@directus/api 20.0.0-rc.1 → 20.0.0

package/dist/app.js

@@ -10,7 +10,6 @@ import path from 'path';
 import qs from 'qs';
 import { registerAuthProviders } from './auth.js';
 import activityRouter from './controllers/activity.js';
-import accessRouter from './controllers/access.js';
 import assetsRouter from './controllers/assets.js';
 import authRouter from './controllers/auth.js';
 import collectionsRouter from './controllers/collections.js';
@@ -27,7 +26,6 @@ import notificationsRouter from './controllers/notifications.js';
 import operationsRouter from './controllers/operations.js';
 import panelsRouter from './controllers/panels.js';
 import permissionsRouter from './controllers/permissions.js';
-import policiesRouter from './controllers/policies.js';
 import presetsRouter from './controllers/presets.js';
 import relationsRouter from './controllers/relations.js';
 import revisionsRouter from './controllers/revisions.js';
@@ -37,6 +35,7 @@ import serverRouter from './controllers/server.js';
 import settingsRouter from './controllers/settings.js';
 import sharesRouter from './controllers/shares.js';
 import translationsRouter from './controllers/translations.js';
+import { default as tusRouter, scheduleTusCleanup } from './controllers/tus.js';
 import usersRouter from './controllers/users.js';
 import utilsRouter from './controllers/utils.js';
 import versionsRouter from './controllers/versions.js';
@@ -48,9 +47,11 @@ import { getFlowManager } from './flows.js';
 import { createExpressLogger, useLogger } from './logger.js';
 import authenticate from './middleware/authenticate.js';
 import cache from './middleware/cache.js';
+import { checkIP } from './middleware/check-ip.js';
 import cors from './middleware/cors.js';
 import errorHandler from './middleware/error-handler.js';
 import extractToken from './middleware/extract-token.js';
+import getPermissions from './middleware/get-permissions.js';
 import rateLimiterGlobal from './middleware/rate-limiter-global.js';
 import rateLimiter from './middleware/rate-limiter-ip.js';
 import sanitizeQuery from './middleware/sanitize-query.js';
@@ -197,20 +198,24 @@ export default async function createApp() {
     }
     app.get('/server/ping', (_req, res) => res.send('pong'));
     app.use(authenticate);
+    app.use(checkIP);
     app.use(sanitizeQuery);
     app.use(cache);
     app.use(schema);
+    app.use(getPermissions);
     await emitter.emitInit('middlewares.after', { app });
     await emitter.emitInit('routes.before', { app });
     app.use('/auth', authRouter);
     app.use('/graphql', graphqlRouter);
     app.use('/activity', activityRouter);
-    app.use('/access', accessRouter);
     app.use('/assets', assetsRouter);
     app.use('/collections', collectionsRouter);
     app.use('/dashboards', dashboardsRouter);
     app.use('/extensions', extensionsRouter);
     app.use('/fields', fieldsRouter);
+    if (env['TUS_ENABLED'] === true) {
+        app.use('/files/tus', tusRouter);
+    }
     app.use('/files', filesRouter);
     app.use('/flows', flowsRouter);
     app.use('/folders', foldersRouter);
@@ -219,7 +224,6 @@ export default async function createApp() {
     app.use('/operations', operationsRouter);
     app.use('/panels', panelsRouter);
     app.use('/permissions', permissionsRouter);
-    app.use('/policies', policiesRouter);
     app.use('/presets', presetsRouter);
     app.use('/translations', translationsRouter);
     app.use('/relations', relationsRouter);
@@ -241,6 +245,7 @@ export default async function createApp() {
     app.use(errorHandler);
     await emitter.emitInit('routes.after', { app });
     initTelemetry();
+    scheduleTusCleanup();
     await emitter.emitInit('app.after', { app });
     return app;
 }

package/dist/auth/drivers/ldap.js

@@ -3,17 +3,16 @@ import { ErrorCode, InvalidCredentialsError, InvalidPayloadError, InvalidProvide
 import { Router } from 'express';
 import Joi from 'joi';
 import ldap from 'ldapjs';
-import { REFRESH_COOKIE_OPTIONS, SESSION_COOKIE_OPTIONS } from '../../constants.js';
 import getDatabase from '../../database/index.js';
 import emitter from '../../emitter.js';
 import { useLogger } from '../../logger.js';
 import { respond } from '../../middleware/respond.js';
-import { createDefaultAccountability } from '../../permissions/utils/create-default-accountability.js';
 import { AuthenticationService } from '../../services/authentication.js';
 import { UsersService } from '../../services/users.js';
 import asyncHandler from '../../utils/async-handler.js';
 import { getIPFromReq } from '../../utils/get-ip-from-req.js';
 import { AuthDriver } from '../auth.js';
+import { REFRESH_COOKIE_OPTIONS, SESSION_COOKIE_OPTIONS } from '../../constants.js';
 // 0x2: ACCOUNTDISABLE
 // 0x10: LOCKOUT
 // 0x800000: PASSWORD_EXPIRED
@@ -296,9 +295,10 @@ export function createLDAPAuthRouter(provider) {
     }).unknown();
     router.post('/', asyncHandler(async (req, res, next) => {
         const env = useEnv();
-        const accountability = createDefaultAccountability({
+        const accountability = {
             ip: getIPFromReq(req),
-        });
+            role: null,
+        };
         const userAgent = req.get('user-agent')?.substring(0, 1024);
         if (userAgent)
             accountability.userAgent = userAgent;

package/dist/auth/drivers/local.js

@@ -1,12 +1,11 @@
-import { useEnv } from '@directus/env';
 import { InvalidCredentialsError, InvalidPayloadError } from '@directus/errors';
 import argon2 from 'argon2';
 import { Router } from 'express';
 import Joi from 'joi';
 import { performance } from 'perf_hooks';
 import { REFRESH_COOKIE_OPTIONS, SESSION_COOKIE_OPTIONS } from '../../constants.js';
+import { useEnv } from '@directus/env';
 import { respond } from '../../middleware/respond.js';
-import { createDefaultAccountability } from '../../permissions/utils/create-default-accountability.js';
 import { AuthenticationService } from '../../services/authentication.js';
 import asyncHandler from '../../utils/async-handler.js';
 import { getIPFromReq } from '../../utils/get-ip-from-req.js';
@@ -48,9 +47,10 @@ export function createLocalAuthRouter(provider) {
     router.post('/', asyncHandler(async (req, res, next) => {
         const STALL_TIME = env['LOGIN_STALL_TIME'];
         const timeStart = performance.now();
-        const accountability = createDefaultAccountability({
+        const accountability = {
             ip: getIPFromReq(req),
-        });
+            role: null,
+        };
         const userAgent = req.get('user-agent')?.substring(0, 1024);
         if (userAgent)
             accountability.userAgent = userAgent;

package/dist/auth/drivers/oauth2.js

@@ -11,16 +11,15 @@ import getDatabase from '../../database/index.js';
 import emitter from '../../emitter.js';
 import { useLogger } from '../../logger.js';
 import { respond } from '../../middleware/respond.js';
-import { createDefaultAccountability } from '../../permissions/utils/create-default-accountability.js';
 import { AuthenticationService } from '../../services/authentication.js';
 import { UsersService } from '../../services/users.js';
 import asyncHandler from '../../utils/async-handler.js';
 import { getConfigFromEnv } from '../../utils/get-config-from-env.js';
 import { getIPFromReq } from '../../utils/get-ip-from-req.js';
-import { getSecret } from '../../utils/get-secret.js';
 import { isLoginRedirectAllowed } from '../../utils/is-login-redirect-allowed.js';
 import { Url } from '../../utils/url.js';
 import { LocalAuthDriver } from './local.js';
+import { getSecret } from '../../utils/get-secret.js';
 export class OAuth2AuthDriver extends LocalAuthDriver {
     client;
     redirectUrl;
@@ -252,9 +251,10 @@ export function createOAuth2AuthRouter(providerName) {
             throw new InvalidCredentialsError();
         }
         const { verifier, redirect, prompt } = tokenData;
-        const accountability = createDefaultAccountability({
+        const accountability = {
             ip: getIPFromReq(req),
-        });
+            role: null,
+        };
         const userAgent = req.get('user-agent')?.substring(0, 1024);
         if (userAgent)
             accountability.userAgent = userAgent;

package/dist/auth/drivers/openid.js

@@ -11,7 +11,6 @@ import getDatabase from '../../database/index.js';
 import emitter from '../../emitter.js';
 import { useLogger } from '../../logger.js';
 import { respond } from '../../middleware/respond.js';
-import { createDefaultAccountability } from '../../permissions/utils/create-default-accountability.js';
 import { AuthenticationService } from '../../services/authentication.js';
 import { UsersService } from '../../services/users.js';
 import asyncHandler from '../../utils/async-handler.js';
@@ -273,7 +272,10 @@ export function createOpenIDAuthRouter(providerName) {
             throw new InvalidCredentialsError();
         }
         const { verifier, redirect, prompt } = tokenData;
-        const accountability = createDefaultAccountability({ ip: getIPFromReq(req) });
+        const accountability = {
+            ip: getIPFromReq(req),
+            role: null,
+        };
         const userAgent = req.get('user-agent')?.substring(0, 1024);
         if (userAgent)
             accountability.userAgent = userAgent;

package/dist/cache.js

@@ -8,7 +8,6 @@ import { compress, decompress } from './utils/compress.js';
 import { getConfigFromEnv } from './utils/get-config-from-env.js';
 import { getMilliseconds } from './utils/get-milliseconds.js';
 import { validateEnv } from './utils/validate-env.js';
-import { clearCache as clearPermissionCache } from './permissions/cache.js';
 import { createRequire } from 'node:module';
 const logger = useLogger();
 const env = useEnv();
@@ -67,8 +66,6 @@ export async function clearSystemCache(opts) {
     }
     await sharedSchemaCache.clear();
     await localSchemaCache.clear();
-    // Since a lot of cached permission function rely on the schema it needs to be cleared as well
-    await clearPermissionCache();
     messenger.publish('schemaChanged', { autoPurgeCache: opts?.autoPurgeCache });
 }
 export async function setSystemCache(key, value, ttl) {

package/dist/cli/commands/bootstrap/index.js

@@ -3,13 +3,11 @@ import getDatabase, { hasDatabaseConnection, isInstalled, validateDatabaseConnec
 import runMigrations from '../../../database/migrations/run.js';
 import installDatabase from '../../../database/seeds/run.js';
 import { useLogger } from '../../../logger.js';
-import { AccessService } from '../../../services/access.js';
-import { PoliciesService } from '../../../services/policies.js';
 import { RolesService } from '../../../services/roles.js';
 import { SettingsService } from '../../../services/settings.js';
 import { UsersService } from '../../../services/users.js';
 import { getSchema } from '../../../utils/get-schema.js';
-import { defaultAdminPolicy, defaultAdminRole, defaultAdminUser } from '../../utils/defaults.js';
+import { defaultAdminRole, defaultAdminUser } from '../../utils/defaults.js';
 export default async function bootstrap({ skipAdminInit }) {
     const logger = useLogger();
     logger.info('Initializing bootstrap...');
@@ -60,12 +58,8 @@ async function createDefaultAdmin(schema) {
     const env = useEnv();
     const { nanoid } = await import('nanoid');
     logger.info('Setting up first admin role...');
-    const accessService = new AccessService({ schema });
-    const policiesService = new PoliciesService({ schema });
     const rolesService = new RolesService({ schema });
     const role = await rolesService.createOne(defaultAdminRole);
-    const policy = await policiesService.createOne(defaultAdminPolicy);
-    await accessService.createOne({ policy, role });
     logger.info('Adding first admin user...');
     const usersService = new UsersService({ schema });
     let adminEmail = env['ADMIN_EMAIL'];
@@ -78,5 +72,5 @@ async function createDefaultAdmin(schema) {
         adminPassword = nanoid(12);
         logger.info(`No admin password provided. Defaulting to "${adminPassword}"`);
     }
-    await usersService.createOne({ ...defaultAdminUser, email: adminEmail, password: adminPassword, role });
+    await usersService.createOne({ email: adminEmail, password: adminPassword, role, ...defaultAdminUser });
 }

package/dist/cli/commands/init/index.js

@@ -9,7 +9,7 @@ import runSeed from '../../../database/seeds/run.js';
 import { generateHash } from '../../../utils/generate-hash.js';
 import createDBConnection from '../../utils/create-db-connection.js';
 import createEnv from '../../utils/create-env/index.js';
-import { defaultAdminPolicy, defaultAdminRole, defaultAdminUser } from '../../utils/defaults.js';
+import { defaultAdminRole, defaultAdminUser } from '../../utils/defaults.js';
 import { drivers, getDriverForClient } from '../../utils/drivers.js';
 import { databaseQuestions } from './questions.js';
 export default async function init() {
@@ -79,17 +79,18 @@ export default async function init() {
         },
     ]);
     firstUser.password = await generateHash(firstUser.password);
-    const role = randomUUID();
-    const policy = randomUUID();
-    await db('directus_roles').insert({ ...defaultAdminRole, id: role });
-    await db('directus_policies').insert({ ...defaultAdminPolicy, id: policy });
-    await db('directus_access').insert({ id: randomUUID(), role, policy });
+    const userID = randomUUID();
+    const roleID = randomUUID();
+    await db('directus_roles').insert({
+        id: roleID,
+        ...defaultAdminRole,
+    });
     await db('directus_users').insert({
-        ...defaultAdminUser,
-        id: randomUUID(),
+        id: userID,
         email: firstUser.email,
         password: firstUser.password,
-        role,
+        role: roleID,
+        ...defaultAdminUser,
     });
     await db.destroy();
     process.stdout.write(`\nYour project has been created at ${chalk.green(rootPath)}.\n`);

package/dist/cli/utils/defaults.d.ts

@@ -1,4 +1,11 @@
-import type { Policy, Role, User } from '@directus/types';
-export declare const defaultAdminRole: Partial<Role>;
-export declare const defaultAdminUser: Partial<User>;
-export declare const defaultAdminPolicy: Partial<Policy>;
+export declare const defaultAdminRole: {
+    name: string;
+    icon: string;
+    admin_access: boolean;
+    description: string;
+};
+export declare const defaultAdminUser: {
+    status: string;
+    first_name: string;
+    last_name: string;
+};

package/dist/cli/utils/defaults.js

@@ -1,6 +1,7 @@
 export const defaultAdminRole = {
     name: 'Administrator',
     icon: 'verified',
+    admin_access: true,
     description: '$t:admin_description',
 };
 export const defaultAdminUser = {
@@ -8,10 +9,3 @@ export const defaultAdminUser = {
     first_name: 'Admin',
     last_name: 'User',
 };
-export const defaultAdminPolicy = {
-    name: 'Administrator',
-    icon: 'verified',
-    admin_access: true,
-    app_access: true,
-    description: '$t:admin_description',
-};

package/dist/constants.d.ts

@@ -6,7 +6,7 @@ export declare const FILTER_VARIABLES: string[];
 export declare const ALIAS_TYPES: string[];
 export declare const DEFAULT_AUTH_PROVIDER = "default";
 export declare const COLUMN_TRANSFORMS: string[];
-export declare const GENERATE_SPECIAL: readonly ["uuid", "date-created", "role-created", "user-created"];
+export declare const GENERATE_SPECIAL: string[];
 export declare const UUID_REGEX = "[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}";
 export declare const REFRESH_COOKIE_OPTIONS: CookieOptions;
 export declare const SESSION_COOKIE_OPTIONS: CookieOptions;
@@ -15,3 +15,11 @@ export declare const OAS_REQUIRED_SCHEMAS: string[];
 export declare const SUPPORTED_IMAGE_TRANSFORM_FORMATS: string[];
 /** Formats where metadata extraction is supported */
 export declare const SUPPORTED_IMAGE_METADATA_FORMATS: string[];
+/** Resumable uploads */
+export declare const RESUMABLE_UPLOADS: {
+    ENABLED: boolean;
+    CHUNK_SIZE: number;
+    MAX_SIZE: number;
+    EXPIRATION_TIME: number;
+    SCHEDULE: string;
+};

package/dist/constants.js

@@ -1,5 +1,7 @@
 import { getMilliseconds } from './utils/get-milliseconds.js';
 import { useEnv } from '@directus/env';
+import { toBoolean } from '@directus/utils';
+import bytes from 'bytes';
 const env = useEnv();
 export const SYSTEM_ASSET_ALLOW_LIST = [
     {
@@ -77,3 +79,11 @@ export const SUPPORTED_IMAGE_METADATA_FORMATS = [
     'image/tiff',
     'image/avif',
 ];
+/** Resumable uploads */
+export const RESUMABLE_UPLOADS = {
+    ENABLED: toBoolean(env['TUS_ENABLED']),
+    CHUNK_SIZE: bytes(env['TUS_CHUNK_SIZE']),
+    MAX_SIZE: bytes(env['FILES_MAX_UPLOAD_SIZE']),
+    EXPIRATION_TIME: getMilliseconds(env['TUS_UPLOAD_EXPIRATION'], 600_000 /* 10min */),
+    SCHEDULE: String(env['TUS_CLEANUP_SCHEDULE']),
+};

package/dist/controllers/auth.js

@@ -5,7 +5,6 @@ import { createLDAPAuthRouter, createLocalAuthRouter, createOAuth2AuthRouter, cr
 import { DEFAULT_AUTH_PROVIDER, REFRESH_COOKIE_OPTIONS, SESSION_COOKIE_OPTIONS } from '../constants.js';
 import { useLogger } from '../logger.js';
 import { respond } from '../middleware/respond.js';
-import { createDefaultAccountability } from '../permissions/utils/create-default-accountability.js';
 import { AuthenticationService } from '../services/authentication.js';
 import { UsersService } from '../services/users.js';
 import asyncHandler from '../utils/async-handler.js';
@@ -72,7 +71,10 @@ function getCurrentRefreshToken(req, mode) {
     return undefined;
 }
 router.post('/refresh', asyncHandler(async (req, res, next) => {
-    const accountability = createDefaultAccountability({ ip: getIPFromReq(req) });
+    const accountability = {
+        ip: getIPFromReq(req),
+        role: null,
+    };
     const userAgent = req.get('user-agent')?.substring(0, 1024);
     if (userAgent)
         accountability.userAgent = userAgent;
@@ -109,7 +111,10 @@ router.post('/refresh', asyncHandler(async (req, res, next) => {
     return next();
 }), respond);
 router.post('/logout', asyncHandler(async (req, res, next) => {
-    const accountability = createDefaultAccountability({ ip: getIPFromReq(req) });
+    const accountability = {
+        ip: getIPFromReq(req),
+        role: null,
+    };
     const userAgent = req.get('user-agent')?.substring(0, 1024);
     if (userAgent)
         accountability.userAgent = userAgent;
@@ -140,7 +145,10 @@ router.post('/password/request', asyncHandler(async (req, _res, next) => {
     if (typeof req.body.email !== 'string') {
         throw new InvalidPayloadError({ reason: `"email" field is required` });
     }
-    const accountability = createDefaultAccountability({ ip: getIPFromReq(req) });
+    const accountability = {
+        ip: getIPFromReq(req),
+        role: null,
+    };
     const userAgent = req.get('user-agent')?.substring(0, 1024);
     if (userAgent)
         accountability.userAgent = userAgent;
@@ -169,7 +177,10 @@ router.post('/password/reset', asyncHandler(async (req, _res, next) => {
     if (typeof req.body.password !== 'string') {
         throw new InvalidPayloadError({ reason: `"password" field is required` });
     }
-    const accountability = createDefaultAccountability({ ip: getIPFromReq(req) });
+    const accountability = {
+        ip: getIPFromReq(req),
+        role: null,
+    };
     const userAgent = req.get('user-agent')?.substring(0, 1024);
     if (userAgent)
         accountability.userAgent = userAgent;

package/dist/controllers/permissions.js

@@ -1,12 +1,10 @@
-import { ErrorCode, ForbiddenError, isDirectusError } from '@directus/errors';
+import { ErrorCode, isDirectusError } from '@directus/errors';
 import express from 'express';
-import getDatabase from '../database/index.js';
 import { respond } from '../middleware/respond.js';
 import useCollection from '../middleware/use-collection.js';
 import { validateBatch } from '../middleware/validate-batch.js';
-import { fetchAccountabilityCollectionAccess } from '../permissions/modules/fetch-accountability-collection-access/fetch-accountability-collection-access.js';
 import { MetaService } from '../services/meta.js';
-import { PermissionsService } from '../services/permissions.js';
+import { PermissionsService } from '../services/permissions/index.js';
 import asyncHandler from '../utils/async-handler.js';
 import { sanitizeQuery } from '../utils/sanitize-query.js';
 const router = express.Router();
@@ -71,16 +69,6 @@ const readHandler = asyncHandler(async (req, res, next) => {
 });
 router.get('/', validateBatch('read'), readHandler, respond);
 router.search('/', validateBatch('read'), readHandler, respond);
-router.get('/me', asyncHandler(async (req, res, next) => {
-    if (!req.accountability?.user && !req.accountability?.role)
-        throw new ForbiddenError();
-    const result = await fetchAccountabilityCollectionAccess(req.accountability, {
-        schema: req.schema,
-        knex: getDatabase(),
-    });
-    res.locals['payload'] = { data: result };
-    return next();
-}), respond);
 router.get('/:pk', asyncHandler(async (req, res, next) => {
     if (req.path.endsWith('me'))
         return next();

package/dist/controllers/roles.js

@@ -1,4 +1,4 @@
-import { ErrorCode, ForbiddenError, isDirectusError } from '@directus/errors';
+import { ErrorCode, isDirectusError } from '@directus/errors';
 import express from 'express';
 import { respond } from '../middleware/respond.js';
 import useCollection from '../middleware/use-collection.js';
@@ -57,27 +57,6 @@ const readHandler = asyncHandler(async (req, res, next) => {
 });
 router.get('/', validateBatch('read'), readHandler, respond);
 router.search('/', validateBatch('read'), readHandler, respond);
-router.get('/me', asyncHandler(async (req, res, next) => {
-    if (!req.accountability?.user && !req.accountability?.role)
-        throw new ForbiddenError();
-    const service = new RolesService({
-        accountability: req.accountability,
-        schema: req.schema,
-    });
-    const query = { ...req.sanitizedQuery, limit: -1 };
-    try {
-        const roles = await service.readMany(req.accountability.roles, query);
-        res.locals['payload'] = { data: roles || null };
-    }
-    catch (error) {
-        if (isDirectusError(error, ErrorCode.Forbidden)) {
-            res.locals['payload'] = { data: req.accountability.roles.map((id) => ({ id })) };
-            return next();
-        }
-        throw error;
-    }
-    return next();
-}), respond);
 router.get('/:pk', asyncHandler(async (req, res, next) => {
     const service = new RolesService({
         accountability: req.accountability,

package/dist/controllers/{access.d.ts → tus.d.ts}

@@ -1,2 +1,3 @@
+export declare function scheduleTusCleanup(): void;
 declare const router: import("express-serve-static-core").Router;
 export default router;

package/dist/controllers/tus.js

@@ -0,0 +1,72 @@
+import { Router } from 'express';
+import { getSchema } from '../utils/get-schema.js';
+import { scheduleSynchronizedJob, validateCron } from '../utils/schedule.js';
+import { createTusServer } from '../services/tus/index.js';
+import { AuthorizationService } from '../services/authorization.js';
+import asyncHandler from '../utils/async-handler.js';
+import { ForbiddenError } from '@directus/errors';
+import { RESUMABLE_UPLOADS } from '../constants.js';
+const mapAction = (method) => {
+    switch (method) {
+        case 'POST':
+            return 'create';
+        case 'PATCH':
+            return 'update';
+        case 'DELETE':
+            return 'delete';
+        default:
+            return 'read';
+    }
+};
+const checkFileAccess = asyncHandler(async (req, _res, next) => {
+    const auth = new AuthorizationService({
+        accountability: req.accountability,
+        schema: req.schema,
+    });
+    if (!req.accountability?.admin) {
+        const action = mapAction(req.method);
+        if (action === 'create') {
+            // checkAccess doesnt seem to work as expected for "create" actions
+            const hasPermission = Boolean(req.accountability?.permissions?.find((permission) => {
+                return permission.collection === 'directus_files' && permission.action === action;
+            }));
+            if (!hasPermission)
+                throw new ForbiddenError();
+        }
+        else {
+            try {
+                await auth.checkAccess(action, 'directus_files');
+            }
+            catch (e) {
+                throw new ForbiddenError();
+            }
+        }
+    }
+    return next();
+});
+const handler = asyncHandler(async (req, res) => {
+    const tusServer = await createTusServer({
+        schema: req.schema,
+        accountability: req.accountability,
+    });
+    await tusServer.handle(req, res);
+});
+export function scheduleTusCleanup() {
+    if (!RESUMABLE_UPLOADS.ENABLED)
+        return;
+    if (validateCron(RESUMABLE_UPLOADS.SCHEDULE)) {
+        scheduleSynchronizedJob('tus-cleanup', RESUMABLE_UPLOADS.SCHEDULE, async () => {
+            const tusServer = await createTusServer({
+                schema: await getSchema(),
+            });
+            await tusServer.cleanUpExpiredUploads();
+        });
+    }
+}
+const router = Router();
+router.post('/', checkFileAccess, handler);
+router.patch('/:id', checkFileAccess, handler);
+router.delete('/:id', checkFileAccess, handler);
+router.options('/:id', checkFileAccess, handler);
+router.head('/:id', checkFileAccess, handler);
+export default router;

package/dist/controllers/users.js

@@ -7,6 +7,7 @@ import useCollection from '../middleware/use-collection.js';
 import { validateBatch } from '../middleware/validate-batch.js';
 import { AuthenticationService } from '../services/authentication.js';
 import { MetaService } from '../services/meta.js';
+import { RolesService } from '../services/roles.js';
 import { TFAService } from '../services/tfa.js';
 import { UsersService } from '../services/users.js';
 import asyncHandler from '../utils/async-handler.js';
@@ -261,6 +262,33 @@ router.post('/me/tfa/enable/', asyncHandler(async (req, _res, next) => {
     if (!req.body.otp) {
         throw new InvalidPayloadError({ reason: `"otp" is required` });
     }
+    // Override permissions only when enforce TFA is enabled in role
+    if (req.accountability.role) {
+        const rolesService = new RolesService({
+            schema: req.schema,
+        });
+        const role = (await rolesService.readOne(req.accountability.role));
+        if (role && role.enforce_tfa) {
+            const existingPermission = await req.accountability.permissions?.find((p) => p.collection === 'directus_users' && p.action === 'update');
+            if (existingPermission) {
+                existingPermission.fields = ['tfa_secret'];
+                existingPermission.permissions = { id: { _eq: req.accountability.user } };
+                existingPermission.presets = null;
+                existingPermission.validation = null;
+            }
+            else {
+                (req.accountability.permissions || (req.accountability.permissions = [])).push({
+                    action: 'update',
+                    collection: 'directus_users',
+                    fields: ['tfa_secret'],
+                    permissions: { id: { _eq: req.accountability.user } },
+                    presets: null,
+                    role: req.accountability.role,
+                    validation: null,
+                });
+            }
+        }
+    }
     const service = new TFAService({
         accountability: req.accountability,
         schema: req.schema,
@@ -275,6 +303,33 @@ router.post('/me/tfa/disable', asyncHandler(async (req, _res, next) => {
     if (!req.body.otp) {
         throw new InvalidPayloadError({ reason: `"otp" is required` });
     }
+    // Override permissions only when enforce TFA is enabled in role
+    if (req.accountability.role) {
+        const rolesService = new RolesService({
+            schema: req.schema,
+        });
+        const role = (await rolesService.readOne(req.accountability.role));
+        if (role && role.enforce_tfa) {
+            const existingPermission = await req.accountability.permissions?.find((p) => p.collection === 'directus_users' && p.action === 'update');
+            if (existingPermission) {
+                existingPermission.fields = ['tfa_secret'];
+                existingPermission.permissions = { id: { _eq: req.accountability.user } };
+                existingPermission.presets = null;
+                existingPermission.validation = null;
+            }
+            else {
+                (req.accountability.permissions || (req.accountability.permissions = [])).push({
+                    action: 'update',
+                    collection: 'directus_users',
+                    fields: ['tfa_secret'],
+                    permissions: { id: { _eq: req.accountability.user } },
+                    presets: null,
+                    role: req.accountability.role,
+                    validation: null,
+                });
+            }
+        }
+    }
     const service = new TFAService({
         accountability: req.accountability,
         schema: req.schema,

package/dist/database/helpers/fn/types.d.ts

@@ -1,10 +1,9 @@
-import type { Filter, Query, SchemaOverview } from '@directus/types';
+import type { Query, SchemaOverview } from '@directus/types';
 import type { Knex } from 'knex';
 import { DatabaseHelper } from '../types.js';
 export type FnHelperOptions = {
     type: string | undefined;
     query: Query | undefined;
-    cases: Filter[] | undefined;
     originalCollectionName: string | undefined;
 };
 export declare abstract class FnHelper extends DatabaseHelper {

package/dist/database/helpers/fn/types.js

@@ -28,7 +28,7 @@ export class FnHelper extends DatabaseHelper {
                     collection: relation.collection,
                 },
             };
-            countQuery = applyFilter(this.knex, this.schema, countQuery, options.query.filter, relation.collection, aliasMap, options.cases ?? []).query;
+            countQuery = applyFilter(this.knex, this.schema, countQuery, options.query.filter, relation.collection, aliasMap).query;
         }
         return this.knex.raw('(' + countQuery.toQuery() + ')');
     }