npm - @directus/api - Versions diffs - 20.1.0 → 21.0.0-rc.0 - Mend

@directus/api 20.1.0 → 21.0.0-rc.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (328) hide show

package/dist/permissions/modules/process-ast/process-ast.d.ts ADDED Viewed

@@ -0,0 +1,9 @@
+import type { Accountability, PermissionsAction } from '@directus/types';
+import type { AST } from '../../../types/ast.js';
+import type { Context } from '../../types.js';
+export interface ProcessAstOptions {
+    ast: AST;
+    action: PermissionsAction;
+    accountability: Accountability | null;
+}
+export declare function processAst(options: ProcessAstOptions, context: Context): Promise<AST>;

package/dist/permissions/modules/process-ast/process-ast.js ADDED Viewed

@@ -0,0 +1,39 @@
+import { fetchPermissions } from '../../lib/fetch-permissions.js';
+import { fetchPolicies } from '../../lib/fetch-policies.js';
+import { fieldMapFromAst } from './lib/field-map-from-ast.js';
+import { injectCases } from './lib/inject-cases.js';
+import { collectionsInFieldMap } from './utils/collections-in-field-map.js';
+import { validatePathPermissions } from './utils/validate-path/validate-path-permissions.js';
+import { validatePathExistence } from './utils/validate-path/validate-path-existence.js';
+export async function processAst(options, context) {
+    // FieldMap is a Map of paths in the AST, with each path containing the collection and fields in
+    // that collection that the AST path tries to access
+    const fieldMap = fieldMapFromAst(options.ast, context.schema);
+    const collections = collectionsInFieldMap(fieldMap);
+    if (!options.accountability || options.accountability.admin) {
+        // Validate the field existence, even if no permissions apply to the current accountability
+        for (const [path, { collection, fields }] of [...fieldMap.read.entries(), ...fieldMap.other.entries()]) {
+            validatePathExistence(path, collection, fields, context.schema);
+        }
+        return options.ast;
+    }
+    const policies = await fetchPolicies(options.accountability, context);
+    const permissions = await fetchPermissions({ action: options.action, policies, collections, accountability: options.accountability }, context);
+    const readPermissions = options.action === 'read'
+        ? permissions
+        : await fetchPermissions({ action: 'read', policies, collections, accountability: options.accountability }, context);
+    // Validate field existence first
+    for (const [path, { collection, fields }] of [...fieldMap.read.entries(), ...fieldMap.other.entries()]) {
+        validatePathExistence(path, collection, fields, context.schema);
+    }
+    // Validate permissions for the fields
+    for (const [path, { collection, fields }] of fieldMap.other.entries()) {
+        validatePathPermissions(path, permissions, collection, fields);
+    }
+    // Validate permission for read only fields
+    for (const [path, { collection, fields }] of fieldMap.read.entries()) {
+        validatePathPermissions(path, readPermissions, collection, fields);
+    }
+    injectCases(options.ast, permissions);
+    return options.ast;
+}

package/dist/permissions/modules/process-ast/types.d.ts ADDED Viewed

@@ -0,0 +1,24 @@
+export type CollectionKey = string;
+export type FieldKey = string;
+export type QueryPath = string[];
+/**
+ * Key is dot-notation QueryPath, f.e. `category.created_by`.
+ * Value contains collection context for that path, and fields fetched within
+ */
+export type FieldMapEntries = Map<string, {
+    collection: CollectionKey;
+    fields: Set<FieldKey>;
+}>;
+/**
+ * FieldMapEntries that require only read permissions and those that require action specific permissions
+ */
+export type FieldMap = {
+    read: FieldMapEntries;
+    other: FieldMapEntries;
+};
+export interface AccessRow {
+    policy: {
+        id: string;
+        ip_access: string[] | null;
+    };
+}

package/dist/permissions/modules/process-ast/types.js ADDED Viewed

	@@ -0,0 +1 @@
1	+ export {};

package/dist/permissions/modules/process-ast/utils/collections-in-field-map.d.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ import type { CollectionKey, FieldMap } from '../types.js';
2	+ export declare function collectionsInFieldMap(fieldMap: FieldMap): CollectionKey[];

package/dist/permissions/modules/process-ast/utils/collections-in-field-map.js ADDED Viewed

@@ -0,0 +1,7 @@
+export function collectionsInFieldMap(fieldMap) {
+    const collections = new Set();
+    for (const { collection } of [...fieldMap.other.values(), ...fieldMap.read.values()]) {
+        collections.add(collection);
+    }
+    return Array.from(collections);
+}

package/dist/permissions/modules/process-ast/utils/dedupe-access.d.ts ADDED Viewed

@@ -0,0 +1,12 @@
+import type { Filter, Permission } from '@directus/types';
+/**
+ * Deduplicate the permissions sets by merging the field sets based on the access control rules
+ * (`permissions` in Permission rows)
+ *
+ * This allows the cases injection to be more efficient by not having to generate duplicate
+ * case/when clauses for permission sets where the rule access is identical
+ */
+export declare function dedupeAccess(permissions: Permission[]): {
+    rule: Filter;
+    fields: Set<string>;
+}[];

package/dist/permissions/modules/process-ast/utils/dedupe-access.js ADDED Viewed

@@ -0,0 +1,30 @@
+import hash from 'object-hash';
+/**
+ * Deduplicate the permissions sets by merging the field sets based on the access control rules
+ * (`permissions` in Permission rows)
+ *
+ * This allows the cases injection to be more efficient by not having to generate duplicate
+ * case/when clauses for permission sets where the rule access is identical
+ */
+export function dedupeAccess(permissions) {
+    // Map of `ruleHash: fields[]`
+    const map = new Map();
+    for (const permission of permissions) {
+        const rule = permission.permissions ?? {};
+        // Two JS objects can't be equality checked. Object-hash will resort any nested arrays
+        // deterministically meaning that this can be used to compare two rule sets where the array
+        // order does not matter
+        const ruleHash = hash(rule, {
+            algorithm: 'passthrough',
+            unorderedArrays: true,
+        });
+        if (map.has(ruleHash) === false) {
+            map.set(ruleHash, { rule, fields: new Set() });
+        }
+        const info = map.get(ruleHash);
+        for (const field of permission.fields ?? []) {
+            info.fields.add(field);
+        }
+    }
+    return Array.from(map.values());
+}

package/dist/permissions/modules/process-ast/utils/extract-paths-from-query.d.ts ADDED Viewed

@@ -0,0 +1,15 @@
+import type { Query } from '@directus/types';
+/**
+ * Converts the passed Query object into a unique list of path arrays, for example:
+ *
+ * ```
+ * [
+ * 	['author', 'age'],
+ * 	['category']
+ * ]
+ * ```
+ */
+export declare function extractPathsFromQuery(query: Query): {
+    paths: string[][];
+    readOnlyPaths: string[][];
+};

package/dist/permissions/modules/process-ast/utils/extract-paths-from-query.js ADDED Viewed

@@ -0,0 +1,50 @@
+import { isEqual, uniqWith } from 'lodash-es';
+import { flattenFilter } from './flatten-filter.js';
+/**
+ * Converts the passed Query object into a unique list of path arrays, for example:
+ *
+ * ```
+ * [
+ * 	['author', 'age'],
+ * 	['category']
+ * ]
+ * ```
+ */
+export function extractPathsFromQuery(query) {
+    /**
+     * All nested paths used in the current query scope.
+     * This is generated by flattening the filters and adding in the used sort/aggregate fields.
+     */
+    const paths = [];
+    const readOnlyPaths = [];
+    if (query.filter) {
+        flattenFilter(readOnlyPaths, query.filter);
+    }
+    if (query.sort) {
+        for (const field of query.sort) {
+            // Sort can have dot notation fields for sorting on m2o values Sort fields can start with
+            // `-` to indicate descending order, which should be dropped for permissions checks
+            readOnlyPaths.push(field.split('.').map((field) => (field.startsWith('-') ? field.substring(1) : field)));
+        }
+    }
+    if (query.aggregate) {
+        for (const fields of Object.values(query.aggregate)) {
+            for (const field of fields) {
+                // Aggregate doesn't currently support aggregating on nested fields, but it doesn't hurt
+                // to standardize it in the validation layer
+                paths.push(field.split('.'));
+            }
+        }
+    }
+    if (query.group) {
+        for (const field of query.group) {
+            // Grouping doesn't currently support grouping on nested fields, but it doesn't hurt to
+            // standardize it in the validation layer
+            paths.push(field.split('.'));
+        }
+    }
+    return {
+        paths: uniqWith(paths, isEqual),
+        readOnlyPaths: uniqWith(readOnlyPaths, isEqual),
+    };
+}

package/dist/permissions/modules/process-ast/utils/find-related-collection.d.ts ADDED Viewed

@@ -0,0 +1,3 @@
+import type { SchemaOverview } from '@directus/types';
+import type { CollectionKey, FieldKey } from '../types.js';
+export declare function findRelatedCollection(collection: CollectionKey, field: FieldKey, schema: SchemaOverview): CollectionKey | null;

package/dist/permissions/modules/process-ast/utils/find-related-collection.js ADDED Viewed

@@ -0,0 +1,9 @@
+import { getRelationInfo } from '../../../../utils/get-relation-info.js';
+export function findRelatedCollection(collection, field, schema) {
+    const { relation } = getRelationInfo(schema.relations, collection, field);
+    if (!relation)
+        return null;
+    const isO2m = relation.related_collection === collection;
+    const relatedCollectionName = isO2m ? relation.collection : relation.related_collection;
+    return relatedCollectionName;
+}

package/dist/permissions/modules/process-ast/utils/flatten-filter.d.ts ADDED Viewed

@@ -0,0 +1,3 @@
+import type { Query } from '@directus/types';
+import type { FieldKey } from '../types.js';
+export declare function flattenFilter(paths: FieldKey[][], filter: Query['filter']): void;

package/dist/permissions/modules/process-ast/utils/flatten-filter.js ADDED Viewed

@@ -0,0 +1,34 @@
+export function flattenFilter(paths, filter) {
+    if (!filter)
+        return;
+    const stack = [{ current: filter, path: [] }];
+    while (stack.length > 0) {
+        const { current, path } = stack.pop();
+        if (typeof current === 'object' && current !== null) {
+            // If the current nested value is an array, we ignore the array order and flatten all
+            // nested objects
+            const isArray = Array.isArray(current);
+            for (const key in current) {
+                if (!key.startsWith('_') || key === '_and' || key === '_or' || key === '_some' || key === '_none') {
+                    // Only deepen the path if the current value can contain more keys
+                    stack.push({
+                        current: current[key],
+                        path: isArray ? path : [...path, key],
+                    });
+                }
+                else {
+                    // Ignore all operators and logical grouping in the field paths
+                    const parts = path.filter((part) => part.startsWith('_') === false);
+                    if (parts.length > 0)
+                        paths.push(parts);
+                }
+            }
+        }
+        else {
+            // Ignore all operators and logical grouping in the field paths
+            const parts = path.filter((part) => part.startsWith('_') === false);
+            if (parts.length > 0)
+                paths.push(parts);
+        }
+    }
+}

package/dist/permissions/modules/process-ast/utils/format-a2o-key.d.ts ADDED Viewed

	@@ -0,0 +1 @@
1	+ export declare function formatA2oKey(fieldKey: string, collection: string): string;

package/dist/permissions/modules/process-ast/utils/format-a2o-key.js ADDED Viewed

@@ -0,0 +1,3 @@
+export function formatA2oKey(fieldKey, collection) {
+    return `${fieldKey}:${collection}`;
+}

package/dist/permissions/modules/process-ast/utils/get-info-for-path.d.ts ADDED Viewed

@@ -0,0 +1,5 @@
+import type { CollectionKey, FieldMap, QueryPath } from '../types.js';
+export declare function getInfoForPath(fieldMap: FieldMap, group: keyof FieldMap, path: QueryPath, collection: CollectionKey): {
+    collection: string;
+    fields: Set<string>;
+};

package/dist/permissions/modules/process-ast/utils/get-info-for-path.js ADDED Viewed

@@ -0,0 +1,7 @@
+export function getInfoForPath(fieldMap, group, path, collection) {
+    const pathStr = path.join('.');
+    if (fieldMap[group].has(pathStr) === false) {
+        fieldMap[group].set(pathStr, { collection, fields: new Set() });
+    }
+    return fieldMap[group].get(pathStr);
+}

package/dist/permissions/modules/process-ast/utils/has-item-permissions.d.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ import type { Permission } from '@directus/types';
2	+ export declare function hasItemPermissions(permission: Permission): boolean;

package/dist/permissions/modules/process-ast/utils/has-item-permissions.js ADDED Viewed

@@ -0,0 +1,3 @@
+export function hasItemPermissions(permission) {
+    return permission.permissions !== null && Object.keys(permission.permissions).length > 0;
+}

package/dist/permissions/modules/process-ast/utils/stringify-query-path.d.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ import type { QueryPath } from '../types.js';
2	+ export declare function stringifyQueryPath(queryPath: QueryPath): string;

package/dist/permissions/modules/process-ast/utils/stringify-query-path.js ADDED Viewed

@@ -0,0 +1,3 @@
+export function stringifyQueryPath(queryPath) {
+    return queryPath.join('.');
+}

package/dist/permissions/modules/process-ast/utils/validate-path/create-error.d.ts ADDED Viewed

@@ -0,0 +1,3 @@
+import { type DirectusError } from '@directus/errors';
+export declare function createCollectionForbiddenError(path: string, collection: string): DirectusError<any>;
+export declare function createFieldsForbiddenError(path: string, collection: string, fields: string[]): DirectusError<any>;

package/dist/permissions/modules/process-ast/utils/validate-path/create-error.js ADDED Viewed

@@ -0,0 +1,16 @@
+import { ForbiddenError } from '@directus/errors';
+export function createCollectionForbiddenError(path, collection) {
+    const pathSuffix = path === '' ? 'root' : `"${path}"`;
+    return new ForbiddenError({
+        reason: `You don't have permission to access collection "${collection}" or it does not exist. Queried in ${pathSuffix}.`,
+    });
+}
+export function createFieldsForbiddenError(path, collection, fields) {
+    const pathSuffix = path === '' ? 'root' : `"${path}"`;
+    const fieldStr = fields.map((field) => `"${field}"`).join(', ');
+    return new ForbiddenError({
+        reason: fields.length === 1
+            ? `You don't have permission to access field ${fieldStr} in collection "${collection}" or it does not exist. Queried in ${pathSuffix}.`
+            : `You don't have permission to access fields ${fieldStr} in collection "${collection}" or they do not exist. Queried in ${pathSuffix}.`,
+    });
+}

package/dist/permissions/modules/process-ast/utils/validate-path/validate-path-existence.d.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ import type { SchemaOverview } from '@directus/types';
2	+ export declare function validatePathExistence(path: string, collection: string, fields: Set<string>, schema: SchemaOverview): void;

package/dist/permissions/modules/process-ast/utils/validate-path/validate-path-existence.js ADDED Viewed

@@ -0,0 +1,12 @@
+import { createCollectionForbiddenError, createFieldsForbiddenError } from './create-error.js';
+export function validatePathExistence(path, collection, fields, schema) {
+    const collectionInfo = schema.collections[collection];
+    if (collectionInfo === undefined) {
+        throw createCollectionForbiddenError(path, collection);
+    }
+    const requestedFields = Array.from(fields);
+    const nonExistentFields = requestedFields.filter((field) => collectionInfo.fields[field] === undefined);
+    if (nonExistentFields.length > 0) {
+        throw createFieldsForbiddenError(path, collection, nonExistentFields);
+    }
+}

package/dist/permissions/modules/process-ast/utils/validate-path/validate-path-permissions.d.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ import type { Permission } from '@directus/types';
2	+ export declare function validatePathPermissions(path: string, permissions: Permission[], collection: string, fields: Set<string>): void;

package/dist/permissions/modules/process-ast/utils/validate-path/validate-path-permissions.js ADDED Viewed

@@ -0,0 +1,28 @@
+import { createCollectionForbiddenError, createFieldsForbiddenError } from './create-error.js';
+export function validatePathPermissions(path, permissions, collection, fields) {
+    const permissionsForCollection = permissions.filter((permission) => permission.collection === collection);
+    if (permissionsForCollection.length === 0) {
+        throw createCollectionForbiddenError(path, collection);
+    }
+    // Set of all fields that are allowed to be queried combined
+    const allowedFields = new Set();
+    for (const { fields } of permissionsForCollection) {
+        if (!fields) {
+            continue;
+        }
+        for (const field of fields) {
+            if (field === '*') {
+                // Early exit in case all fields are allowed
+                return;
+            }
+            allowedFields.add(field);
+        }
+    }
+    const requestedFields = Array.from(fields);
+    const forbiddenFields = allowedFields.has('*')
+        ? []
+        : requestedFields.filter((field) => allowedFields.has(field) === false);
+    if (forbiddenFields.length > 0) {
+        throw createFieldsForbiddenError(path, collection, forbiddenFields);
+    }
+}

package/dist/permissions/modules/process-payload/lib/is-field-nullable.d.ts ADDED Viewed

@@ -0,0 +1,5 @@
+import type { FieldOverview } from '@directus/types';
+/**
+ * Checks if a given field is allowed to be set to `null`.
+ */
+export declare function isFieldNullable(field: FieldOverview): boolean;

package/dist/permissions/modules/process-payload/lib/is-field-nullable.js ADDED Viewed

@@ -0,0 +1,12 @@
+import { GENERATE_SPECIAL } from '../../../../constants.js';
+/**
+ * Checks if a given field is allowed to be set to `null`.
+ */
+export function isFieldNullable(field) {
+    if (field.nullable)
+        return true;
+    if (field.generated)
+        return true;
+    const hasGenerateSpecial = GENERATE_SPECIAL.some((name) => field.special.includes(name));
+    return hasGenerateSpecial;
+}

package/dist/permissions/modules/process-payload/process-payload.d.ts ADDED Viewed

@@ -0,0 +1,13 @@
+import type { Accountability, Item, PermissionsAction } from '@directus/types';
+import type { Context } from '../../types.js';
+export interface ProcessPayloadOptions {
+    accountability: Accountability;
+    action: PermissionsAction;
+    collection: string;
+    payload: Item;
+}
+/**
+ * @note this only validates the top-level fields. The expectation is that this function is called
+ * for each level of nested insert separately
+ */
+export declare function processPayload(options: ProcessPayloadOptions, context: Context): Promise<any>;

package/dist/permissions/modules/process-payload/process-payload.js ADDED Viewed

@@ -0,0 +1,77 @@
+import { ForbiddenError } from '@directus/errors';
+import { validatePayload } from '@directus/utils';
+import { FailedValidationError, joiValidationErrorItemToErrorExtensions } from '@directus/validation';
+import { assign, difference, uniq } from 'lodash-es';
+import { fetchPermissions } from '../../lib/fetch-permissions.js';
+import { fetchPolicies } from '../../lib/fetch-policies.js';
+import { isFieldNullable } from './lib/is-field-nullable.js';
+/**
+ * @note this only validates the top-level fields. The expectation is that this function is called
+ * for each level of nested insert separately
+ */
+export async function processPayload(options, context) {
+    let permissions;
+    let permissionValidationRules = [];
+    if (!options.accountability.admin) {
+        const policies = await fetchPolicies(options.accountability, context);
+        permissions = await fetchPermissions({ action: options.action, policies, collections: [options.collection], accountability: options.accountability }, context);
+        if (permissions.length === 0) {
+            throw new ForbiddenError({
+                reason: `You don't have permission to "${options.action}" from collection "${options.collection}" or it does not exist.`,
+            });
+        }
+        const fieldsAllowed = uniq(permissions.map(({ fields }) => fields ?? []).flat());
+        if (fieldsAllowed.includes('*') === false) {
+            const fieldsUsed = Object.keys(options.payload);
+            const notAllowed = difference(fieldsUsed, fieldsAllowed);
+            if (notAllowed.length > 0) {
+                const fieldStr = notAllowed.map((field) => `"${field}"`).join(', ');
+                throw new ForbiddenError({
+                    reason: notAllowed.length === 1
+                        ? `You don't have permission to access field ${fieldStr} in collection "${options.collection}" or it does not exist.`
+                        : `You don't have permission to access fields ${fieldStr} in collection "${options.collection}" or they do not exist.`,
+                });
+            }
+        }
+        permissionValidationRules = permissions.map(({ validation }) => validation);
+    }
+    const fields = Object.values(context.schema.collections[options.collection]?.fields ?? {});
+    const fieldValidationRules = [];
+    for (const field of fields) {
+        if (!isFieldNullable(field)) {
+            const isSubmissionRequired = options.action === 'create' && field.defaultValue === null;
+            if (isSubmissionRequired) {
+                fieldValidationRules.push({
+                    [field.field]: {
+                        _submitted: true,
+                    },
+                });
+            }
+            fieldValidationRules.push({
+                [field.field]: {
+                    _nnull: true,
+                },
+            });
+        }
+        fieldValidationRules.push(field.validation);
+    }
+    const validationRules = [...fieldValidationRules, ...permissionValidationRules].filter((rule) => {
+        if (rule === null)
+            return false;
+        if (Object.keys(rule).length === 0)
+            return false;
+        return true;
+    });
+    if (validationRules.length > 0) {
+        const validationErrors = [];
+        validationErrors.push(...validatePayload({ _and: validationRules }, options.payload)
+            .map((error) => error.details.map((details) => new FailedValidationError(joiValidationErrorItemToErrorExtensions(details))))
+            .flat());
+        if (validationErrors.length > 0)
+            throw validationErrors;
+    }
+    if (!permissions)
+        return options.payload;
+    const presets = permissions.map((permission) => permission.presets);
+    return assign({}, ...presets, options.payload);
+}

package/dist/permissions/modules/validate-access/lib/validate-collection-access.d.ts ADDED Viewed

@@ -0,0 +1,12 @@
+import type { Accountability, PermissionsAction } from '@directus/types';
+import type { Context } from '../../../types.js';
+export interface ValidateCollectionAccessOptions {
+    accountability: Accountability;
+    action: PermissionsAction;
+    collection: string;
+}
+/**
+ * Check if you have (limited) access to a given collection by making sure there's at least 1
+ * permission rule available for the collection and action combo
+ */
+export declare function validateCollectionAccess(options: ValidateCollectionAccessOptions, context: Context): Promise<boolean>;

package/dist/permissions/modules/validate-access/lib/validate-collection-access.js ADDED Viewed

@@ -0,0 +1,11 @@
+import { fetchPermissions } from '../../../lib/fetch-permissions.js';
+import { fetchPolicies } from '../../../lib/fetch-policies.js';
+/**
+ * Check if you have (limited) access to a given collection by making sure there's at least 1
+ * permission rule available for the collection and action combo
+ */
+export async function validateCollectionAccess(options, context) {
+    const policies = await fetchPolicies(options.accountability, context);
+    const permissions = await fetchPermissions({ action: options.action, policies, collections: [options.collection], accountability: options.accountability }, context);
+    return permissions.length > 0;
+}

package/dist/permissions/modules/validate-access/lib/validate-item-access.d.ts ADDED Viewed

@@ -0,0 +1,9 @@
+import type { Accountability, PermissionsAction, PrimaryKey } from '@directus/types';
+import type { Context } from '../../../types.js';
+export interface ValidateItemAccessOptions {
+    accountability: Accountability;
+    action: PermissionsAction;
+    collection: string;
+    primaryKeys: PrimaryKey[];
+}
+export declare function validateItemAccess(options: ValidateItemAccessOptions, context: Context): Promise<boolean>;

package/dist/permissions/modules/validate-access/lib/validate-item-access.js ADDED Viewed

@@ -0,0 +1,33 @@
+import { getAstFromQuery } from '../../../../database/get-ast-from-query/get-ast-from-query.js';
+import { runAst } from '../../../../database/run-ast/run-ast.js';
+import { processAst } from '../../process-ast/process-ast.js';
+export async function validateItemAccess(options, context) {
+    const primaryKeyField = context.schema.collections[options.collection]?.primary;
+    if (!primaryKeyField) {
+        throw new Error(`Cannot find primary key for collection "${options.collection}"`);
+    }
+    // When we're looking up access to specific items, we have to read them from the database to
+    // make sure you are allowed to access them.
+    const query = {
+        // We don't actually need any of the field data, just want to know if we can read the item as
+        // whole or not
+        fields: [],
+        limit: options.primaryKeys.length,
+        filter: {
+            [primaryKeyField]: {
+                _in: options.primaryKeys,
+            },
+        },
+    };
+    const ast = await getAstFromQuery({
+        accountability: options.accountability,
+        query,
+        collection: options.collection,
+    }, context);
+    await processAst({ ast, ...options }, context);
+    const items = await runAst(ast, context.schema, { knex: context.knex });
+    if (items && items.length === options.primaryKeys.length) {
+        return true;
+    }
+    return false;
+}

package/dist/permissions/modules/validate-access/validate-access.d.ts ADDED Viewed

@@ -0,0 +1,14 @@
+import type { Accountability, PermissionsAction, PrimaryKey } from '@directus/types';
+import type { Context } from '../../types.js';
+export interface ValidateAccessOptions {
+    accountability: Accountability;
+    action: PermissionsAction;
+    collection: string;
+    primaryKeys?: PrimaryKey[];
+}
+/**
+ * Validate if the current user has access to perform action against the given collection and
+ * optional primary keys. This is done by reading the item from the database using the access
+ * control rules and checking if we got the expected result back
+ */
+export declare function validateAccess(options: ValidateAccessOptions, context: Context): Promise<void>;

package/dist/permissions/modules/validate-access/validate-access.js ADDED Viewed

@@ -0,0 +1,28 @@
+import { ForbiddenError } from '@directus/errors';
+import { validateCollectionAccess } from './lib/validate-collection-access.js';
+import { validateItemAccess } from './lib/validate-item-access.js';
+/**
+ * Validate if the current user has access to perform action against the given collection and
+ * optional primary keys. This is done by reading the item from the database using the access
+ * control rules and checking if we got the expected result back
+ */
+export async function validateAccess(options, context) {
+    if (options.accountability.admin === true) {
+        return;
+    }
+    let access;
+    // If primary keys are passed, we have to confirm the access by actually trying to read the items
+    // from the database. If no keys are passed, we can simply check if the collection+action combo
+    // exists within permissions
+    if (options.primaryKeys) {
+        access = await validateItemAccess(options, context);
+    }
+    else {
+        access = await validateCollectionAccess(options, context);
+    }
+    if (!access) {
+        throw new ForbiddenError({
+            reason: `You don't have permission to "${options.action}" from collection "${options.collection}" or it does not exist.`,
+        });
+    }
+}

package/dist/permissions/modules/validate-remaining-admin/validate-remaining-admin-count.d.ts ADDED Viewed

	@@ -0,0 +1 @@
1	+ export declare function validateRemainingAdminCount(count: number): void;

package/dist/permissions/modules/validate-remaining-admin/validate-remaining-admin-count.js ADDED Viewed

@@ -0,0 +1,8 @@
+import { UnprocessableContentError } from '@directus/errors';
+export function validateRemainingAdminCount(count) {
+    if (count <= 0) {
+        throw new UnprocessableContentError({
+            reason: `Cannot remove the last admin user from the system`,
+        });
+    }
+}

package/dist/permissions/modules/validate-remaining-admin/validate-remaining-admin-users.d.ts ADDED Viewed

@@ -0,0 +1,5 @@
+import { type FetchUserCountOptions } from '../../../utils/fetch-user-count/fetch-user-count.js';
+import type { Context } from '../../types.js';
+export interface ValidateRemainingAdminUsersOptions extends Pick<FetchUserCountOptions, 'excludeAccessRows' | 'excludePolicies' | 'excludeUsers' | 'excludeRoles'> {
+}
+export declare function validateRemainingAdminUsers(options: ValidateRemainingAdminUsersOptions, context: Context): Promise<void>;

package/dist/permissions/modules/validate-remaining-admin/validate-remaining-admin-users.js ADDED Viewed

@@ -0,0 +1,10 @@
+import { fetchUserCount } from '../../../utils/fetch-user-count/fetch-user-count.js';
+import { validateRemainingAdminCount } from './validate-remaining-admin-count.js';
+export async function validateRemainingAdminUsers(options, context) {
+    const { admin } = await fetchUserCount({
+        ...options,
+        adminOnly: true,
+        knex: context.knex,
+    });
+    validateRemainingAdminCount(admin);
+}