@directus/api 20.0.0-rc.1 → 20.1.0

package/dist/utils/merge-permissions.js

@@ -0,0 +1,95 @@
+import { flatten, intersection, isEqual, merge, omit } from 'lodash-es';
+export function mergePermissions(strategy, ...permissions) {
+    const allPermissions = flatten(permissions);
+    const mergedPermissions = allPermissions
+        .reduce((acc, val) => {
+        const key = `${val.collection}__${val.action}__${val.role || '$PUBLIC'}`;
+        const current = acc.get(key);
+        acc.set(key, current ? mergePermission(strategy, current, val) : val);
+        return acc;
+    }, new Map())
+        .values();
+    return Array.from(mergedPermissions);
+}
+export function mergePermission(strategy, currentPerm, newPerm) {
+    const logicalKey = `_${strategy}`;
+    let permissions = currentPerm.permissions;
+    let validation = currentPerm.validation;
+    let fields = currentPerm.fields;
+    let presets = currentPerm.presets;
+    if (newPerm.permissions) {
+        if (currentPerm.permissions && Object.keys(currentPerm.permissions)[0] === logicalKey) {
+            permissions = {
+                [logicalKey]: [
+                    ...currentPerm.permissions[logicalKey],
+                    newPerm.permissions,
+                ],
+            };
+        }
+        else if (currentPerm.permissions) {
+            // Empty {} supersedes other permissions in _OR merge
+            if (strategy === 'or' && (isEqual(currentPerm.permissions, {}) || isEqual(newPerm.permissions, {}))) {
+                permissions = {};
+            }
+            else {
+                permissions = {
+                    [logicalKey]: [currentPerm.permissions, newPerm.permissions],
+                };
+            }
+        }
+        else {
+            permissions = {
+                [logicalKey]: [newPerm.permissions],
+            };
+        }
+    }
+    if (newPerm.validation) {
+        if (currentPerm.validation && Object.keys(currentPerm.validation)[0] === logicalKey) {
+            validation = {
+                [logicalKey]: [
+                    ...currentPerm.validation[logicalKey],
+                    newPerm.validation,
+                ],
+            };
+        }
+        else if (currentPerm.validation) {
+            // Empty {} supersedes other validations in _OR merge
+            if (strategy === 'or' && (isEqual(currentPerm.validation, {}) || isEqual(newPerm.validation, {}))) {
+                validation = {};
+            }
+            else {
+                validation = {
+                    [logicalKey]: [currentPerm.validation, newPerm.validation],
+                };
+            }
+        }
+        else {
+            validation = {
+                [logicalKey]: [newPerm.validation],
+            };
+        }
+    }
+    if (newPerm.fields) {
+        if (Array.isArray(currentPerm.fields) && strategy === 'or') {
+            fields = [...new Set([...currentPerm.fields, ...newPerm.fields])];
+        }
+        else if (Array.isArray(currentPerm.fields) && strategy === 'and') {
+            fields = intersection(currentPerm.fields, newPerm.fields);
+        }
+        else {
+            fields = newPerm.fields;
+        }
+        if (fields.includes('*'))
+            fields = ['*'];
+    }
+    if (newPerm.presets) {
+        presets = merge({}, presets, newPerm.presets);
+    }
+    return omit({
+        ...currentPerm,
+        permissions,
+        validation,
+        fields,
+        presets,
+    }, ['id', 'system']);
+}

package/dist/utils/reduce-schema.d.ts

@@ -1,7 +1,9 @@
-import type { SchemaOverview } from '@directus/types';
-import type { FieldMap } from '../permissions/modules/fetch-allowed-field-map/fetch-allowed-field-map.js';
+import type { Permission, PermissionsAction, SchemaOverview } from '@directus/types';
 /**
  * Reduces the schema based on the included permissions. The resulting object is the schema structure, but with only
- * the allowed collections/fields/relations included based on the passed field map.
+ * the allowed collections/fields/relations included based on the permissions.
+ * @param schema The full project schema
+ * @param actions Array of permissions actions (crud)
+ * @returns Reduced schema
  */
-export declare function reduceSchema(schema: SchemaOverview, fieldMap: FieldMap): SchemaOverview;
+export declare function reduceSchema(schema: SchemaOverview, permissions: Permission[] | null, actions?: PermissionsAction[]): SchemaOverview;

package/dist/utils/reduce-schema.js

@@ -1,20 +1,40 @@
+import { uniq } from 'lodash-es';
 /**
  * Reduces the schema based on the included permissions. The resulting object is the schema structure, but with only
- * the allowed collections/fields/relations included based on the passed field map.
+ * the allowed collections/fields/relations included based on the permissions.
+ * @param schema The full project schema
+ * @param actions Array of permissions actions (crud)
+ * @returns Reduced schema
  */
-export function reduceSchema(schema, fieldMap) {
+export function reduceSchema(schema, permissions, actions = ['create', 'read', 'update', 'delete']) {
     const reduced = {
         collections: {},
         relations: [],
     };
+    const allowedFieldsInCollection = permissions
+        ?.filter((permission) => actions.includes(permission.action))
+        .reduce((acc, permission) => {
+        if (!acc[permission.collection]) {
+            acc[permission.collection] = [];
+        }
+        if (permission.fields) {
+            acc[permission.collection] = uniq([...acc[permission.collection], ...permission.fields]);
+        }
+        return acc;
+    }, {}) ?? {};
     for (const [collectionName, collection] of Object.entries(schema.collections)) {
+        if (!permissions?.some((permission) => permission.collection === collectionName && actions.includes(permission.action))) {
+            continue;
+        }
         const fields = {};
         for (const [fieldName, field] of Object.entries(schema.collections[collectionName].fields)) {
-            if (!fieldMap[collectionName]?.includes('*') && !fieldMap[collectionName]?.includes(fieldName)) {
+            if (!allowedFieldsInCollection[collectionName]?.includes('*') &&
+                !allowedFieldsInCollection[collectionName]?.includes(fieldName)) {
                 continue;
             }
             const o2mRelation = schema.relations.find((relation) => relation.related_collection === collectionName && relation.meta?.one_field === fieldName);
-            if (o2mRelation && !fieldMap[collectionName]) {
+            if (o2mRelation &&
+                !permissions?.some((permission) => permission.collection === o2mRelation.collection && actions.includes(permission.action))) {
                 continue;
             }
             fields[fieldName] = field;
@@ -27,29 +47,29 @@ export function reduceSchema(schema, fieldMap) {
     reduced.relations = schema.relations.filter((relation) => {
         let collectionsAllowed = true;
         let fieldsAllowed = true;
-        if (Object.keys(fieldMap).includes(relation.collection) === false) {
+        if (Object.keys(allowedFieldsInCollection).includes(relation.collection) === false) {
             collectionsAllowed = false;
         }
         if (relation.related_collection &&
-            (Object.keys(fieldMap).includes(relation.related_collection) === false ||
+            (Object.keys(allowedFieldsInCollection).includes(relation.related_collection) === false ||
                 // Ignore legacy permissions with an empty fields array
-                fieldMap[relation.related_collection]?.length === 0)) {
+                allowedFieldsInCollection[relation.related_collection]?.length === 0)) {
             collectionsAllowed = false;
         }
         if (relation.meta?.one_allowed_collections &&
-            relation.meta.one_allowed_collections.every((collection) => Object.keys(fieldMap).includes(collection)) === false) {
+            relation.meta.one_allowed_collections.every((collection) => Object.keys(allowedFieldsInCollection).includes(collection)) === false) {
             collectionsAllowed = false;
         }
-        if (!fieldMap[relation.collection] ||
-            (fieldMap[relation.collection]?.includes('*') === false &&
-                fieldMap[relation.collection]?.includes(relation.field) === false)) {
+        if (!allowedFieldsInCollection[relation.collection] ||
+            (allowedFieldsInCollection[relation.collection]?.includes('*') === false &&
+                allowedFieldsInCollection[relation.collection]?.includes(relation.field) === false)) {
             fieldsAllowed = false;
         }
         if (relation.related_collection &&
             relation.meta?.one_field &&
-            (!fieldMap[relation.related_collection] ||
-                (fieldMap[relation.related_collection]?.includes('*') === false &&
-                    fieldMap[relation.related_collection]?.includes(relation.meta?.one_field) === false))) {
+            (!allowedFieldsInCollection[relation.related_collection] ||
+                (allowedFieldsInCollection[relation.related_collection]?.includes('*') === false &&
+                    allowedFieldsInCollection[relation.related_collection]?.includes(relation.meta?.one_field) === false))) {
             fieldsAllowed = false;
         }
         return collectionsAllowed && fieldsAllowed;

package/dist/utils/verify-session-jwt.js

@@ -12,7 +12,8 @@ export async function verifySessionJWT(payload) {
         .from('directus_sessions')
         .where({
         token: payload['session'],
-        user: payload['id'],
+        user: payload['id'] || null,
+        share: payload['share'] || null,
     })
         .andWhere('expires', '>=', new Date())
         .first();

package/dist/websocket/authenticate.d.ts

@@ -1,4 +1,6 @@
+import type { Accountability } from '@directus/types';
 import type { BasicAuthMessage } from './messages.js';
 import type { AuthenticationState } from './types.js';
 export declare function authenticateConnection(message: BasicAuthMessage & Record<string, any>): Promise<AuthenticationState>;
+export declare function refreshAccountability(accountability: Accountability | null | undefined): Promise<Accountability>;
 export declare function authenticationSuccess(uid?: string | number, refresh_token?: string): string;

package/dist/websocket/authenticate.js

@@ -1,6 +1,7 @@
 import { DEFAULT_AUTH_PROVIDER } from '../constants.js';
 import { AuthenticationService } from '../services/index.js';
 import { getAccountabilityForToken } from '../utils/get-accountability-for-token.js';
+import { getPermissions } from '../utils/get-permissions.js';
 import { getSchema } from '../utils/get-schema.js';
 import { WebSocketError } from './errors.js';
 import { getExpiresAtForToken } from './utils/get-expires-at-for-token.js';
@@ -32,6 +33,17 @@ export async function authenticateConnection(message) {
         throw new WebSocketError('auth', 'AUTH_FAILED', 'Authentication failed.', message['uid']);
     }
 }
+export async function refreshAccountability(accountability) {
+    accountability = accountability ?? {
+        role: null,
+        user: null,
+        admin: false,
+        app: false,
+    };
+    const schema = await getSchema();
+    const permissions = await getPermissions(accountability, schema);
+    return { ...accountability, permissions };
+}
 export function authenticationSuccess(uid, refresh_token) {
     const message = {
         type: 'auth',

package/dist/websocket/controllers/base.d.ts

@@ -32,7 +32,7 @@ export default abstract class SocketController {
     protected getRateLimiter(): RateLimiterAbstract | null;
     private catchInvalidMessages;
     protected handleUpgrade(request: IncomingMessage, socket: internal.Duplex, head: Buffer): Promise<void>;
-    protected handleTokenUpgrade({ request, socket, head }: UpgradeContext, token: string): Promise<void>;
+    protected handleTokenUpgrade({ request, socket, head }: UpgradeContext, token: string | null): Promise<void>;
     protected handleHandshakeUpgrade({ request, socket, head }: UpgradeContext): Promise<void>;
     createClient(ws: WebSocket, { accountability, expires_at }: AuthenticationState): WebSocketClient;
     protected parseMessage(data: string): WebSocketMessage;

package/dist/websocket/controllers/base.js

@@ -101,13 +101,14 @@ export default class SocketController {
         const cookies = request.headers.cookie ? cookie.parse(request.headers.cookie) : {};
         const context = { request, socket, head };
         const sessionCookieName = env['SESSION_COOKIE_NAME'];
-        if (cookies[sessionCookieName]) {
-            const token = cookies[sessionCookieName];
-            await this.handleTokenUpgrade(context, token);
-            return;
-        }
-        if (this.authentication.mode === 'strict') {
-            const token = query['access_token'];
+        if (this.authentication.mode === 'strict' || query['access_token'] || cookies[sessionCookieName]) {
+            let token = null;
+            if (typeof query['access_token'] === 'string') {
+                token = query['access_token'];
+            }
+            else if (typeof cookies[sessionCookieName] === 'string') {
+                token = cookies[sessionCookieName] ?? null;
+            }
             await this.handleTokenUpgrade(context, token);
             return;
         }
@@ -122,16 +123,19 @@ export default class SocketController {
         });
     }
     async handleTokenUpgrade({ request, socket, head }, token) {
-        let accountability, expires_at;
-        try {
-            accountability = await getAccountabilityForToken(token);
-            expires_at = getExpiresAtForToken(token);
-        }
-        catch {
-            accountability = null;
-            expires_at = null;
+        let accountability = null;
+        let expires_at = null;
+        if (token) {
+            try {
+                accountability = await getAccountabilityForToken(token);
+                expires_at = getExpiresAtForToken(token);
+            }
+            catch {
+                accountability = null;
+                expires_at = null;
+            }
         }
-        if (!accountability || !accountability.user) {
+        if (!token || !accountability || !accountability.user) {
             logger.debug('WebSocket upgrade denied - ' + JSON.stringify(accountability || 'invalid'));
             socket.write('HTTP/1.1 401 Unauthorized\r\n\r\n');
             socket.destroy();

package/dist/websocket/controllers/graphql.js

@@ -4,7 +4,7 @@ import { useLogger } from '../../logger.js';
 import { bindPubSub } from '../../services/graphql/subscription.js';
 import { GraphQLService } from '../../services/index.js';
 import { getSchema } from '../../utils/get-schema.js';
-import { authenticateConnection } from '../authenticate.js';
+import { authenticateConnection, refreshAccountability } from '../authenticate.js';
 import { handleWebSocketError } from '../errors.js';
 import { ConnectionParams, WebSocketMessage } from '../messages.js';
 import { getMessageType } from '../utils/message.js';
@@ -64,6 +64,9 @@ export class GraphQLSubscriptionController extends SocketController {
                             client.close(CloseCode.Forbidden, 'Forbidden');
                             return;
                         }
+                        else {
+                            client.accountability = await refreshAccountability(client.accountability);
+                        }
                         await cb(JSON.stringify(message));
                     }
                     catch (error) {

package/dist/websocket/controllers/hooks.js

@@ -7,23 +7,19 @@ export function registerWebSocketEvents() {
     actionsRegistered = true;
     registerActionHooks([
         'items',
-        'access',
         'activity',
         'collections',
         'dashboards',
-        'flows',
         'folders',
         'notifications',
         'operations',
         'panels',
         'permissions',
-        'policies',
         'presets',
         'revisions',
         'roles',
         'settings',
         'shares',
-        'translations',
         'users',
         'versions',
         'webhooks',

package/dist/websocket/controllers/rest.js

@@ -2,6 +2,7 @@ import { useEnv } from '@directus/env';
 import { parseJSON } from '@directus/utils';
 import emitter from '../../emitter.js';
 import { useLogger } from '../../logger.js';
+import { refreshAccountability } from '../authenticate.js';
 import { WebSocketError, handleWebSocketError } from '../errors.js';
 import { WebSocketMessage } from '../messages.js';
 import SocketController from './base.js';
@@ -19,6 +20,7 @@ export class WebSocketController extends SocketController {
         client.on('parsed-message', async (message) => {
             try {
                 message = WebSocketMessage.parse(await emitter.emitFilter('websocket.message', message, { client }));
+                client.accountability = await refreshAccountability(client.accountability);
                 emitter.emitAction('websocket.message', { message, client });
             }
             catch (error) {

package/dist/websocket/handlers/subscribe.js

@@ -4,6 +4,7 @@ import { useBus } from '../../bus/index.js';
 import emitter from '../../emitter.js';
 import { getSchema } from '../../utils/get-schema.js';
 import { sanitizeQuery } from '../../utils/sanitize-query.js';
+import { refreshAccountability } from '../authenticate.js';
 import { WebSocketError, handleWebSocketError } from '../errors.js';
 import { WebSocketSubscribeMessage } from '../messages.js';
 import { getPayload } from '../utils/items.js';
@@ -111,6 +112,7 @@ export class SubscribeHandler {
                     continue;
             }
             try {
+                client.accountability = await refreshAccountability(client.accountability);
                 const result = await getPayload(subscription, client.accountability, schema, event);
                 if (Array.isArray(result?.['data']) && result?.['data']?.length === 0)
                     continue;

package/dist/websocket/utils/items.d.ts

@@ -39,5 +39,5 @@ export declare function getFieldsPayload(subscription: PSubscription, accountabi
  * @param event Event data
  * @returns the fetched data
  */
-export declare function getItemsPayload(subscription: PSubscription, accountability: Accountability | null, schema: SchemaOverview, event?: WebSocketEvent): Promise<string | number | (string | number)[] | import("@directus/types").Item | import("@directus/types").Item[]>;
+export declare function getItemsPayload(subscription: PSubscription, accountability: Accountability | null, schema: SchemaOverview, event?: WebSocketEvent): Promise<string | number | import("@directus/types").Item | (string | number)[] | import("@directus/types").Item[]>;
 export {};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@directus/api",
-  "version": "20.0.0-rc.1",
+  "version": "20.1.0",
   "description": "Directus is a real-time API and App dashboard for managing SQL database content",
   "keywords": [
     "directus",
@@ -59,11 +59,14 @@
   ],
   "dependencies": {
     "@authenio/samlify-node-xmllint": "2.0.0",
-    "@aws-sdk/client-ses": "3.568.0",
+    "@aws-sdk/client-ses": "3.600.0",
     "@godaddy/terminus": "4.12.1",
     "@rollup/plugin-alias": "5.1.0",
     "@rollup/plugin-node-resolve": "15.2.3",
     "@rollup/plugin-virtual": "3.0.2",
+    "@tus/file-store": "1.3.3",
+    "@tus/server": "1.6.0",
+    "@tus/utils": "0.2.0",
     "@types/cookie": "0.6.0",
     "argon2": "0.40.3",
     "async": "3.2.5",
@@ -91,16 +94,16 @@
     "flat": "6.0.1",
     "fs-extra": "11.2.0",
     "glob-to-regexp": "0.4.1",
-    "graphql": "16.8.2",
+    "graphql": "16.9.0",
     "graphql-compose": "9.0.11",
     "graphql-ws": "5.16.0",
     "helmet": "7.1.0",
     "icc": "3.0.0",
-    "inquirer": "9.2.23",
+    "inquirer": "9.3.2",
     "ioredis": "5.4.1",
     "ip-matching": "2.1.2",
     "isolated-vm": "4.7.2",
-    "joi": "17.13.1",
+    "joi": "17.13.3",
     "js-yaml": "4.1.0",
     "js2xmlparser": "5.0.0",
     "json2csv": "5.0.7",
@@ -108,7 +111,7 @@
     "keyv": "4.5.4",
     "knex": "3.1.0",
     "ldapjs": "2.3.3",
-    "liquidjs": "10.13.1",
+    "liquidjs": "10.14.0",
     "lodash-es": "4.17.21",
     "marked": "12.0.2",
     "micromustache": "8.0.3",
@@ -132,7 +135,7 @@
     "pino-http": "9.0.0",
     "pino-http-print": "3.1.0",
     "pino-pretty": "11.2.1",
-    "qs": "6.12.1",
+    "qs": "6.12.2",
     "rate-limiter-flexible": "5.0.3",
     "rollup": "4.17.2",
     "samlify": "2.8.10",
@@ -140,35 +143,35 @@
     "sharp": "0.33.4",
     "snappy": "7.2.2",
     "stream-json": "1.8.0",
-    "tar": "7.2.0",
+    "tar": "7.4.0",
     "tsx": "4.12.0",
     "wellknown": "0.5.0",
-    "ws": "8.17.0",
+    "ws": "8.18.0",
     "zod": "3.23.8",
     "zod-validation-error": "3.3.0",
-    "@directus/app": "13.0.0-rc.1",
-    "@directus/constants": "11.1.0-rc.0",
-    "@directus/errors": "0.4.0-rc.0",
-    "@directus/env": "1.1.7-rc.0",
-    "@directus/extensions-sdk": "11.0.9-rc.0",
-    "@directus/extensions-registry": "1.0.9-rc.0",
-    "@directus/extensions": "2.0.0-rc.0",
+    "@directus/app": "12.2.1",
+    "@directus/constants": "11.0.4",
+    "@directus/env": "1.3.0",
+    "@directus/extensions": "1.0.9",
+    "@directus/extensions-registry": "1.0.9",
     "@directus/format-title": "10.1.2",
-    "@directus/memory": "1.1.0-rc.0",
-    "@directus/pressure": "1.0.21-rc.0",
+    "@directus/errors": "0.3.3",
+    "@directus/memory": "1.0.10",
+    "@directus/extensions-sdk": "11.0.9",
+    "@directus/pressure": "1.0.21",
     "@directus/schema": "11.0.3",
     "@directus/specs": "10.2.10",
-    "@directus/storage-driver-azure": "10.0.23-rc.0",
-    "@directus/storage": "10.0.13",
-    "@directus/storage-driver-cloudinary": "10.0.23-rc.0",
-    "@directus/storage-driver-gcs": "10.0.24-rc.0",
-    "@directus/storage-driver-local": "10.0.20",
-    "@directus/storage-driver-supabase": "1.0.15-rc.0",
-    "@directus/system-data": "2.0.0-rc.0",
-    "@directus/storage-driver-s3": "10.0.24-rc.0",
-    "@directus/utils": "12.0.0-rc.0",
-    "@directus/validation": "0.0.18-rc.0",
-    "directus": "11.0.0-rc.2"
+    "@directus/storage-driver-azure": "10.0.23",
+    "@directus/storage": "10.1.0",
+    "@directus/storage-driver-cloudinary": "10.0.23",
+    "@directus/storage-driver-gcs": "10.0.24",
+    "@directus/storage-driver-local": "10.1.0",
+    "@directus/storage-driver-s3": "10.1.0",
+    "@directus/storage-driver-supabase": "1.0.15",
+    "@directus/system-data": "1.1.0",
+    "@directus/utils": "11.0.10",
+    "@directus/validation": "0.0.18",
+    "directus": "10.13.1"
   },
   "devDependencies": {
     "@ngneat/falso": "7.2.0",
@@ -182,7 +185,7 @@
     "@types/destroy": "1.0.3",
     "@types/encodeurl": "1.0.2",
     "@types/express": "4.17.21",
-    "@types/express-serve-static-core": "4.19.3",
+    "@types/express-serve-static-core": "4.19.5",
     "@types/fs-extra": "11.0.4",
     "@types/glob-to-regexp": "0.4.4",
     "@types/inquirer": "9.0.7",
@@ -209,17 +212,17 @@
     "knex-mock-client": "2.0.1",
     "typescript": "5.4.5",
     "vitest": "1.5.3",
+    "@directus/tsconfig": "1.0.1",
     "@directus/random": "0.2.8",
-    "@directus/types": "12.0.0-rc.0",
-    "@directus/tsconfig": "1.0.1"
+    "@directus/types": "11.2.0"
   },
   "optionalDependencies": {
-    "@keyv/redis": "2.8.4",
-    "mysql2": "3.10.0",
+    "@keyv/redis": "2.8.5",
+    "mysql": "2.18.1",
     "nodemailer-mailgun-transport": "2.1.5",
     "nodemailer-sendgrid": "1.0.3",
     "oracledb": "6.5.1",
-    "pg": "8.11.5",
+    "pg": "8.12.0",
     "sqlite3": "5.1.7",
     "tedious": "18.2.0"
   },
@@ -230,7 +233,6 @@
     "build": "tsc --project tsconfig.prod.json && copyfiles \"src/**/*.{yaml,liquid}\" -u 1 dist",
     "cli": "NODE_ENV=development SERVE_APP=false tsx src/cli/run.ts",
     "dev": "NODE_ENV=development SERVE_APP=true tsx watch --ignore extensions --clear-screen=false src/start.ts",
-    "test": "vitest run",
-    "test:watch": "vitest"
+    "test": "vitest --watch=false"
   }
 }