new ForbiddenError();
         }
         const metaReadQuery = {
             limit: -1,
@@ -71,17 +64,18 @@ export class RelationsService {
     }
     async readOne(collection, field) {
         if (this.accountability && this.accountability.admin !== true) {
-            await validateAccess({
-                accountability: this.accountability,
-                action: 'read',
-                collection: 'directus_relations',
-            }, {
-                schema: this.schema,
-                knex: this.knex,
+            if (this.hasReadAccess === false) {
+                throw new ForbiddenError();
+            }
+            const permissions = this.accountability.permissions?.find((permission) => {
+                return permission.action === 'read' && permission.collection === collection;
             });
-            const allowedFields = await fetchAllowedFields({ collection, action: 'read', accountability: this.accountability }, { schema: this.schema, knex: this.knex });
-            if (allowedFields.includes('*') === false && allowedFields.includes(field) === false) {
+            if (!permissions || !permissions.fields)
                 throw new ForbiddenError();
+            if (permissions.fields.includes('*') === false) {
+                const allowedFields = permissions.fields;
+                if (allowedFields.includes(field) === false)
+                    throw new ForbiddenError();
             }
         }
         const metaRow = await this.relationsItemService.readByQuery({
@@ -363,6 +357,14 @@ export class RelationsService {
             }
         }
     }
+    /**
+     * Whether or not the current user has read access to relations
+     */
+    get hasReadAccess() {
+        return !!this.accountability?.permissions?.find((permission) => {
+            return permission.collection === 'directus_relations' && permission.action === 'read';
+        });
+    }
     /**
      * Combine raw schema foreign key information with Directus relations meta rows to form final
      * Relation objects
@@ -411,11 +413,12 @@ export class RelationsService {
     async filterForbidden(relations) {
         if (this.accountability === null || this.accountability?.admin === true)
             return relations;
-        const allowedFields = await fetchAllowedFieldMap({
-            accountability: this.accountability,
-            action: 'read',
-        }, { schema: this.schema, knex: this.knex });
-        const allowedCollections = Object.keys(allowedFields);
+        const allowedCollections = this.accountability.permissions
+            ?.filter((permission) => {
+            return permission.action === 'read';
+        })
+            .map(({ collection }) => collection) ?? [];
+        const allowedFields = this.permissionsService.getAllowedFields('read');
         relations = toArray(relations);
         return relations.filter((relation) => {
             let collectionsAllowed = true;

package/dist/services/roles.d.ts CHANGED Viewed

@@ -1,10 +1,18 @@
-import type { Item, PrimaryKey } from '@directus/types';
+import type { Item, PrimaryKey, Query } from '@directus/types';
 import type { AbstractServiceOptions, MutationOptions } from '../types/index.js';
 import { ItemsService } from './items.js';
 export declare class RolesService extends ItemsService {
     constructor(options: AbstractServiceOptions);
+    private checkForOtherAdminRoles;
+    private checkForOtherAdminUsers;
+    private isIpAccessValid;
+    private assertValidIpAccess;
+    private getRoleAccessType;
+    createOne(data: Partial<Item>, opts?: MutationOptions): Promise<PrimaryKey>;
+    createMany(data: Partial<Item>[], opts?: MutationOptions): Promise<PrimaryKey[]>;
+    updateOne(key: PrimaryKey, data: Partial<Item>, opts?: MutationOptions): Promise<PrimaryKey>;
+    updateBatch(data: Partial<Item>[], opts?: MutationOptions): Promise<PrimaryKey[]>;
     updateMany(keys: PrimaryKey[], data: Partial<Item>, opts?: MutationOptions): Promise<PrimaryKey[]>;
-    deleteMany(keys: PrimaryKey[], opts?: MutationOptions): Promise<PrimaryKey[]>;
-    private validateRoleNesting;
-    private clearCaches;
+    updateByQuery(query: Query, data: Partial<Item>, opts?: MutationOptions | undefined): Promise<PrimaryKey[]>;
+    deleteMany(keys: PrimaryKey[]): Promise<PrimaryKey[]>;
 }