@directus/api 20.0.0 → 21.0.0-rc.0

package/dist/telemetry/lib/get-report.js

@@ -2,11 +2,11 @@ import { useEnv } from '@directus/env';
 import { version } from 'directus/version';
 import { getHelpers } from '../../database/helpers/index.js';
 import { getDatabase, getDatabaseClient } from '../../database/index.js';
+import { fetchUserCount } from '../../utils/fetch-user-count/fetch-user-count.js';
 import { getExtensionCount } from '../utils/get-extension-count.js';
 import { getFieldCount } from '../utils/get-field-count.js';
 import { getFilesizeSum } from '../utils/get-filesize-sum.js';
 import { getItemCount } from '../utils/get-item-count.js';
-import { getUserCount } from '../utils/get-user-count.js';
 import { getUserItemCount } from '../utils/get-user-item-count.js';
 const basicCountTasks = [
     { collection: 'directus_dashboards' },
@@ -27,7 +27,7 @@ export const getReport = async () => {
     const helpers = getHelpers(db);
     const [basicCounts, userCounts, userItemCount, fieldsCounts, extensionsCounts, databaseSize, filesizes] = await Promise.all([
         getItemCount(db, basicCountTasks),
-        getUserCount(db),
+        fetchUserCount({ knex: db }),
         getUserItemCount(db),
         getFieldCount(db),
         getExtensionCount(db),

package/dist/telemetry/lib/track.js

@@ -1,6 +1,6 @@
 import { getNodeEnv } from '@directus/utils/node';
 import { setTimeout } from 'timers/promises';
-import { useLogger } from '../../logger.js';
+import { useLogger } from '../../logger/index.js';
 import { getRandomWaitTime } from '../utils/get-random-wait-time.js';
 import { getReport } from './get-report.js';
 import { sendReport } from './send-report.js';

package/dist/telemetry/utils/check-user-limits.d.ts

@@ -0,0 +1,5 @@
+import { type UserCount } from '../../utils/fetch-user-count/fetch-user-count.js';
+/**
+ * Ensure that user limits are not reached
+ */
+export declare function checkUserLimits(userCounts: UserCount): Promise<void>;

package/dist/telemetry/utils/check-user-limits.js

@@ -0,0 +1,19 @@
+import { useEnv } from '@directus/env';
+import { LimitExceededError } from '@directus/errors';
+import {} from '../../utils/fetch-user-count/fetch-user-count.js';
+const env = useEnv();
+/**
+ * Ensure that user limits are not reached
+ */
+export async function checkUserLimits(userCounts) {
+    if (userCounts.admin > Number(env['USERS_ADMIN_ACCESS_LIMIT'])) {
+        throw new LimitExceededError({ category: 'Active Admin users' });
+    }
+    // Both app and admin users count against the app access limit
+    if (userCounts.app + userCounts.admin > Number(env['USERS_APP_ACCESS_LIMIT'])) {
+        throw new LimitExceededError({ category: 'Active App users' });
+    }
+    if (userCounts.api > Number(env['USERS_API_ACCESS_LIMIT'])) {
+        throw new LimitExceededError({ category: 'Active API users' });
+    }
+}

package/dist/types/ast.d.ts

@@ -1,4 +1,4 @@
-import type { Query, Relation } from '@directus/types';
+import type { Filter, Query, Relation } from '@directus/types';
 export type M2ONode = {
     type: 'm2o';
     name: string;
@@ -8,6 +8,14 @@ export type M2ONode = {
     relation: Relation;
     parentKey: string;
     relatedKey: string;
+    /**
+     * Which permission cases have to be met on the current item for this field to return a value
+     */
+    whenCase: number[];
+    /**
+     * Permissions rules for the item access of the children of this item.
+     */
+    cases: Filter[];
 };
 export type A2MNode = {
     type: 'a2o';
@@ -24,6 +32,16 @@ export type A2MNode = {
     fieldKey: string;
     relation: Relation;
     parentKey: string;
+    /**
+     * Which permission cases have to be met on the current item for this field to return a value
+     */
+    whenCase: number[];
+    /**
+     * Permissions rules for the item access of the children of this item.
+     */
+    cases: {
+        [collection: string]: Filter[];
+    };
 };
 export type O2MNode = {
     type: 'o2m';
@@ -34,12 +52,24 @@ export type O2MNode = {
     relation: Relation;
     parentKey: string;
     relatedKey: string;
+    /**
+     * Which permission cases have to be met on the current item for this field to return a value
+     */
+    whenCase: number[];
+    /**
+     * Permissions rules for the item access of the children of this item.
+     */
+    cases: Filter[];
 };
 export type NestedCollectionNode = M2ONode | O2MNode | A2MNode;
 export type FieldNode = {
     type: 'field';
     name: string;
     fieldKey: string;
+    /**
+     * Which permission cases have to be met on the current item for this field to return a value
+     */
+    whenCase: number[];
 };
 export type FunctionFieldNode = {
     type: 'functionField';
@@ -47,10 +77,22 @@ export type FunctionFieldNode = {
     fieldKey: string;
     query: Query;
     relatedCollection: string;
+    /**
+     * Which permission cases have to be met on the current item for this field to return a value
+     */
+    whenCase: number[];
+    /**
+     * Permissions rules for the item access of the related collection of this item.
+     */
+    cases: Filter[];
 };
 export type AST = {
     type: 'root';
     name: string;
     children: (NestedCollectionNode | FieldNode | FunctionFieldNode)[];
     query: Query;
+    /**
+     * Permissions rules for the item access of the children of this item.
+     */
+    cases: Filter[];
 };

package/dist/types/items.d.ts

@@ -1,6 +1,7 @@
 import type { DirectusError } from '@directus/errors';
 import type { EventContext, PrimaryKey } from '@directus/types';
 import type { MutationTracker } from '../services/items.js';
+import type { UserIntegrityCheckFlag } from '../utils/validate-user-count-integrity.js';
 export type MutationOptions = {
     /**
      * Callback function that's fired whenever a revision is made in the mutation
@@ -33,6 +34,16 @@ export type MutationOptions = {
     mutationTracker?: MutationTracker | undefined;
     preMutationError?: DirectusError | undefined;
     bypassAutoIncrementSequenceReset?: boolean;
+    /**
+     * Indicate that the top level mutation needs to perform a user integrity check before commiting the transaction
+     * This is a combination of flags
+     * @see UserIntegrityCheckFlag
+     */
+    userIntegrityCheckFlags?: UserIntegrityCheckFlag;
+    /**
+     * Callback function that is called whenever a mutation requires a user integrity check to be made
+     */
+    onRequireUserIntegrityCheck?: ((flags: UserIntegrityCheckFlag) => void) | undefined;
 };
 export type ActionEventParams = {
     event: string | string[];

package/dist/utils/apply-diff.js

@@ -4,7 +4,7 @@ import { flushCaches } from '../cache.js';
 import { getHelpers } from '../database/helpers/index.js';
 import getDatabase from '../database/index.js';
 import emitter from '../emitter.js';
-import { useLogger } from '../logger.js';
+import { useLogger } from '../logger/index.js';
 import { CollectionsService } from '../services/collections.js';
 import { FieldsService } from '../services/fields.js';
 import { RelationsService } from '../services/relations.js';

package/dist/utils/apply-query.d.ts

@@ -5,7 +5,7 @@ export declare const generateAlias: (size?: number | undefined) => string;
 /**
  * Apply the Query to a given Knex query builder instance
  */
-export default function applyQuery(knex: Knex, collection: string, dbQuery: Knex.QueryBuilder, query: Query, schema: SchemaOverview, options?: {
+export default function applyQuery(knex: Knex, collection: string, dbQuery: Knex.QueryBuilder, query: Query, schema: SchemaOverview, cases: Filter[], options?: {
     aliasMap?: AliasMap;
     isInnerQuery?: boolean;
     hasMultiRelationalSort?: boolean | undefined;
@@ -32,10 +32,11 @@ export declare function applySort(knex: Knex, schema: SchemaOverview, rootQuery:
 };
 export declare function applyLimit(knex: Knex, rootQuery: Knex.QueryBuilder, limit: any): void;
 export declare function applyOffset(knex: Knex, rootQuery: Knex.QueryBuilder, offset: any): void;
-export declare function applyFilter(knex: Knex, schema: SchemaOverview, rootQuery: Knex.QueryBuilder, rootFilter: Filter, collection: string, aliasMap: AliasMap): {
+export declare function applyFilter(knex: Knex, schema: SchemaOverview, rootQuery: Knex.QueryBuilder, rootFilter: Filter, collection: string, aliasMap: AliasMap, cases: Filter[]): {
     query: Knex.QueryBuilder<any, any>;
     hasJoins: boolean;
     hasMultiRelationalFilter: boolean;
 };
-export declare function applySearch(knex: Knex, schema: SchemaOverview, dbQuery: Knex.QueryBuilder, searchQuery: string, collection: string): Promise<void>;
+export declare function applySearch(knex: Knex, schema: SchemaOverview, dbQuery: Knex.QueryBuilder, searchQuery: string, collection: string): void;
 export declare function applyAggregate(schema: SchemaOverview, dbQuery: Knex.QueryBuilder, aggregate: Aggregate, collection: string, hasJoins: boolean): void;
+export declare function joinFilterWithCases(filter: Filter | null | undefined, cases: Filter[]): Filter | null;

package/dist/utils/apply-query.js

@@ -14,7 +14,7 @@ export const generateAlias = customAlphabet('abcdefghijklmnopqrstuvwxyz', 5);
 /**
  * Apply the Query to a given Knex query builder instance
  */
-export default function applyQuery(knex, collection, dbQuery, query, schema, options) {
+export default function applyQuery(knex, collection, dbQuery, query, schema, cases, options) {
     const aliasMap = options?.aliasMap ?? Object.create(null);
     let hasJoins = false;
     let hasMultiRelationalFilter = false;
@@ -37,8 +37,14 @@ export default function applyQuery(knex, collection, dbQuery, query, schema, opt
     if (query.group) {
         dbQuery.groupBy(query.group.map((column) => getColumn(knex, collection, column, false, schema)));
     }
-    if (query.filter) {
-        const filterResult = applyFilter(knex, schema, dbQuery, query.filter, collection, aliasMap);
+    // `cases` are the permissions cases that are required for the current data set. We're
+    // dynamically adding those into the filters that the user provided to enforce the permission
+    // rules. You should be able to read an item if one or more of the cases matches. The actual case
+    // is reused in the column selection case/when to dynamically return or nullify the field values
+    // you're actually allowed to read
+    const filter = joinFilterWithCases(query.filter, cases);
+    if (filter) {
+        const filterResult = applyFilter(knex, schema, dbQuery, filter, collection, aliasMap, cases);
         if (!hasJoins) {
             hasJoins = filterResult.hasJoins;
         }
@@ -226,7 +232,7 @@ export function applyOffset(knex, rootQuery, offset) {
         getHelpers(knex).schema.applyOffset(rootQuery, offset);
     }
 }
-export function applyFilter(knex, schema, rootQuery, rootFilter, collection, aliasMap) {
+export function applyFilter(knex, schema, rootQuery, rootFilter, collection, aliasMap, cases) {
     const helpers = getHelpers(knex);
     const relations = schema.relations;
     let hasJoins = false;
@@ -235,12 +241,23 @@ export function applyFilter(knex, schema, rootQuery, rootFilter, collection, ali
     addWhereClauses(knex, rootQuery, rootFilter, collection);
     return { query: rootQuery, hasJoins, hasMultiRelationalFilter };
     function addJoins(dbQuery, filter, collection) {
-        for (const [key, value] of Object.entries(filter)) {
+        // eslint-disable-next-line prefer-const
+        for (let [key, value] of Object.entries(filter)) {
             if (key === '_or' || key === '_and') {
                 // If the _or array contains an empty object (full permissions), we should short-circuit and ignore all other
                 // permission checks, as {} already matches full permissions.
                 if (key === '_or' && value.some((subFilter) => Object.keys(subFilter).length === 0)) {
-                    continue;
+                    // But only do so, if the value is not equal to `cases` (since then this is not permission related at all)
+                    // or the length of value is 1, ie. only the empty filter.
+                    // If the length is more than one it means that some items (and fields) might now be available, so
+                    // the joins are required for the case/when construction.
+                    if (value !== cases || value.length === 1) {
+                        continue;
+                    }
+                    else {
+                        // Otherwise we can at least filter out all empty filters that would not add joins anyway
+                        value = value.filter((subFilter) => Object.keys(subFilter).length > 0);
+                    }
                 }
                 value.forEach((subFilter) => {
                     addJoins(dbQuery, subFilter, collection);
@@ -311,7 +328,7 @@ export function applyFilter(knex, schema, rootQuery, rootFilter, collection, ali
                             .select({ [field]: column })
                             .from(collection)
                             .whereNotNull(column);
-                        applyQuery(knex, relation.collection, subQueryKnex, { filter }, schema);
+                        applyQuery(knex, relation.collection, subQueryKnex, { filter }, schema, cases);
                     };
                     const childKey = Object.keys(value)?.[0];
                     if (childKey === '_none') {
@@ -551,7 +568,7 @@ export function applyFilter(knex, schema, rootQuery, rootFilter, collection, ali
         }
     }
 }
-export async function applySearch(knex, schema, dbQuery, searchQuery, collection) {
+export function applySearch(knex, schema, dbQuery, searchQuery, collection) {
     const { number: numberHelper } = getHelpers(knex);
     const fields = Object.entries(schema.collections[collection].fields);
     dbQuery.andWhere(function () {
@@ -627,6 +644,18 @@ export function applyAggregate(schema, dbQuery, aggregate, collection, hasJoins)
         }
     }
 }
+export function joinFilterWithCases(filter, cases) {
+    if (cases.length > 0 && !filter) {
+        return { _or: cases };
+    }
+    else if (filter && cases.length === 0) {
+        return filter ?? null;
+    }
+    else if (filter && cases.length > 0) {
+        return { _and: [filter, { _or: cases }] };
+    }
+    return null;
+}
 function getFilterPath(key, value) {
     const path = [key];
     const childKey = Object.keys(value)[0];

package/dist/utils/delete-from-require-cache.js

@@ -1,5 +1,5 @@
 import { createRequire } from 'node:module';
-import { useLogger } from '../logger.js';
+import { useLogger } from '../logger/index.js';
 const require = createRequire(import.meta.url);
 export function deleteFromRequireCache(modulePath) {
     const logger = useLogger();

package/dist/utils/fetch-user-count/fetch-access-lookup.d.ts

@@ -0,0 +1,17 @@
+import type { PrimaryKey } from '@directus/types';
+import type { Knex } from 'knex';
+export interface AccessLookup {
+    role: string | null;
+    user: string | null;
+    app_access: boolean | number;
+    admin_access: boolean | number;
+}
+export interface FetchAccessLookupOptions {
+    excludeAccessRows?: PrimaryKey[];
+    excludePolicies?: PrimaryKey[];
+    excludeUsers?: PrimaryKey[];
+    excludeRoles?: PrimaryKey[];
+    adminOnly?: boolean;
+    knex: Knex;
+}
+export declare function fetchAccessLookup(options: FetchAccessLookupOptions): Promise<AccessLookup[]>;

package/dist/utils/fetch-user-count/fetch-access-lookup.js

@@ -0,0 +1,22 @@
+export async function fetchAccessLookup(options) {
+    let query = options.knex
+        .select('directus_access.role', 'directus_access.user', 'directus_policies.app_access', 'directus_policies.admin_access')
+        .from('directus_access')
+        .leftJoin('directus_policies', 'directus_access.policy', 'directus_policies.id');
+    if (options.excludeAccessRows && options.excludeAccessRows.length > 0) {
+        query = query.whereNotIn('directus_access.id', options.excludeAccessRows);
+    }
+    if (options.excludePolicies && options.excludePolicies.length > 0) {
+        query = query.whereNotIn('directus_access.policy', options.excludePolicies);
+    }
+    if (options.excludeUsers && options.excludeUsers.length > 0) {
+        query = query.where((q) => q.whereNotIn('directus_access.user', options.excludeUsers).orWhereNull('directus_access.user'));
+    }
+    if (options.excludeRoles && options.excludeRoles.length > 0) {
+        query = query.where((q) => q.whereNotIn('directus_access.role', options.excludeRoles).orWhereNull('directus_access.role'));
+    }
+    if (options.adminOnly) {
+        query = query.where('directus_policies.admin_access', 1);
+    }
+    return query;
+}

package/dist/utils/fetch-user-count/fetch-access-roles.d.ts

@@ -0,0 +1,16 @@
+import type { PrimaryKey } from '@directus/types';
+import type { Knex } from 'knex';
+export interface FetchAccessRolesOptions {
+    adminRoles: Set<string>;
+    appRoles: Set<string>;
+    excludeRoles?: PrimaryKey[];
+}
+/**
+ * Return a set of roles that allow app or admin access, if itself or any of its parents do
+ */
+export declare function fetchAccessRoles(options: FetchAccessRolesOptions, context: {
+    knex: Knex;
+}): Promise<{
+    adminRoles: Set<string>;
+    appRoles: Set<string>;
+}>;

package/dist/utils/fetch-user-count/fetch-access-roles.js

@@ -0,0 +1,37 @@
+/**
+ * Return a set of roles that allow app or admin access, if itself or any of its parents do
+ */
+export async function fetchAccessRoles(options, context) {
+    // Only fetch the roles that have a parent, as otherwise those roles should already be included in at least one of the input set
+    const allChildRoles = await context.knex
+        .select('id', 'parent')
+        .from('directus_roles')
+        .whereNotNull('parent')
+        .whereNotIn('id', options.excludeRoles ?? []);
+    const adminRoles = new Set(options.adminRoles);
+    const appRoles = new Set(options.appRoles);
+    const remainingRoles = new Set(allChildRoles);
+    let hasChanged = remainingRoles.size > 0;
+    // This loop accounts for the undefined order in which the roles are returned, as there is the possibility
+    // of a role parent not being in the set of roles yet, so we need to iterate over the roles multiple times
+    // until no further roles are added to the sets
+    while (hasChanged) {
+        hasChanged = false;
+        for (const role of remainingRoles) {
+            if (adminRoles.has(role.parent)) {
+                adminRoles.add(role.id);
+                remainingRoles.delete(role);
+                hasChanged = true;
+            }
+            if (appRoles.has(role.parent)) {
+                appRoles.add(role.id);
+                remainingRoles.delete(role);
+                hasChanged = true;
+            }
+        }
+    }
+    return {
+        adminRoles,
+        appRoles,
+    };
+}

package/dist/utils/fetch-user-count/fetch-active-users.d.ts

@@ -0,0 +1,6 @@
+import type { Knex } from 'knex';
+export interface ActiveUser {
+    id: string;
+    role: string | null;
+}
+export declare function fetchActiveUsers(knex: Knex): Promise<ActiveUser[]>;

package/dist/utils/fetch-user-count/fetch-active-users.js

@@ -0,0 +1,3 @@
+export async function fetchActiveUsers(knex) {
+    return await knex.select('id', 'role').from('directus_users').where('status', 'active');
+}

package/dist/utils/fetch-user-count/fetch-user-count.d.ts

@@ -0,0 +1,12 @@
+import { type FetchAccessLookupOptions } from './fetch-access-lookup.js';
+export interface FetchUserCountOptions extends FetchAccessLookupOptions {
+}
+export interface UserCount {
+    admin: number;
+    app: number;
+    api: number;
+}
+/**
+ * Returns counts of all active users in the system grouped by admin, app, and api access
+ */
+export declare function fetchUserCount(options: FetchUserCountOptions): Promise<UserCount>;

package/dist/utils/fetch-user-count/fetch-user-count.js

@@ -0,0 +1,57 @@
+import { toBoolean } from '@directus/utils';
+import { fetchAccessLookup } from './fetch-access-lookup.js';
+import { fetchAccessRoles } from './fetch-access-roles.js';
+import { getUserCountQuery } from './get-user-count-query.js';
+/**
+ * Returns counts of all active users in the system grouped by admin, app, and api access
+ */
+export async function fetchUserCount(options) {
+    const accessRows = await fetchAccessLookup(options);
+    const adminRoles = new Set(accessRows.filter((row) => toBoolean(row.admin_access) && row.role !== null).map((row) => row.role));
+    const appRoles = new Set(accessRows
+        .filter((row) => !toBoolean(row.admin_access) && toBoolean(row.app_access) && row.role !== null)
+        .map((row) => row.role));
+    // All users that are directly granted rights through a connected policy
+    const adminUsers = new Set(accessRows.filter((row) => toBoolean(row.admin_access) && row.user !== null).map((row) => row.user));
+    // Some roles might be granted access rights through nesting, so determine all roles that grant admin or app access,
+    // including nested roles
+    const { adminRoles: allAdminRoles, appRoles: allAppRoles } = await fetchAccessRoles({
+        adminRoles,
+        appRoles,
+        ...options,
+    }, { knex: options.knex });
+    // All users that are granted admin rights through a role, but not directly
+    const adminCountQuery = getUserCountQuery(options.knex, {
+        includeRoles: Array.from(allAdminRoles),
+        excludeIds: [...adminUsers, ...(options.excludeUsers ?? [])],
+    });
+    if (options.adminOnly) {
+        // Shortcut for only counting admin users
+        const adminResult = await adminCountQuery;
+        return {
+            admin: Number(adminResult?.['count'] ?? 0) + adminUsers.size,
+            app: 0,
+            api: 0,
+        };
+    }
+    const appUsers = new Set(accessRows
+        .filter((row) => !toBoolean(row.admin_access) && toBoolean(row.app_access) && row.user !== null)
+        .map((row) => row.user));
+    // All users that are granted app rights through a role, but not directly, and that aren't admin users
+    const appCountQuery = getUserCountQuery(options.knex, {
+        includeRoles: Array.from(allAppRoles),
+        excludeRoles: Array.from(allAdminRoles),
+        excludeIds: [...appUsers, ...adminUsers, ...(options.excludeUsers ?? [])],
+    });
+    const allCountQuery = getUserCountQuery(options.knex, {
+        excludeIds: options.excludeUsers ?? [],
+    });
+    const [adminResult, appResult, allResult] = await Promise.all([adminCountQuery, appCountQuery, allCountQuery]);
+    const adminCount = Number(adminResult?.['count'] ?? 0) + adminUsers.size;
+    const appCount = Number(appResult?.['count'] ?? 0) + appUsers.size;
+    return {
+        admin: adminCount,
+        app: appCount,
+        api: Number(allResult?.['count'] ?? 0) - adminCount - appCount,
+    };
+}

package/dist/utils/fetch-user-count/get-user-count-query.d.ts

@@ -0,0 +1,20 @@
+import type { PrimaryKey } from '@directus/types';
+import type { Knex } from 'knex';
+export interface GetUserCountOptions {
+    excludeIds?: PrimaryKey[];
+    excludeRoles?: PrimaryKey[];
+    includeRoles?: PrimaryKey[];
+}
+export declare function getUserCountQuery(knex: Knex, options: GetUserCountOptions): Promise<{
+    count: number;
+}> | Knex.QueryBuilder<any, {
+    _base: {};
+    _hasSelection: true;
+    _keys: never;
+    _aliases: {};
+    _single: false;
+    _intersectProps: {
+        count?: string | number;
+    };
+    _unionProps: undefined;
+}>;

package/dist/utils/fetch-user-count/get-user-count-query.js

@@ -0,0 +1,17 @@
+export function getUserCountQuery(knex, options) {
+    // Safety check for an empty list of includeRoles, which would otherwise return all users
+    if (options.includeRoles && options.includeRoles.length === 0) {
+        return Promise.resolve({ count: 0 });
+    }
+    let query = knex('directus_users').count({ count: '*' }).as('count').where('status', 'active');
+    if (options.excludeIds && options.excludeIds.length > 0) {
+        query = query.whereNotIn('id', options.excludeIds);
+    }
+    if (options.excludeRoles && options.excludeRoles.length > 0) {
+        query = query.whereNotIn('role', options.excludeRoles);
+    }
+    if (options.includeRoles && options.includeRoles.length > 0) {
+        query = query.whereIn('role', options.includeRoles);
+    }
+    return query.first();
+}

package/dist/utils/get-accountability-for-role.js

@@ -1,40 +1,31 @@
-import { getPermissions } from './get-permissions.js';
+import { fetchRolesTree } from '../permissions/lib/fetch-roles-tree.js';
+import { fetchGlobalAccess } from '../permissions/modules/fetch-global-access/fetch-global-access.js';
+import { createDefaultAccountability } from '../permissions/utils/create-default-accountability.js';
 export async function getAccountabilityForRole(role, context) {
-    let generatedAccountability = context.accountability;
+    let generatedAccountability;
     if (role === null) {
-        generatedAccountability = {
-            role: null,
-            user: null,
-            admin: false,
-            app: false,
-        };
-        generatedAccountability.permissions = await getPermissions(generatedAccountability, context.schema);
+        generatedAccountability = createDefaultAccountability();
     }
     else if (role === 'system') {
-        generatedAccountability = {
-            user: null,
-            role: null,
+        generatedAccountability = createDefaultAccountability({
             admin: true,
             app: true,
-            permissions: [],
-        };
+        });
     }
     else {
-        const roleInfo = await context.database
-            .select(['app_access', 'admin_access'])
-            .from('directus_roles')
-            .where({ id: role })
-            .first();
-        if (!roleInfo) {
+        const roles = await fetchRolesTree(role, context.database);
+        // The roles tree should always include the passed role. If it doesn't, it's because it
+        // couldn't be read from the database and therefore doesn't exist
+        if (roles.length === 0) {
             throw new Error(`Configured role "${role}" isn't a valid role ID or doesn't exist.`);
         }
-        generatedAccountability = {
+        const globalAccess = await fetchGlobalAccess({ user: null, roles, ip: context.accountability?.ip ?? null }, context.database);
+        generatedAccountability = createDefaultAccountability({
             role,
+            roles,
             user: null,
-            admin: roleInfo.admin_access === 1 || roleInfo.admin_access === '1' || roleInfo.admin_access === true,
-            app: roleInfo.app_access === 1 || roleInfo.app_access === '1' || roleInfo.app_access === true,
-        };
-        generatedAccountability.permissions = await getPermissions(generatedAccountability, context.schema);
+            ...globalAccess,
+        });
     }
     return generatedAccountability;
 }