@directus/api 20.0.0-rc.1 → 20.1.0

package/dist/services/roles.js

@@ -1,51 +1,441 @@
-import { InvalidPayloadError } from '@directus/errors';
-import { clearSystemCache } from '../cache.js';
-import { fetchRolesTree } from '../permissions/lib/fetch-roles-tree.js';
+import { InvalidPayloadError, UnprocessableContentError } from '@directus/errors';
+import { getMatch } from 'ip-matching';
+import { omit } from 'lodash-es';
+import { checkIncreasedUserLimits } from '../telemetry/utils/check-increased-user-limits.js';
+import { getRoleCountsByUsers } from '../telemetry/utils/get-role-counts-by-users.js';
+import {} from '../telemetry/utils/get-user-count.js';
+import { getUserCountsByRoles } from '../telemetry/utils/get-user-counts-by-roles.js';
+import { shouldCheckUserLimits } from '../telemetry/utils/should-check-user-limits.js';
+import { shouldClearCache } from '../utils/should-clear-cache.js';
 import { transaction } from '../utils/transaction.js';
-import { UserIntegrityCheckFlag } from '../utils/validate-user-count-integrity.js';
 import { ItemsService } from './items.js';
-import { AccessService } from './access.js';
+import { PermissionsService } from './permissions/index.js';
 import { PresetsService } from './presets.js';
 import { UsersService } from './users.js';
 export class RolesService extends ItemsService {
     constructor(options) {
         super('directus_roles', options);
     }
-    // No need to check user integrity in createOne, as the creation of a role itself does not influence the number of
-    // users, as the role of a user is actually updated in the UsersService on the user, which will make sure to
-    // initiate a user integrity check if necessary. Same goes for role nesting check as well as cache clearing.
-    async updateMany(keys, data, opts = {}) {
-        if ('parent' in data) {
-            // If the parent of a role changed we need to make a full integrity check.
-            // Anything related to policies will be checked in the AccessService, where the policies are attached to roles
-            opts.userIntegrityCheckFlags = UserIntegrityCheckFlag.All;
-            opts.onRequireUserIntegrityCheck?.(opts.userIntegrityCheckFlags);
-            await this.validateRoleNesting(keys, data['parent']);
-        }
-        const result = await super.updateMany(keys, data, opts);
-        // Only clear the permissions cache if the parent role has changed
-        // If anything policies related has changed, the cache will be cleared in the AccessService as well
-        if ('parent' in data) {
-            await this.clearCaches();
-        }
-        return result;
+    async checkForOtherAdminRoles(excludeKeys) {
+        // Make sure there's at least one admin role left after this deletion is done
+        const otherAdminRoles = await this.knex
+            .count('*', { as: 'count' })
+            .from('directus_roles')
+            .whereNotIn('id', excludeKeys)
+            .andWhere({ admin_access: true })
+            .first();
+        const otherAdminRolesCount = Number(otherAdminRoles?.count ?? 0);
+        if (otherAdminRolesCount === 0) {
+            throw new UnprocessableContentError({ reason: `You can't delete the last admin role` });
+        }
+    }
+    async checkForOtherAdminUsers(key, users) {
+        const role = await this.knex.select('admin_access').from('directus_roles').where('id', '=', key).first();
+        // No-op if role doesn't exist
+        if (!role)
+            return;
+        const usersBefore = (await this.knex.select('id').from('directus_users').where('role', '=', key)).map((user) => user.id);
+        const usersAdded = [];
+        const usersUpdated = [];
+        const usersCreated = [];
+        const usersRemoved = [];
+        if (Array.isArray(users)) {
+            const usersKept = [];
+            for (const user of users) {
+                if (typeof user === 'string') {
+                    if (usersBefore.includes(user)) {
+                        usersKept.push(user);
+                    }
+                    else {
+                        usersAdded.push({ id: user });
+                    }
+                }
+                else if (user.id) {
+                    if (usersBefore.includes(user.id)) {
+                        usersKept.push(user.id);
+                        usersUpdated.push(user);
+                    }
+                    else {
+                        usersAdded.push(user);
+                    }
+                }
+                else {
+                    usersCreated.push(user);
+                }
+            }
+            usersRemoved.push(...usersBefore.filter((user) => !usersKept.includes(user)));
+        }
+        else {
+            for (const user of users.update) {
+                if (usersBefore.includes(user['id'])) {
+                    usersUpdated.push(user);
+                }
+                else {
+                    usersAdded.push(user);
+                }
+            }
+            usersCreated.push(...users.create);
+            usersRemoved.push(...users.delete);
+        }
+        if (role.admin_access === false || role.admin_access === 0) {
+            // Admin users might have moved in from other role, thus becoming non-admin
+            if (usersAdded.length > 0) {
+                const otherAdminUsers = await this.knex
+                    .count('*', { as: 'count' })
+                    .from('directus_users')
+                    .leftJoin('directus_roles', 'directus_users.role', 'directus_roles.id')
+                    .whereNotIn('directus_users.id', usersAdded.map((user) => user.id))
+                    .andWhere({ 'directus_roles.admin_access': true, status: 'active' })
+                    .first();
+                const otherAdminUsersCount = Number(otherAdminUsers?.count ?? 0);
+                if (otherAdminUsersCount === 0) {
+                    throw new UnprocessableContentError({ reason: `You can't remove the last admin user from the admin role` });
+                }
+            }
+            return;
+        }
+        // Only added or created new users
+        if (usersUpdated.length === 0 && usersRemoved.length === 0)
+            return;
+        // Active admin user(s) about to be created
+        if (usersCreated.some((user) => !('status' in user) || user.status === 'active'))
+            return;
+        const usersDeactivated = [...usersAdded, ...usersUpdated]
+            .filter((user) => 'status' in user && user.status !== 'active')
+            .map((user) => user.id);
+        const usersAddedNonDeactivated = usersAdded
+            .filter((user) => !usersDeactivated.includes(user.id))
+            .map((user) => user.id);
+        // Active user(s) about to become admin
+        if (usersAddedNonDeactivated.length > 0) {
+            const userCount = await this.knex
+                .count('*', { as: 'count' })
+                .from('directus_users')
+                .whereIn('id', usersAddedNonDeactivated)
+                .andWhere({ status: 'active' })
+                .first();
+            if (Number(userCount?.count ?? 0) > 0) {
+                return;
+            }
+        }
+        const otherAdminUsers = await this.knex
+            .count('*', { as: 'count' })
+            .from('directus_users')
+            .leftJoin('directus_roles', 'directus_users.role', 'directus_roles.id')
+            .whereNotIn('directus_users.id', [...usersDeactivated, ...usersRemoved])
+            .andWhere({ 'directus_roles.admin_access': true, status: 'active' })
+            .first();
+        const otherAdminUsersCount = Number(otherAdminUsers?.count ?? 0);
+        if (otherAdminUsersCount === 0) {
+            throw new UnprocessableContentError({ reason: `You can't remove the last admin user from the admin role` });
+        }
+        return;
+    }
+    isIpAccessValid(value) {
+        if (value === undefined)
+            return false;
+        if (value === null)
+            return true;
+        if (Array.isArray(value) && value.length === 0)
+            return true;
+        for (const ip of value) {
+            if (typeof ip !== 'string' || ip.includes('*'))
+                return false;
+            try {
+                const match = getMatch(ip);
+                if (match.type == 'IPMask')
+                    return false;
+            }
+            catch {
+                return false;
+            }
+        }
+        return true;
+    }
+    assertValidIpAccess(partialItem) {
+        if ('ip_access' in partialItem && !this.isIpAccessValid(partialItem['ip_access'])) {
+            throw new InvalidPayloadError({
+                reason: 'IP Access contains an incorrect value. Valid values are: IP addresses, IP ranges and CIDR blocks',
+            });
+        }
+    }
+    getRoleAccessType(data) {
+        if ('admin_access' in data && data['admin_access'] === true) {
+            return 'admin';
+        }
+        else if (('app_access' in data && data['app_access'] === true) || 'app_access' in data === false) {
+            return 'app';
+        }
+        else {
+            return 'api';
+        }
     }
-    async deleteMany(keys, opts = {}) {
-        opts.userIntegrityCheckFlags = UserIntegrityCheckFlag.All;
-        opts.onRequireUserIntegrityCheck?.(opts.userIntegrityCheckFlags);
+    async createOne(data, opts) {
+        this.assertValidIpAccess(data);
+        if (shouldCheckUserLimits()) {
+            const increasedCounts = {
+                admin: 0,
+                app: 0,
+                api: 0,
+            };
+            const existingIds = [];
+            if ('users' in data) {
+                const type = this.getRoleAccessType(data);
+                increasedCounts[type] += data['users'].length;
+                for (const user of data['users']) {
+                    if (typeof user === 'string') {
+                        existingIds.push(user);
+                    }
+                    else if (typeof user === 'object' && 'id' in user) {
+                        existingIds.push(user['id']);
+                    }
+                }
+            }
+            await checkIncreasedUserLimits(this.knex, increasedCounts, existingIds);
+        }
+        return super.createOne(data, opts);
+    }
+    async createMany(data, opts) {
+        const needsUserLimitCheck = shouldCheckUserLimits();
+        const increasedCounts = {
+            admin: 0,
+            app: 0,
+            api: 0,
+        };
+        const existingIds = [];
+        for (const partialItem of data) {
+            this.assertValidIpAccess(partialItem);
+            if (needsUserLimitCheck && 'users' in partialItem) {
+                const type = this.getRoleAccessType(partialItem);
+                increasedCounts[type] += partialItem['users'].length;
+                for (const user of partialItem['users']) {
+                    if (typeof user === 'string') {
+                        existingIds.push(user);
+                    }
+                    else if (typeof user === 'object' && 'id' in user) {
+                        existingIds.push(user['id']);
+                    }
+                }
+            }
+        }
+        if (needsUserLimitCheck) {
+            await checkIncreasedUserLimits(this.knex, increasedCounts, existingIds);
+        }
+        return super.createMany(data, opts);
+    }
+    async updateOne(key, data, opts) {
+        this.assertValidIpAccess(data);
+        try {
+            if ('users' in data) {
+                await this.checkForOtherAdminUsers(key, data['users']);
+            }
+            if (shouldCheckUserLimits()) {
+                const increasedCounts = {
+                    admin: 0,
+                    app: 0,
+                    api: 0,
+                };
+                let increasedUsers = 0;
+                const existingIds = [];
+                let existingRole = await this.knex
+                    .count('directus_users.id', { as: 'count' })
+                    .select('directus_roles.admin_access', 'directus_roles.app_access')
+                    .from('directus_users')
+                    .where('directus_roles.id', '=', key)
+                    .andWhere('directus_users.status', '=', 'active')
+                    .leftJoin('directus_roles', 'directus_users.role', '=', 'directus_roles.id')
+                    .groupBy('directus_roles.admin_access', 'directus_roles.app_access')
+                    .first();
+                if (!existingRole) {
+                    try {
+                        const role = (await this.knex
+                            .select('admin_access', 'app_access')
+                            .from('directus_roles')
+                            .where('id', '=', key)
+                            .first()) ?? { admin_access: null, app_access: null };
+                        existingRole = { count: 0, ...role };
+                    }
+                    catch {
+                        existingRole = { count: 0, admin_access: null, app_access: null };
+                    }
+                }
+                if ('users' in data) {
+                    const users = data['users'];
+                    if (Array.isArray(users)) {
+                        increasedUsers = users.length - Number(existingRole.count);
+                        for (const user of users) {
+                            if (typeof user === 'string') {
+                                existingIds.push(user);
+                            }
+                            else if (typeof user === 'object' && 'id' in user) {
+                                existingIds.push(user['id']);
+                            }
+                        }
+                    }
+                    else {
+                        increasedUsers += users.create.length;
+                        increasedUsers -= users.delete.length;
+                        const userIds = [];
+                        for (const user of users.update) {
+                            if ('status' in user) {
+                                // account for users being activated and deactivated
+                                if (user['status'] === 'active') {
+                                    increasedUsers++;
+                                }
+                                else {
+                                    increasedUsers--;
+                                }
+                            }
+                            userIds.push(user.id);
+                        }
+                        try {
+                            const existingCounts = await getRoleCountsByUsers(this.knex, userIds);
+                            if (existingRole.admin_access) {
+                                increasedUsers += existingCounts.app + existingCounts.api;
+                            }
+                            else if (existingRole.app_access) {
+                                increasedUsers += existingCounts.admin + existingCounts.api;
+                            }
+                            else {
+                                increasedUsers += existingCounts.admin + existingCounts.app;
+                            }
+                        }
+                        catch {
+                            // ignore failed user call
+                        }
+                    }
+                }
+                let isAccessChanged = false;
+                let accessType = 'api';
+                if ('app_access' in data) {
+                    if (data['app_access'] === true) {
+                        accessType = 'app';
+                        if (!existingRole.app_access)
+                            isAccessChanged = true;
+                    }
+                    else if (existingRole.app_access) {
+                        isAccessChanged = true;
+                    }
+                }
+                else if (existingRole.app_access) {
+                    accessType = 'app';
+                }
+                if ('admin_access' in data) {
+                    if (data['admin_access'] === true) {
+                        accessType = 'admin';
+                        if (!existingRole.admin_access)
+                            isAccessChanged = true;
+                    }
+                    else if (existingRole.admin_access) {
+                        isAccessChanged = true;
+                    }
+                }
+                else if (existingRole.admin_access) {
+                    accessType = 'admin';
+                }
+                if (isAccessChanged) {
+                    increasedCounts[accessType] += Number(existingRole.count);
+                }
+                increasedCounts[accessType] += increasedUsers;
+                await checkIncreasedUserLimits(this.knex, increasedCounts, existingIds);
+            }
+        }
+        catch (err) {
+            (opts || (opts = {})).preMutationError = err;
+        }
+        return super.updateOne(key, data, opts);
+    }
+    async updateBatch(data, opts = {}) {
+        for (const partialItem of data) {
+            this.assertValidIpAccess(partialItem);
+        }
+        const primaryKeyField = this.schema.collections[this.collection].primary;
+        if (!opts.mutationTracker) {
+            opts.mutationTracker = this.createMutationTracker();
+        }
+        const keys = [];
+        try {
+            await transaction(this.knex, async (trx) => {
+                const service = new RolesService({
+                    accountability: this.accountability,
+                    knex: trx,
+                    schema: this.schema,
+                });
+                for (const item of data) {
+                    const combinedOpts = Object.assign({ autoPurgeCache: false }, opts);
+                    keys.push(await service.updateOne(item[primaryKeyField], omit(item, primaryKeyField), combinedOpts));
+                }
+            });
+        }
+        finally {
+            if (shouldClearCache(this.cache, opts, this.collection)) {
+                await this.cache.clear();
+            }
+        }
+        return keys;
+    }
+    async updateMany(keys, data, opts) {
+        this.assertValidIpAccess(data);
+        try {
+            if ('admin_access' in data && data['admin_access'] === false) {
+                await this.checkForOtherAdminRoles(keys);
+            }
+            if (shouldCheckUserLimits() && ('admin_access' in data || 'app_access' in data)) {
+                const existingCounts = await getUserCountsByRoles(this.knex, keys);
+                const increasedCounts = {
+                    admin: 0,
+                    app: 0,
+                    api: 0,
+                };
+                const type = this.getRoleAccessType(data);
+                for (const [existingType, existingCount] of Object.entries(existingCounts)) {
+                    if (existingType === type)
+                        continue;
+                    increasedCounts[type] += existingCount;
+                }
+                await checkIncreasedUserLimits(this.knex, increasedCounts);
+            }
+        }
+        catch (err) {
+            (opts || (opts = {})).preMutationError = err;
+        }
+        return super.updateMany(keys, data, opts);
+    }
+    async updateByQuery(query, data, opts) {
+        this.assertValidIpAccess(data);
+        return super.updateByQuery(query, data, opts);
+    }
+    async deleteMany(keys) {
+        const opts = {};
+        try {
+            await this.checkForOtherAdminRoles(keys);
+        }
+        catch (err) {
+            opts.preMutationError = err;
+        }
         await transaction(this.knex, async (trx) => {
-            const options = {
+            const itemsService = new ItemsService('directus_roles', {
                 knex: trx,
                 accountability: this.accountability,
                 schema: this.schema,
-            };
-            const itemsService = new ItemsService('directus_roles', options);
-            const rolesService = new RolesService(options);
-            const accessService = new AccessService(options);
-            const presetsService = new PresetsService(options);
-            const usersService = new UsersService(options);
+            });
+            const permissionsService = new PermissionsService({
+                knex: trx,
+                accountability: this.accountability,
+                schema: this.schema,
+            });
+            const presetsService = new PresetsService({
+                knex: trx,
+                accountability: this.accountability,
+                schema: this.schema,
+            });
+            const usersService = new UsersService({
+                knex: trx,
+                accountability: this.accountability,
+                schema: this.schema,
+            });
             // Delete permissions/presets for this role, suspend all remaining users in role
-            await accessService.deleteByQuery({
+            await permissionsService.deleteByQuery({
                 filter: { role: { _in: keys } },
             }, { ...opts, bypassLimits: true });
             await presetsService.deleteByQuery({
@@ -57,31 +447,8 @@ export class RolesService extends ItemsService {
                 status: 'suspended',
                 role: null,
             }, { ...opts, bypassLimits: true });
-            // If the about to be deleted roles are the parent of other roles set those parents to null
-            // Use a newly created RolesService here that works within the current transaction
-            await rolesService.updateByQuery({
-                filter: { parent: { _in: keys } },
-            }, { parent: null });
             await itemsService.deleteMany(keys, opts);
         });
-        // Since nested roles could be updated, clear caches
-        await this.clearCaches();
         return keys;
     }
-    async validateRoleNesting(ids, parent) {
-        if (ids.includes(parent)) {
-            throw new InvalidPayloadError({ reason: 'A role cannot be a parent of itself' });
-        }
-        const roles = await fetchRolesTree(parent, this.knex);
-        if (ids.some((id) => roles.includes(id))) {
-            // The role tree up from the parent already includes this role, so it would create a circular reference
-            throw new InvalidPayloadError({ reason: 'A role cannot have a parent that is already a descendant of itself' });
-        }
-    }
-    async clearCaches(opts) {
-        await clearSystemCache({ autoPurgeCache: opts?.autoPurgeCache });
-        if (this.cache && opts?.autoPurgeCache !== false) {
-            await this.cache.clear();
-        }
-    }
 }

package/dist/services/server.js

@@ -13,6 +13,7 @@ import { rateLimiter } from '../middleware/rate-limiter-ip.js';
 import { SERVER_ONLINE } from '../server.js';
 import { getStorage } from '../storage/index.js';
 import { SettingsService } from './settings.js';
+import { RESUMABLE_UPLOADS } from '../constants.js';
 const env = useEnv();
 const logger = useLogger();
 export class ServerService {
@@ -98,6 +99,11 @@ export class ServerService {
             else {
                 info['websocket'] = false;
             }
+            if (RESUMABLE_UPLOADS.ENABLED) {
+                info['uploads'] = {
+                    chunkSize: RESUMABLE_UPLOADS.CHUNK_SIZE,
+                };
+            }
             info['version'] = version;
         }
         return info;

package/dist/services/shares.d.ts

@@ -1,7 +1,9 @@
 import type { Item, PrimaryKey } from '@directus/types';
 import type { AbstractServiceOptions, LoginResult, MutationOptions } from '../types/index.js';
+import { AuthorizationService } from './authorization.js';
 import { ItemsService } from './items.js';
 export declare class SharesService extends ItemsService {
+    authorizationService: AuthorizationService;
     constructor(options: AbstractServiceOptions);
     createOne(data: Partial<Item>, opts?: MutationOptions): Promise<PrimaryKey>;
     login(payload: Record<string, any>, options?: Partial<{

package/dist/services/shares.js

@@ -3,33 +3,29 @@ import { ForbiddenError, InvalidCredentialsError } from '@directus/errors';
 import argon2 from 'argon2';
 import jwt from 'jsonwebtoken';
 import { useLogger } from '../logger.js';
-import { validateAccess } from '../permissions/modules/validate-access/validate-access.js';
 import { getMilliseconds } from '../utils/get-milliseconds.js';
 import { getSecret } from '../utils/get-secret.js';
 import { md } from '../utils/md.js';
 import { Url } from '../utils/url.js';
 import { userName } from '../utils/user-name.js';
+import { AuthorizationService } from './authorization.js';
 import { ItemsService } from './items.js';
 import { MailService } from './mail/index.js';
 import { UsersService } from './users.js';
 const env = useEnv();
 const logger = useLogger();
 export class SharesService extends ItemsService {
+    authorizationService;
     constructor(options) {
         super('directus_shares', options);
+        this.authorizationService = new AuthorizationService({
+            accountability: this.accountability,
+            knex: this.knex,
+            schema: this.schema,
+        });
     }
     async createOne(data, opts) {
-        if (this.accountability) {
-            await validateAccess({
-                accountability: this.accountability,
-                action: 'share',
-                collection: data['collection'],
-                primaryKeys: [data['item']],
-            }, {
-                schema: this.schema,
-                knex: this.knex,
-            });
-        }
+        await this.authorizationService.checkAccess('share', data['collection'], data['item']);
         return super.createOne(data, opts);
     }
     async login(payload, options) {

package/dist/services/specifications.d.ts

@@ -9,7 +9,7 @@ export declare class SpecificationService {
     schema: SchemaOverview;
     oas: OASSpecsService;
     graphql: GraphQLSpecsService;
-    constructor(options: AbstractServiceOptions);
+    constructor({ accountability, knex, schema }: AbstractServiceOptions);
 }
 interface SpecificationSubService {
     generate: (_?: any) => Promise<any>;
@@ -18,7 +18,7 @@ declare class OASSpecsService implements SpecificationSubService {
     accountability: Accountability | null;
     knex: Knex;
     schema: SchemaOverview;
-    constructor(options: AbstractServiceOptions);
+    constructor({ knex, schema, accountability }: AbstractServiceOptions);
     generate(host?: string): Promise<OpenAPIObject>;
     private generateTags;
     private generatePaths;