@directus/api 20.0.0 → 21.0.0-rc.0

package/dist/services/roles.js

@@ -1,441 +1,51 @@
-import { InvalidPayloadError, UnprocessableContentError } from '@directus/errors';
-import { getMatch } from 'ip-matching';
-import { omit } from 'lodash-es';
-import { checkIncreasedUserLimits } from '../telemetry/utils/check-increased-user-limits.js';
-import { getRoleCountsByUsers } from '../telemetry/utils/get-role-counts-by-users.js';
-import {} from '../telemetry/utils/get-user-count.js';
-import { getUserCountsByRoles } from '../telemetry/utils/get-user-counts-by-roles.js';
-import { shouldCheckUserLimits } from '../telemetry/utils/should-check-user-limits.js';
-import { shouldClearCache } from '../utils/should-clear-cache.js';
+import { InvalidPayloadError } from '@directus/errors';
+import { clearSystemCache } from '../cache.js';
+import { fetchRolesTree } from '../permissions/lib/fetch-roles-tree.js';
 import { transaction } from '../utils/transaction.js';
+import { UserIntegrityCheckFlag } from '../utils/validate-user-count-integrity.js';
 import { ItemsService } from './items.js';
-import { PermissionsService } from './permissions/index.js';
+import { AccessService } from './access.js';
 import { PresetsService } from './presets.js';
 import { UsersService } from './users.js';
 export class RolesService extends ItemsService {
     constructor(options) {
         super('directus_roles', options);
     }
-    async checkForOtherAdminRoles(excludeKeys) {
-        // Make sure there's at least one admin role left after this deletion is done
-        const otherAdminRoles = await this.knex
-            .count('*', { as: 'count' })
-            .from('directus_roles')
-            .whereNotIn('id', excludeKeys)
-            .andWhere({ admin_access: true })
-            .first();
-        const otherAdminRolesCount = Number(otherAdminRoles?.count ?? 0);
-        if (otherAdminRolesCount === 0) {
-            throw new UnprocessableContentError({ reason: `You can't delete the last admin role` });
-        }
-    }
-    async checkForOtherAdminUsers(key, users) {
-        const role = await this.knex.select('admin_access').from('directus_roles').where('id', '=', key).first();
-        // No-op if role doesn't exist
-        if (!role)
-            return;
-        const usersBefore = (await this.knex.select('id').from('directus_users').where('role', '=', key)).map((user) => user.id);
-        const usersAdded = [];
-        const usersUpdated = [];
-        const usersCreated = [];
-        const usersRemoved = [];
-        if (Array.isArray(users)) {
-            const usersKept = [];
-            for (const user of users) {
-                if (typeof user === 'string') {
-                    if (usersBefore.includes(user)) {
-                        usersKept.push(user);
-                    }
-                    else {
-                        usersAdded.push({ id: user });
-                    }
-                }
-                else if (user.id) {
-                    if (usersBefore.includes(user.id)) {
-                        usersKept.push(user.id);
-                        usersUpdated.push(user);
-                    }
-                    else {
-                        usersAdded.push(user);
-                    }
-                }
-                else {
-                    usersCreated.push(user);
-                }
-            }
-            usersRemoved.push(...usersBefore.filter((user) => !usersKept.includes(user)));
-        }
-        else {
-            for (const user of users.update) {
-                if (usersBefore.includes(user['id'])) {
-                    usersUpdated.push(user);
-                }
-                else {
-                    usersAdded.push(user);
-                }
-            }
-            usersCreated.push(...users.create);
-            usersRemoved.push(...users.delete);
-        }
-        if (role.admin_access === false || role.admin_access === 0) {
-            // Admin users might have moved in from other role, thus becoming non-admin
-            if (usersAdded.length > 0) {
-                const otherAdminUsers = await this.knex
-                    .count('*', { as: 'count' })
-                    .from('directus_users')
-                    .leftJoin('directus_roles', 'directus_users.role', 'directus_roles.id')
-                    .whereNotIn('directus_users.id', usersAdded.map((user) => user.id))
-                    .andWhere({ 'directus_roles.admin_access': true, status: 'active' })
-                    .first();
-                const otherAdminUsersCount = Number(otherAdminUsers?.count ?? 0);
-                if (otherAdminUsersCount === 0) {
-                    throw new UnprocessableContentError({ reason: `You can't remove the last admin user from the admin role` });
-                }
-            }
-            return;
-        }
-        // Only added or created new users
-        if (usersUpdated.length === 0 && usersRemoved.length === 0)
-            return;
-        // Active admin user(s) about to be created
-        if (usersCreated.some((user) => !('status' in user) || user.status === 'active'))
-            return;
-        const usersDeactivated = [...usersAdded, ...usersUpdated]
-            .filter((user) => 'status' in user && user.status !== 'active')
-            .map((user) => user.id);
-        const usersAddedNonDeactivated = usersAdded
-            .filter((user) => !usersDeactivated.includes(user.id))
-            .map((user) => user.id);
-        // Active user(s) about to become admin
-        if (usersAddedNonDeactivated.length > 0) {
-            const userCount = await this.knex
-                .count('*', { as: 'count' })
-                .from('directus_users')
-                .whereIn('id', usersAddedNonDeactivated)
-                .andWhere({ status: 'active' })
-                .first();
-            if (Number(userCount?.count ?? 0) > 0) {
-                return;
-            }
-        }
-        const otherAdminUsers = await this.knex
-            .count('*', { as: 'count' })
-            .from('directus_users')
-            .leftJoin('directus_roles', 'directus_users.role', 'directus_roles.id')
-            .whereNotIn('directus_users.id', [...usersDeactivated, ...usersRemoved])
-            .andWhere({ 'directus_roles.admin_access': true, status: 'active' })
-            .first();
-        const otherAdminUsersCount = Number(otherAdminUsers?.count ?? 0);
-        if (otherAdminUsersCount === 0) {
-            throw new UnprocessableContentError({ reason: `You can't remove the last admin user from the admin role` });
-        }
-        return;
-    }
-    isIpAccessValid(value) {
-        if (value === undefined)
-            return false;
-        if (value === null)
-            return true;
-        if (Array.isArray(value) && value.length === 0)
-            return true;
-        for (const ip of value) {
-            if (typeof ip !== 'string' || ip.includes('*'))
-                return false;
-            try {
-                const match = getMatch(ip);
-                if (match.type == 'IPMask')
-                    return false;
-            }
-            catch {
-                return false;
-            }
-        }
-        return true;
-    }
-    assertValidIpAccess(partialItem) {
-        if ('ip_access' in partialItem && !this.isIpAccessValid(partialItem['ip_access'])) {
-            throw new InvalidPayloadError({
-                reason: 'IP Access contains an incorrect value. Valid values are: IP addresses, IP ranges and CIDR blocks',
-            });
-        }
-    }
-    getRoleAccessType(data) {
-        if ('admin_access' in data && data['admin_access'] === true) {
-            return 'admin';
-        }
-        else if (('app_access' in data && data['app_access'] === true) || 'app_access' in data === false) {
-            return 'app';
-        }
-        else {
-            return 'api';
-        }
+    // No need to check user integrity in createOne, as the creation of a role itself does not influence the number of
+    // users, as the role of a user is actually updated in the UsersService on the user, which will make sure to
+    // initiate a user integrity check if necessary. Same goes for role nesting check as well as cache clearing.
+    async updateMany(keys, data, opts = {}) {
+        if ('parent' in data) {
+            // If the parent of a role changed we need to make a full integrity check.
+            // Anything related to policies will be checked in the AccessService, where the policies are attached to roles
+            opts.userIntegrityCheckFlags = UserIntegrityCheckFlag.All;
+            opts.onRequireUserIntegrityCheck?.(opts.userIntegrityCheckFlags);
+            await this.validateRoleNesting(keys, data['parent']);
+        }
+        const result = await super.updateMany(keys, data, opts);
+        // Only clear the permissions cache if the parent role has changed
+        // If anything policies related has changed, the cache will be cleared in the AccessService as well
+        if ('parent' in data) {
+            await this.clearCaches();
+        }
+        return result;
     }
-    async createOne(data, opts) {
-        this.assertValidIpAccess(data);
-        if (shouldCheckUserLimits()) {
-            const increasedCounts = {
-                admin: 0,
-                app: 0,
-                api: 0,
-            };
-            const existingIds = [];
-            if ('users' in data) {
-                const type = this.getRoleAccessType(data);
-                increasedCounts[type] += data['users'].length;
-                for (const user of data['users']) {
-                    if (typeof user === 'string') {
-                        existingIds.push(user);
-                    }
-                    else if (typeof user === 'object' && 'id' in user) {
-                        existingIds.push(user['id']);
-                    }
-                }
-            }
-            await checkIncreasedUserLimits(this.knex, increasedCounts, existingIds);
-        }
-        return super.createOne(data, opts);
-    }
-    async createMany(data, opts) {
-        const needsUserLimitCheck = shouldCheckUserLimits();
-        const increasedCounts = {
-            admin: 0,
-            app: 0,
-            api: 0,
-        };
-        const existingIds = [];
-        for (const partialItem of data) {
-            this.assertValidIpAccess(partialItem);
-            if (needsUserLimitCheck && 'users' in partialItem) {
-                const type = this.getRoleAccessType(partialItem);
-                increasedCounts[type] += partialItem['users'].length;
-                for (const user of partialItem['users']) {
-                    if (typeof user === 'string') {
-                        existingIds.push(user);
-                    }
-                    else if (typeof user === 'object' && 'id' in user) {
-                        existingIds.push(user['id']);
-                    }
-                }
-            }
-        }
-        if (needsUserLimitCheck) {
-            await checkIncreasedUserLimits(this.knex, increasedCounts, existingIds);
-        }
-        return super.createMany(data, opts);
-    }
-    async updateOne(key, data, opts) {
-        this.assertValidIpAccess(data);
-        try {
-            if ('users' in data) {
-                await this.checkForOtherAdminUsers(key, data['users']);
-            }
-            if (shouldCheckUserLimits()) {
-                const increasedCounts = {
-                    admin: 0,
-                    app: 0,
-                    api: 0,
-                };
-                let increasedUsers = 0;
-                const existingIds = [];
-                let existingRole = await this.knex
-                    .count('directus_users.id', { as: 'count' })
-                    .select('directus_roles.admin_access', 'directus_roles.app_access')
-                    .from('directus_users')
-                    .where('directus_roles.id', '=', key)
-                    .andWhere('directus_users.status', '=', 'active')
-                    .leftJoin('directus_roles', 'directus_users.role', '=', 'directus_roles.id')
-                    .groupBy('directus_roles.admin_access', 'directus_roles.app_access')
-                    .first();
-                if (!existingRole) {
-                    try {
-                        const role = (await this.knex
-                            .select('admin_access', 'app_access')
-                            .from('directus_roles')
-                            .where('id', '=', key)
-                            .first()) ?? { admin_access: null, app_access: null };
-                        existingRole = { count: 0, ...role };
-                    }
-                    catch {
-                        existingRole = { count: 0, admin_access: null, app_access: null };
-                    }
-                }
-                if ('users' in data) {
-                    const users = data['users'];
-                    if (Array.isArray(users)) {
-                        increasedUsers = users.length - Number(existingRole.count);
-                        for (const user of users) {
-                            if (typeof user === 'string') {
-                                existingIds.push(user);
-                            }
-                            else if (typeof user === 'object' && 'id' in user) {
-                                existingIds.push(user['id']);
-                            }
-                        }
-                    }
-                    else {
-                        increasedUsers += users.create.length;
-                        increasedUsers -= users.delete.length;
-                        const userIds = [];
-                        for (const user of users.update) {
-                            if ('status' in user) {
-                                // account for users being activated and deactivated
-                                if (user['status'] === 'active') {
-                                    increasedUsers++;
-                                }
-                                else {
-                                    increasedUsers--;
-                                }
-                            }
-                            userIds.push(user.id);
-                        }
-                        try {
-                            const existingCounts = await getRoleCountsByUsers(this.knex, userIds);
-                            if (existingRole.admin_access) {
-                                increasedUsers += existingCounts.app + existingCounts.api;
-                            }
-                            else if (existingRole.app_access) {
-                                increasedUsers += existingCounts.admin + existingCounts.api;
-                            }
-                            else {
-                                increasedUsers += existingCounts.admin + existingCounts.app;
-                            }
-                        }
-                        catch {
-                            // ignore failed user call
-                        }
-                    }
-                }
-                let isAccessChanged = false;
-                let accessType = 'api';
-                if ('app_access' in data) {
-                    if (data['app_access'] === true) {
-                        accessType = 'app';
-                        if (!existingRole.app_access)
-                            isAccessChanged = true;
-                    }
-                    else if (existingRole.app_access) {
-                        isAccessChanged = true;
-                    }
-                }
-                else if (existingRole.app_access) {
-                    accessType = 'app';
-                }
-                if ('admin_access' in data) {
-                    if (data['admin_access'] === true) {
-                        accessType = 'admin';
-                        if (!existingRole.admin_access)
-                            isAccessChanged = true;
-                    }
-                    else if (existingRole.admin_access) {
-                        isAccessChanged = true;
-                    }
-                }
-                else if (existingRole.admin_access) {
-                    accessType = 'admin';
-                }
-                if (isAccessChanged) {
-                    increasedCounts[accessType] += Number(existingRole.count);
-                }
-                increasedCounts[accessType] += increasedUsers;
-                await checkIncreasedUserLimits(this.knex, increasedCounts, existingIds);
-            }
-        }
-        catch (err) {
-            (opts || (opts = {})).preMutationError = err;
-        }
-        return super.updateOne(key, data, opts);
-    }
-    async updateBatch(data, opts = {}) {
-        for (const partialItem of data) {
-            this.assertValidIpAccess(partialItem);
-        }
-        const primaryKeyField = this.schema.collections[this.collection].primary;
-        if (!opts.mutationTracker) {
-            opts.mutationTracker = this.createMutationTracker();
-        }
-        const keys = [];
-        try {
-            await transaction(this.knex, async (trx) => {
-                const service = new RolesService({
-                    accountability: this.accountability,
-                    knex: trx,
-                    schema: this.schema,
-                });
-                for (const item of data) {
-                    const combinedOpts = Object.assign({ autoPurgeCache: false }, opts);
-                    keys.push(await service.updateOne(item[primaryKeyField], omit(item, primaryKeyField), combinedOpts));
-                }
-            });
-        }
-        finally {
-            if (shouldClearCache(this.cache, opts, this.collection)) {
-                await this.cache.clear();
-            }
-        }
-        return keys;
-    }
-    async updateMany(keys, data, opts) {
-        this.assertValidIpAccess(data);
-        try {
-            if ('admin_access' in data && data['admin_access'] === false) {
-                await this.checkForOtherAdminRoles(keys);
-            }
-            if (shouldCheckUserLimits() && ('admin_access' in data || 'app_access' in data)) {
-                const existingCounts = await getUserCountsByRoles(this.knex, keys);
-                const increasedCounts = {
-                    admin: 0,
-                    app: 0,
-                    api: 0,
-                };
-                const type = this.getRoleAccessType(data);
-                for (const [existingType, existingCount] of Object.entries(existingCounts)) {
-                    if (existingType === type)
-                        continue;
-                    increasedCounts[type] += existingCount;
-                }
-                await checkIncreasedUserLimits(this.knex, increasedCounts);
-            }
-        }
-        catch (err) {
-            (opts || (opts = {})).preMutationError = err;
-        }
-        return super.updateMany(keys, data, opts);
-    }
-    async updateByQuery(query, data, opts) {
-        this.assertValidIpAccess(data);
-        return super.updateByQuery(query, data, opts);
-    }
-    async deleteMany(keys) {
-        const opts = {};
-        try {
-            await this.checkForOtherAdminRoles(keys);
-        }
-        catch (err) {
-            opts.preMutationError = err;
-        }
+    async deleteMany(keys, opts = {}) {
+        opts.userIntegrityCheckFlags = UserIntegrityCheckFlag.All;
+        opts.onRequireUserIntegrityCheck?.(opts.userIntegrityCheckFlags);
         await transaction(this.knex, async (trx) => {
-            const itemsService = new ItemsService('directus_roles', {
-                knex: trx,
-                accountability: this.accountability,
-                schema: this.schema,
-            });
-            const permissionsService = new PermissionsService({
+            const options = {
                 knex: trx,
                 accountability: this.accountability,
                 schema: this.schema,
-            });
-            const presetsService = new PresetsService({
-                knex: trx,
-                accountability: this.accountability,
-                schema: this.schema,
-            });
-            const usersService = new UsersService({
-                knex: trx,
-                accountability: this.accountability,
-                schema: this.schema,
-            });
+            };
+            const itemsService = new ItemsService('directus_roles', options);
+            const rolesService = new RolesService(options);
+            const accessService = new AccessService(options);
+            const presetsService = new PresetsService(options);
+            const usersService = new UsersService(options);
             // Delete permissions/presets for this role, suspend all remaining users in role
-            await permissionsService.deleteByQuery({
+            await accessService.deleteByQuery({
                 filter: { role: { _in: keys } },
             }, { ...opts, bypassLimits: true });
             await presetsService.deleteByQuery({
@@ -447,8 +57,31 @@ export class RolesService extends ItemsService {
                 status: 'suspended',
                 role: null,
             }, { ...opts, bypassLimits: true });
+            // If the about to be deleted roles are the parent of other roles set those parents to null
+            // Use a newly created RolesService here that works within the current transaction
+            await rolesService.updateByQuery({
+                filter: { parent: { _in: keys } },
+            }, { parent: null });
             await itemsService.deleteMany(keys, opts);
         });
+        // Since nested roles could be updated, clear caches
+        await this.clearCaches();
         return keys;
     }
+    async validateRoleNesting(ids, parent) {
+        if (ids.includes(parent)) {
+            throw new InvalidPayloadError({ reason: 'A role cannot be a parent of itself' });
+        }
+        const roles = await fetchRolesTree(parent, this.knex);
+        if (ids.some((id) => roles.includes(id))) {
+            // The role tree up from the parent already includes this role, so it would create a circular reference
+            throw new InvalidPayloadError({ reason: 'A role cannot have a parent that is already a descendant of itself' });
+        }
+    }
+    async clearCaches(opts) {
+        await clearSystemCache({ autoPurgeCache: opts?.autoPurgeCache });
+        if (this.cache && opts?.autoPurgeCache !== false) {
+            await this.cache.clear();
+        }
+    }
 }

package/dist/services/server.js

@@ -6,7 +6,7 @@ import { Readable } from 'node:stream';
 import { performance } from 'perf_hooks';
 import { getCache } from '../cache.js';
 import getDatabase, { hasDatabaseConnection } from '../database/index.js';
-import { useLogger } from '../logger.js';
+import { useLogger } from '../logger/index.js';
 import getMailer from '../mailer.js';
 import { rateLimiterGlobal } from '../middleware/rate-limiter-global.js';
 import { rateLimiter } from '../middleware/rate-limiter-ip.js';

package/dist/services/shares.d.ts

@@ -1,9 +1,7 @@
 import type { Item, PrimaryKey } from '@directus/types';
 import type { AbstractServiceOptions, LoginResult, MutationOptions } from '../types/index.js';
-import { AuthorizationService } from './authorization.js';
 import { ItemsService } from './items.js';
 export declare class SharesService extends ItemsService {
-    authorizationService: AuthorizationService;
     constructor(options: AbstractServiceOptions);
     createOne(data: Partial<Item>, opts?: MutationOptions): Promise<PrimaryKey>;
     login(payload: Record<string, any>, options?: Partial<{

package/dist/services/shares.js

@@ -2,30 +2,34 @@ import { useEnv } from '@directus/env';
 import { ForbiddenError, InvalidCredentialsError } from '@directus/errors';
 import argon2 from 'argon2';
 import jwt from 'jsonwebtoken';
-import { useLogger } from '../logger.js';
+import { useLogger } from '../logger/index.js';
+import { validateAccess } from '../permissions/modules/validate-access/validate-access.js';
 import { getMilliseconds } from '../utils/get-milliseconds.js';
 import { getSecret } from '../utils/get-secret.js';
 import { md } from '../utils/md.js';
 import { Url } from '../utils/url.js';
 import { userName } from '../utils/user-name.js';
-import { AuthorizationService } from './authorization.js';
 import { ItemsService } from './items.js';
 import { MailService } from './mail/index.js';
 import { UsersService } from './users.js';
 const env = useEnv();
 const logger = useLogger();
 export class SharesService extends ItemsService {
-    authorizationService;
     constructor(options) {
         super('directus_shares', options);
-        this.authorizationService = new AuthorizationService({
-            accountability: this.accountability,
-            knex: this.knex,
-            schema: this.schema,
-        });
     }
     async createOne(data, opts) {
-        await this.authorizationService.checkAccess('share', data['collection'], data['item']);
+        if (this.accountability) {
+            await validateAccess({
+                accountability: this.accountability,
+                action: 'share',
+                collection: data['collection'],
+                primaryKeys: [data['item']],
+            }, {
+                schema: this.schema,
+                knex: this.knex,
+            });
+        }
         return super.createOne(data, opts);
     }
     async login(payload, options) {

package/dist/services/specifications.d.ts

@@ -9,7 +9,7 @@ export declare class SpecificationService {
     schema: SchemaOverview;
     oas: OASSpecsService;
     graphql: GraphQLSpecsService;
-    constructor({ accountability, knex, schema }: AbstractServiceOptions);
+    constructor(options: AbstractServiceOptions);
 }
 interface SpecificationSubService {
     generate: (_?: any) => Promise<any>;
@@ -18,7 +18,7 @@ declare class OASSpecsService implements SpecificationSubService {
     accountability: Accountability | null;
     knex: Knex;
     schema: SchemaOverview;
-    constructor({ knex, schema, accountability }: AbstractServiceOptions);
+    constructor(options: AbstractServiceOptions);
     generate(host?: string): Promise<OpenAPIObject>;
     private generateTags;
     private generatePaths;