npm - @directus/api - Versions diffs - 20.0.0 → 21.0.0-rc.0 - Mend

@directus/api 20.0.0 → 21.0.0-rc.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (330) hide show

package/dist/permissions/types.d.ts ADDED Viewed

@@ -0,0 +1,6 @@
+import type { SchemaOverview } from '@directus/types';
+import type { Knex } from 'knex';
+export interface Context {
+    schema: SchemaOverview;
+    knex: Knex;
+}

package/dist/permissions/types.js ADDED Viewed

	@@ -0,0 +1 @@
1	+ export {};

package/dist/permissions/utils/create-default-accountability.d.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ import type { Accountability } from '@directus/types';
2	+ export declare function createDefaultAccountability(overrides?: Partial<Accountability>): Accountability;

package/dist/permissions/utils/create-default-accountability.js ADDED Viewed

@@ -0,0 +1,11 @@
+export function createDefaultAccountability(overrides) {
+    return {
+        role: null,
+        user: null,
+        roles: [],
+        admin: false,
+        app: false,
+        ip: null,
+        ...overrides,
+    };
+}

package/dist/permissions/utils/extract-required-dynamic-variable-context.d.ts ADDED Viewed

@@ -0,0 +1,8 @@
+import type { Permission } from '@directus/types';
+export interface RequiredPermissionContext {
+    $CURRENT_USER: Set<string>;
+    $CURRENT_ROLE: Set<string>;
+    $CURRENT_ROLES: Set<string>;
+    $CURRENT_POLICIES: Set<string>;
+}
+export declare function extractRequiredDynamicVariableContext(permissions: Permission[]): RequiredPermissionContext;

package/dist/permissions/utils/extract-required-dynamic-variable-context.js ADDED Viewed

@@ -0,0 +1,27 @@
+import { deepMap } from '@directus/utils';
+export function extractRequiredDynamicVariableContext(permissions) {
+    const permissionContext = {
+        $CURRENT_USER: new Set(),
+        $CURRENT_ROLE: new Set(),
+        $CURRENT_ROLES: new Set(),
+        $CURRENT_POLICIES: new Set(),
+    };
+    for (const permission of permissions) {
+        deepMap(permission.permissions, extractPermissionData);
+        deepMap(permission.validation, extractPermissionData);
+        deepMap(permission.presets, extractPermissionData);
+    }
+    return permissionContext;
+    function extractPermissionData(val) {
+        for (const placeholder of [
+            '$CURRENT_USER',
+            '$CURRENT_ROLE',
+            '$CURRENT_ROLES',
+            '$CURRENT_POLICIES',
+        ]) {
+            if (typeof val === 'string' && val.startsWith(`${placeholder}.`)) {
+                permissionContext[placeholder].add(val.replace(`${placeholder}.`, ''));
+            }
+        }
+    }
+}

package/dist/permissions/utils/fetch-dynamic-variable-context.d.ts ADDED Viewed

@@ -0,0 +1,9 @@
+import type { Accountability, Permission } from '@directus/types';
+import type { Context } from '../types.js';
+export declare const fetchDynamicVariableContext: typeof _fetchDynamicVariableContext;
+export interface FetchDynamicVariableContext {
+    accountability: Pick<Accountability, 'user' | 'role' | 'roles'>;
+    policies: string[];
+    permissions: Permission[];
+}
+export declare function _fetchDynamicVariableContext(options: FetchDynamicVariableContext, context: Context): Promise<Record<string, any>>;

package/dist/permissions/utils/fetch-dynamic-variable-context.js ADDED Viewed

@@ -0,0 +1,43 @@
+import { extractRequiredDynamicVariableContext } from './extract-required-dynamic-variable-context.js';
+import { withCache } from './with-cache.js';
+export const fetchDynamicVariableContext = withCache('permission-dynamic-variables', _fetchDynamicVariableContext, ({ policies, permissions, accountability: { user, role, roles } }) => ({
+    policies,
+    permissions,
+    accountability: {
+        user,
+        role,
+        roles,
+    },
+}));
+export async function _fetchDynamicVariableContext(options, context) {
+    const { UsersService } = await import('../../services/users.js');
+    const { RolesService } = await import('../../services/roles.js');
+    const { PoliciesService } = await import('../../services/policies.js');
+    const contextData = {};
+    const permissionContext = extractRequiredDynamicVariableContext(options.permissions);
+    if (options.accountability.user && (permissionContext.$CURRENT_USER?.size ?? 0) > 0) {
+        const usersService = new UsersService(context);
+        contextData['$CURRENT_USER'] = await usersService.readOne(options.accountability.user, {
+            fields: Array.from(permissionContext.$CURRENT_USER),
+        });
+    }
+    if (options.accountability.role && (permissionContext.$CURRENT_ROLE?.size ?? 0) > 0) {
+        const rolesService = new RolesService(context);
+        contextData['$CURRENT_ROLE'] = await rolesService.readOne(options.accountability.role, {
+            fields: Array.from(permissionContext.$CURRENT_ROLE),
+        });
+    }
+    if (options.accountability.roles.length > 0 && (permissionContext.$CURRENT_ROLES?.size ?? 0) > 0) {
+        const rolesService = new RolesService(context);
+        contextData['$CURRENT_ROLES'] = await rolesService.readMany(options.accountability.roles, {
+            fields: Array.from(permissionContext.$CURRENT_ROLES),
+        });
+    }
+    if (options.policies.length > 0 && (permissionContext.$CURRENT_POLICIES?.size ?? 0) > 0) {
+        const policiesService = new PoliciesService(context);
+        contextData['$CURRENT_POLICIES'] = await policiesService.readMany(options.policies, {
+            fields: Array.from(permissionContext.$CURRENT_POLICIES),
+        });
+    }
+    return contextData;
+}

package/dist/permissions/utils/filter-policies-by-ip.d.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ import type { AccessRow } from '../modules/process-ast/types.js';
2	+ export declare function filterPoliciesByIp(policies: AccessRow[], ip: string \| null \| undefined): AccessRow[];

package/dist/permissions/utils/filter-policies-by-ip.js ADDED Viewed

@@ -0,0 +1,15 @@
+import { ipInNetworks } from '../../utils/ip-in-networks.js';
+export function filterPoliciesByIp(policies, ip) {
+    return policies.filter(({ policy }) => {
+        // Keep policies that don't have an ip address allow list configured
+        if (!policy.ip_access || policy.ip_access.length === 0) {
+            return true;
+        }
+        // If the client's IP address is unknown, we can't validate it against the allow list and will
+        // have to default to the more secure option of preventing access
+        if (!ip) {
+            return false;
+        }
+        return ipInNetworks(ip, policy.ip_access);
+    });
+}

package/dist/permissions/utils/get-unaliased-field-key.d.ts ADDED Viewed

@@ -0,0 +1,5 @@
+import type { FieldNode, FunctionFieldNode, NestedCollectionNode } from '../../types/index.js';
+/**
+ * Derive the unaliased field key from the given AST node.
+ */
+export declare function getUnaliasedFieldKey(node: NestedCollectionNode | FieldNode | FunctionFieldNode): string;

package/dist/permissions/utils/get-unaliased-field-key.js ADDED Viewed

@@ -0,0 +1,17 @@
+import { parseFilterKey } from '../../utils/parse-filter-key.js';
+/**
+ * Derive the unaliased field key from the given AST node.
+ */
+export function getUnaliasedFieldKey(node) {
+    switch (node.type) {
+        case 'o2m':
+            return node.relation.meta.one_field;
+        case 'a2o':
+        case 'm2o':
+            return node.relation.field;
+        case 'field':
+        case 'functionField':
+            // The field name might still include a function, so process that here as well
+            return parseFilterKey(node.name).fieldName;
+    }
+}

package/dist/permissions/utils/process-permissions.d.ts ADDED Viewed

@@ -0,0 +1,7 @@
+import type { Accountability, Permission } from '@directus/types';
+export interface ProcessPermissionsOptions {
+    permissions: Permission[];
+    accountability: Pick<Accountability, 'user' | 'role' | 'roles'>;
+    permissionsContext: Record<string, any>;
+}
+export declare function processPermissions({ permissions, accountability, permissionsContext }: ProcessPermissionsOptions): Permission[];

package/dist/permissions/utils/process-permissions.js ADDED Viewed

@@ -0,0 +1,9 @@
+import { parseFilter, parsePreset } from '@directus/utils';
+export function processPermissions({ permissions, accountability, permissionsContext }) {
+    return permissions.map((permission) => {
+        permission.permissions = parseFilter(permission.permissions, accountability, permissionsContext);
+        permission.validation = parseFilter(permission.validation, accountability, permissionsContext);
+        permission.presets = parsePreset(permission.presets, accountability, permissionsContext);
+        return permission;
+    });
+}

package/dist/permissions/utils/with-cache.d.ts ADDED Viewed

@@ -0,0 +1,10 @@
+/**
+ * The `pick` parameter can be used to stabilize cache keys, by only using a subset of the available parameters and
+ * ensuring key order.
+ *
+ * If the `pick` function is provided, we pass the picked result to the handler, in order for TypeScript to ensure that
+ * the function only relies on the parameters that are used for generating the cache key.
+ *
+ * @NOTE only uses the first parameter for memoization
+ */
+export declare function withCache<F extends (arg0: Arg0, ...args: any[]) => R, R, Arg0 = Parameters<F>[0]>(namespace: string, handler: F, prepareArg?: (arg0: Arg0) => Arg0): F;

package/dist/permissions/utils/with-cache.js ADDED Viewed

@@ -0,0 +1,25 @@
+import { getSimpleHash } from '@directus/utils';
+import { useCache } from '../cache.js';
+/**
+ * The `pick` parameter can be used to stabilize cache keys, by only using a subset of the available parameters and
+ * ensuring key order.
+ *
+ * If the `pick` function is provided, we pass the picked result to the handler, in order for TypeScript to ensure that
+ * the function only relies on the parameters that are used for generating the cache key.
+ *
+ * @NOTE only uses the first parameter for memoization
+ */
+export function withCache(namespace, handler, prepareArg) {
+    const cache = useCache();
+    return (async (arg0, ...args) => {
+        arg0 = prepareArg ? prepareArg(arg0) : arg0;
+        const key = namespace + '-' + getSimpleHash(JSON.stringify(arg0));
+        const cached = await cache.get(key);
+        if (cached !== undefined) {
+            return cached;
+        }
+        const res = await handler(arg0, ...args);
+        cache.set(key, res);
+        return res;
+    });
+}

package/dist/request/is-denied-ip.js CHANGED Viewed

@@ -1,6 +1,6 @@
 import { useEnv } from '@directus/env';
 import os from 'node:os';
-import { useLogger } from '../logger.js';
+import { useLogger } from '../logger/index.js';
 import { ipInNetworks } from '../utils/ip-in-networks.js';
 export function isDeniedIp(ip) {
     const env = useEnv();

package/dist/server.js CHANGED Viewed

@@ -10,7 +10,7 @@ import url from 'url';
 import createApp from './app.js';
 import getDatabase from './database/index.js';
 import emitter from './emitter.js';
-import { useLogger } from './logger.js';
+import { useLogger } from './logger/index.js';
 import { getConfigFromEnv } from './utils/get-config-from-env.js';
 import { getIPFromReq } from './utils/get-ip-from-req.js';
 import { createSubscriptionController, createWebSocketController, getSubscriptionController, getWebSocketController, } from './websocket/controllers/index.js';

package/dist/services/access.d.ts ADDED Viewed

@@ -0,0 +1,10 @@
+import type { Item, PrimaryKey } from '@directus/types';
+import type { AbstractServiceOptions, MutationOptions } from '../types/index.js';
+import { ItemsService } from './items.js';
+export declare class AccessService extends ItemsService {
+    constructor(options: AbstractServiceOptions);
+    private clearCaches;
+    createOne(data: Partial<Item>, opts?: MutationOptions): Promise<PrimaryKey>;
+    updateMany(keys: PrimaryKey[], data: Partial<Item>, opts?: MutationOptions): Promise<PrimaryKey[]>;
+    deleteMany(keys: PrimaryKey[], opts?: MutationOptions): Promise<PrimaryKey[]>;
+}

package/dist/services/access.js ADDED Viewed

@@ -0,0 +1,43 @@
+import { clearSystemCache } from '../cache.js';
+import { UserIntegrityCheckFlag } from '../utils/validate-user-count-integrity.js';
+import { ItemsService } from './items.js';
+export class AccessService extends ItemsService {
+    constructor(options) {
+        super('directus_access', options);
+    }
+    async clearCaches(opts) {
+        await clearSystemCache({ autoPurgeCache: opts?.autoPurgeCache });
+        if (this.cache && opts?.autoPurgeCache !== false) {
+            await this.cache.clear();
+        }
+    }
+    async createOne(data, opts = {}) {
+        // Creating a new policy attachments affects the number of admin/app/api users.
+        // But it can only add app or admin users, so no need to check the remaining admin users.
+        opts.userIntegrityCheckFlags =
+            (opts.userIntegrityCheckFlags ?? UserIntegrityCheckFlag.None) | UserIntegrityCheckFlag.UserLimits;
+        opts.onRequireUserIntegrityCheck?.(opts.userIntegrityCheckFlags);
+        const result = await super.createOne(data, opts);
+        // A new policy has been attached to a user or a role, clear the caches
+        await this.clearCaches();
+        return result;
+    }
+    async updateMany(keys, data, opts = {}) {
+        // Updating policy attachments might affect the number of admin/app/api users
+        opts.userIntegrityCheckFlags = UserIntegrityCheckFlag.All;
+        opts.onRequireUserIntegrityCheck?.(opts.userIntegrityCheckFlags);
+        const result = await super.updateMany(keys, data, { ...opts, userIntegrityCheckFlags: UserIntegrityCheckFlag.All });
+        // Some policy attachments have been updated, clear the caches
+        await this.clearCaches();
+        return result;
+    }
+    async deleteMany(keys, opts = {}) {
+        // Changes here can affect the number of admin/app/api users
+        opts.userIntegrityCheckFlags = UserIntegrityCheckFlag.All;
+        opts.onRequireUserIntegrityCheck?.(opts.userIntegrityCheckFlags);
+        const result = await super.deleteMany(keys, opts);
+        // Some policy attachments have been deleted, clear the caches
+        await this.clearCaches();
+        return result;
+    }
+}

package/dist/services/activity.js CHANGED Viewed

@@ -2,12 +2,14 @@ import { Action } from '@directus/constants';
 import { useEnv } from '@directus/env';
 import { ErrorCode, isDirectusError } from '@directus/errors';
 import { uniq } from 'lodash-es';
-import { useLogger } from '../logger.js';
-import { getPermissions } from '../utils/get-permissions.js';
+import { useLogger } from '../logger/index.js';
+import { fetchRolesTree } from '../permissions/lib/fetch-roles-tree.js';
+import { fetchGlobalAccess } from '../permissions/modules/fetch-global-access/fetch-global-access.js';
+import { validateAccess } from '../permissions/modules/validate-access/validate-access.js';
+import { createDefaultAccountability } from '../permissions/utils/create-default-accountability.js';
 import { isValidUuid } from '../utils/is-valid-uuid.js';
 import { Url } from '../utils/url.js';
 import { userName } from '../utils/user-name.js';
-import { AuthorizationService } from './authorization.js';
 import { ItemsService } from './items.js';
 import { NotificationsService } from './notifications.js';
 import { UsersService } from './users.js';
@@ -31,19 +33,29 @@ export class ActivityService extends ItemsService {
             for (const mention of mentions) {
                 const userID = mention.substring(1);
                 const user = await this.usersService.readOne(userID, {
-                    fields: ['id', 'first_name', 'last_name', 'email', 'role.id', 'role.admin_access', 'role.app_access'],
+                    fields: ['id', 'first_name', 'last_name', 'email', 'role'],
                 });
-                const accountability = {
+                const roles = await fetchRolesTree(user['role'], this.knex);
+                const globalAccess = await fetchGlobalAccess({ user: user['id'], roles, ip: null }, this.knex);
+                const accountability = createDefaultAccountability({
                     user: userID,
                     role: user['role']?.id ?? null,
-                    admin: user['role']?.admin_access ?? null,
-                    app: user['role']?.app_access ?? null,
-                };
-                accountability.permissions = await getPermissions(accountability, this.schema);
-                const authorizationService = new AuthorizationService({ schema: this.schema, accountability });
+                    roles,
+                    ...globalAccess,
+                });
                 const usersService = new UsersService({ schema: this.schema, accountability });
                 try {
-                    await authorizationService.checkAccess('read', data['collection'], data['item']);
+                    if (this.accountability) {
+                        await validateAccess({
+                            accountability: this.accountability,
+                            action: 'read',
+                            collection: data['collection'],
+                            primaryKeys: [data['item']],
+                        }, {
+                            knex: this.knex,
+                            schema: this.schema,
+                        });
+                    }
                     const templateData = await usersService.readByQuery({
                         fields: ['id', 'first_name', 'last_name', 'email'],
                         filter: { id: { _in: mentions.map((mention) => mention.substring(1)) } },

package/dist/services/assets.d.ts CHANGED Viewed

@@ -1,15 +1,14 @@
 /// <reference types="node" resolution-mode="require"/>
 import type { Range, Stat } from '@directus/storage';
-import type { Accountability } from '@directus/types';
+import type { Accountability, SchemaOverview } from '@directus/types';
 import type { Knex } from 'knex';
 import type { Readable } from 'node:stream';
 import type { AbstractServiceOptions, TransformationSet } from '../types/index.js';
-import { AuthorizationService } from './authorization.js';
 import { FilesService } from './files.js';
 export declare class AssetsService {
     knex: Knex;
     accountability: Accountability | null;
-    authorizationService: AuthorizationService;
+    schema: SchemaOverview;
     filesService: FilesService;
     constructor(options: AbstractServiceOptions);
     getAsset(id: string, transformation?: TransformationSet, range?: Range): Promise<{

package/dist/services/assets.js CHANGED Viewed

@@ -7,25 +7,25 @@ import path from 'path';
 import sharp from 'sharp';
 import { SUPPORTED_IMAGE_TRANSFORM_FORMATS } from '../constants.js';
 import getDatabase from '../database/index.js';
-import { useLogger } from '../logger.js';
+import { useLogger } from '../logger/index.js';
+import { validateAccess } from '../permissions/modules/validate-access/validate-access.js';
 import { getStorage } from '../storage/index.js';
 import { getMilliseconds } from '../utils/get-milliseconds.js';
 import { isValidUuid } from '../utils/is-valid-uuid.js';
 import * as TransformationUtils from '../utils/transformations.js';
-import { AuthorizationService } from './authorization.js';
 import { FilesService } from './files.js';
 const env = useEnv();
 const logger = useLogger();
 export class AssetsService {
     knex;
     accountability;
-    authorizationService;
+    schema;
     filesService;
     constructor(options) {
         this.knex = options.knex || getDatabase();
         this.accountability = options.accountability || null;
+        this.schema = options.schema;
         this.filesService = new FilesService({ ...options, accountability: null });
-        this.authorizationService = new AuthorizationService(options);
     }
     async getAsset(id, transformation, range) {
         const storage = await getStorage();
@@ -41,8 +41,13 @@ export class AssetsService {
          */
         if (!isValidUuid(id))
             throw new ForbiddenError();
-        if (systemPublicKeys.includes(id) === false && this.accountability?.admin !== true) {
-            await this.authorizationService.checkAccess('read', 'directus_files', id);
+        if (systemPublicKeys.includes(id) === false && this.accountability) {
+            await validateAccess({
+                accountability: this.accountability,
+                action: 'read',
+                collection: 'directus_files',
+                primaryKeys: [id],
+            }, { knex: this.knex, schema: this.schema });
         }
         const file = (await this.filesService.readOne(id, { limit: 1 }));
         const exists = await storage.location(file.storage).exists(file.filename_disk);

package/dist/services/authentication.js CHANGED Viewed

@@ -1,3 +1,5 @@
+import { fetchRolesTree } from '../permissions/lib/fetch-roles-tree.js';
+import { fetchGlobalAccess } from '../permissions/modules/fetch-global-access/fetch-global-access.js';
 import { Action } from '@directus/constants';
 import { useEnv } from '@directus/env';
 import { InvalidCredentialsError, InvalidOtpError, ServiceUnavailableError, UserSuspendedError, } from '@directus/errors';
@@ -48,10 +50,9 @@ export class AuthenticationService {
             throw err;
         }
         const user = await this.knex
-            .select('u.id', 'u.first_name', 'u.last_name', 'u.email', 'u.password', 'u.status', 'u.role', 'r.admin_access', 'r.app_access', 'u.tfa_secret', 'u.provider', 'u.external_identifier', 'u.auth_data')
-            .from('directus_users as u')
-            .leftJoin('directus_roles as r', 'u.role', 'r.id')
-            .where('u.id', userId)
+            .select('id', 'first_name', 'last_name', 'email', 'password', 'status', 'role', 'tfa_secret', 'provider', 'external_identifier', 'auth_data')
+            .from('directus_users')
+            .where('id', userId)
             .first();
         const updatedPayload = await emitter.emitFilter('auth.login', payload, {
             status: 'pending',
@@ -128,11 +129,13 @@ export class AuthenticationService {
                 throw new InvalidOtpError();
             }
         }
+        const roles = await fetchRolesTree(user.role, this.knex);
+        const globalAccess = await fetchGlobalAccess({ roles, user: user.id, ip: this.accountability?.ip ?? null }, this.knex);
         const tokenPayload = {
             id: user.id,
             role: user.role,
-            app_access: user.app_access,
-            admin_access: user.admin_access,
+            app_access: globalAccess.app,
+            admin_access: globalAccess.admin,
         };
         const refreshToken = nanoid(64);
         const refreshTokenExpiration = new Date(Date.now() + getMilliseconds(env['REFRESH_TOKEN_TTL'], 0));
@@ -207,9 +210,7 @@ export class AuthenticationService {
             user_provider: 'u.provider',
             user_external_identifier: 'u.external_identifier',
             user_auth_data: 'u.auth_data',
-            role_id: 'r.id',
-            role_admin_access: 'r.admin_access',
-            role_app_access: 'r.app_access',
+            user_role: 'u.role',
             share_id: 'd.id',
             share_item: 'd.item',
             share_role: 'd.role',
@@ -222,9 +223,6 @@ export class AuthenticationService {
             .from('directus_sessions AS s')
             .leftJoin('directus_users AS u', 's.user', 'u.id')
             .leftJoin('directus_shares AS d', 's.share', 'd.id')
-            .leftJoin('directus_roles AS r', (join) => {
-            join.onIn('r.id', [this.knex.ref('u.role'), this.knex.ref('d.role')]);
-        })
             .where('s.token', refreshToken)
             .andWhere('s.expires', '>=', new Date())
             .andWhere((subQuery) => {
@@ -248,6 +246,8 @@ export class AuthenticationService {
                 throw new InvalidCredentialsError();
             }
         }
+        const roles = await fetchRolesTree(record.user_role, this.knex);
+        const globalAccess = await fetchGlobalAccess({ user: record.user_id, roles, ip: this.accountability?.ip ?? null }, this.knex);
         if (record.user_id) {
             const provider = getAuthProvider(record.user_provider);
             await provider.refresh({
@@ -260,9 +260,9 @@ export class AuthenticationService {
                 provider: record.user_provider,
                 external_identifier: record.user_external_identifier,
                 auth_data: record.user_auth_data,
-                role: record.role_id,
-                app_access: record.role_app_access,
-                admin_access: record.role_admin_access,
+                role: record.user_role,
+                app_access: globalAccess.app,
+                admin_access: globalAccess.admin,
             });
         }
         let newRefreshToken = record.session_next_token ?? nanoid(64);
@@ -270,9 +270,9 @@ export class AuthenticationService {
         const refreshTokenExpiration = new Date(Date.now() + getMilliseconds(sessionDuration, 0));
         const tokenPayload = {
             id: record.user_id,
-            role: record.role_id,
-            app_access: record.role_app_access,
-            admin_access: record.role_admin_access,
+            role: record.user_role,
+            app_access: globalAccess.app,
+            admin_access: globalAccess.admin,
         };
         if (options?.session) {
             newRefreshToken = await this.updateStatefulSession(record, refreshToken, newRefreshToken, refreshTokenExpiration);

package/dist/services/collections.js CHANGED Viewed

@@ -9,6 +9,8 @@ import { ALIAS_TYPES } from '../constants.js';
 import { getHelpers } from '../database/helpers/index.js';
 import getDatabase, { getSchemaInspector } from '../database/index.js';
 import emitter from '../emitter.js';
+import { fetchAllowedCollections } from '../permissions/modules/fetch-allowed-collections/fetch-allowed-collections.js';
+import { validateAccess } from '../permissions/modules/validate-access/validate-access.js';
 import { getSchema } from '../utils/get-schema.js';
 import { shouldClearCache } from '../utils/should-clear-cache.js';
 import { transaction } from '../utils/transaction.js';
@@ -223,11 +225,13 @@ export class CollectionsService {
                 ...meta,
                 [item.collection]: item.group,
             }), {});
-            let collectionsYouHavePermissionToRead = this.accountability
-                .permissions.filter((permission) => {
-                return permission.action === 'read';
-            })
-                .map(({ collection }) => collection);
+            let collectionsYouHavePermissionToRead = await fetchAllowedCollections({
+                accountability: this.accountability,
+                action: 'read',
+            }, {
+                knex: this.knex,
+                schema: this.schema,
+            });
             for (const collection of collectionsYouHavePermissionToRead) {
                 const group = collectionsGroups[collection];
                 if (group)
@@ -279,18 +283,15 @@ export class CollectionsService {
      * Read many collections by name
      */
     async readMany(collectionKeys) {
-        if (this.accountability && this.accountability.admin !== true) {
-            const permissions = this.accountability.permissions.filter((permission) => {
-                return permission.action === 'read' && collectionKeys.includes(permission.collection);
-            });
-            if (collectionKeys.length !== permissions.length) {
-                const collectionsYouHavePermissionToRead = permissions.map(({ collection }) => collection);
-                for (const collectionKey of collectionKeys) {
-                    if (collectionsYouHavePermissionToRead.includes(collectionKey) === false) {
-                        throw new ForbiddenError();
-                    }
-                }
-            }
+        if (this.accountability) {
+            await Promise.all(collectionKeys.map((collection) => validateAccess({
+                accountability: this.accountability,
+                action: 'read',
+                collection,
+            }, {
+                schema: this.schema,
+                knex: this.knex,
+            })));
         }
         const collections = await this.readByQuery();
         return collections.filter(({ collection }) => collectionKeys.includes(collection));

package/dist/services/fields.d.ts CHANGED Viewed

@@ -17,7 +17,6 @@ export declare class FieldsService {
     cache: Keyv<any> | null;
     systemCache: Keyv<any>;
     constructor(options: AbstractServiceOptions);
-    private get hasReadAccess();
     readAll(collection?: string): Promise<Field[]>;
     readOne(collection: string, field: string): Promise<Record<string, any>>;
     createField(collection: string, field: Partial<Field> & {