npm - @directus/api - Versions diffs - 20.1.0 → 21.0.0-rc.0 - Mend

@directus/api 20.1.0 → 21.0.0-rc.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (328) hide show

package/dist/services/fields.js CHANGED Viewed

@@ -1,4 +1,4 @@
-import { KNEX_TYPES, REGEX_BETWEEN_PARENS, DEFAULT_NUMERIC_PRECISION, DEFAULT_NUMERIC_SCALE, } from '@directus/constants';
+import { DEFAULT_NUMERIC_PRECISION, DEFAULT_NUMERIC_SCALE, KNEX_TYPES, REGEX_BETWEEN_PARENS, } from '@directus/constants';
 import { ForbiddenError, InvalidPayloadError } from '@directus/errors';
 import { createInspector } from '@directus/schema';
 import { addFieldFlag, toArray } from '@directus/utils';
@@ -9,6 +9,9 @@ import { translateDatabaseError } from '../database/errors/translate.js';
 import { getHelpers } from '../database/helpers/index.js';
 import getDatabase, { getSchemaInspector } from '../database/index.js';
 import emitter from '../emitter.js';
+import { fetchPermissions } from '../permissions/lib/fetch-permissions.js';
+import { fetchPolicies } from '../permissions/lib/fetch-policies.js';
+import { validateAccess } from '../permissions/modules/validate-access/validate-access.js';
 import getDefaultValue from '../utils/get-default-value.js';
 import { getSystemFieldRowsWithAuthProviders } from '../utils/get-field-system-rows.js';
 import getLocalType from '../utils/get-local-type.js';
@@ -42,15 +45,17 @@ export class FieldsService {
         this.cache = cache;
         this.systemCache = systemCache;
     }
-    get hasReadAccess() {
-        return !!this.accountability?.permissions?.find((permission) => {
-            return permission.collection === 'directus_fields' && permission.action === 'read';
-        });
-    }
     async readAll(collection) {
         let fields;
-        if (this.accountability && this.accountability.admin !== true && this.hasReadAccess === false) {
-            throw new ForbiddenError();
+        if (this.accountability) {
+            await validateAccess({
+                accountability: this.accountability,
+                action: 'read',
+                collection: 'directus_fields',
+            }, {
+                schema: this.schema,
+                knex: this.knex,
+            });
         }
         const nonAuthorizedItemsService = new ItemsService('directus_fields', {
             knex: this.knex,
@@ -119,12 +124,27 @@ export class FieldsService {
         const result = [...columnsWithSystem, ...aliasFieldsAsField].filter((field) => knownCollections.includes(field.collection));
         // Filter the result so we only return the fields you have read access to
         if (this.accountability && this.accountability.admin !== true) {
-            const permissions = this.accountability.permissions.filter((permission) => {
-                return permission.action === 'read';
-            });
+            const policies = await fetchPolicies(this.accountability, { knex: this.knex, schema: this.schema });
+            const permissions = await fetchPermissions(collection
+                ? {
+                    action: 'read',
+                    policies,
+                    collections: [collection],
+                    accountability: this.accountability,
+                }
+                : {
+                    action: 'read',
+                    policies,
+                    accountability: this.accountability,
+                }, { knex: this.knex, schema: this.schema });
             const allowedFieldsInCollection = {};
             permissions.forEach((permission) => {
-                allowedFieldsInCollection[permission.collection] = permission.fields ?? [];
+                if (!allowedFieldsInCollection[permission.collection]) {
+                    allowedFieldsInCollection[permission.collection] = new Set();
+                }
+                for (const field of permission.fields ?? []) {
+                    allowedFieldsInCollection[permission.collection].add(field);
+                }
             });
             if (collection && collection in allowedFieldsInCollection === false) {
                 throw new ForbiddenError();
@@ -133,9 +153,9 @@ export class FieldsService {
                 if (field.collection in allowedFieldsInCollection === false)
                     return false;
                 const allowedFields = allowedFieldsInCollection[field.collection];
-                if (allowedFields[0] === '*')
+                if (allowedFields.has('*'))
                     return true;
-                return allowedFields.includes(field.field);
+                return allowedFields.has(field.field);
             });
         }
         // Update specific database type overrides
@@ -152,18 +172,27 @@ export class FieldsService {
     }
     async readOne(collection, field) {
         if (this.accountability && this.accountability.admin !== true) {
-            if (this.hasReadAccess === false) {
-                throw new ForbiddenError();
-            }
-            const permissions = this.accountability.permissions.find((permission) => {
-                return permission.action === 'read' && permission.collection === collection;
+            await validateAccess({
+                accountability: this.accountability,
+                action: 'read',
+                collection,
+            }, {
+                schema: this.schema,
+                knex: this.knex,
             });
-            if (!permissions || !permissions.fields)
+            const policies = await fetchPolicies(this.accountability, { knex: this.knex, schema: this.schema });
+            const permissions = await fetchPermissions({ action: 'read', policies, collections: [collection], accountability: this.accountability }, { knex: this.knex, schema: this.schema });
+            let hasAccess = false;
+            for (const permission of permissions) {
+                if (permission.fields) {
+                    if (permission.fields.includes('*') || permission.fields.includes(field)) {
+                        hasAccess = true;
+                        break;
+                    }
+                }
+            }
+            if (!hasAccess) {
                 throw new ForbiddenError();
-            if (permissions.fields.includes('*') === false) {
-                const allowedFields = permissions.fields;
-                if (allowedFields.includes(field) === false)
-                    throw new ForbiddenError();
             }
         }
         let column = undefined;

package/dist/services/files/utils/get-metadata.js CHANGED Viewed

@@ -4,7 +4,7 @@ import { pick } from 'lodash-es';
 import { pipeline } from 'node:stream/promises';
 import sharp from 'sharp';
 import { useEnv } from '@directus/env';
-import { useLogger } from '../../../logger.js';
+import { useLogger } from '../../../logger/index.js';
 import { parseIptc, parseXmp } from './parse-image-metadata.js';
 const env = useEnv();
 const logger = useLogger();

package/dist/services/files.js CHANGED Viewed

@@ -11,7 +11,8 @@ import path from 'path';
 import url from 'url';
 import { RESUMABLE_UPLOADS } from '../constants.js';
 import emitter from '../emitter.js';
-import { useLogger } from '../logger.js';
+import { useLogger } from '../logger/index.js';
+import { validateAccess } from '../permissions/modules/validate-access/validate-access.js';
 import { getAxios } from '../request/index.js';
 import { getStorage } from '../storage/index.js';
 import { extractMetadata } from './files/lib/extract-metadata.js';
@@ -152,9 +153,15 @@ export class FilesService extends ItemsService {
      * Import a single file from an external URL
      */
     async importOne(importURL, body) {
-        const fileCreatePermissions = this.accountability?.permissions?.find((permission) => permission.collection === 'directus_files' && permission.action === 'create');
-        if (this.accountability && this.accountability?.admin !== true && !fileCreatePermissions) {
-            throw new ForbiddenError();
+        if (this.accountability) {
+            await validateAccess({
+                accountability: this.accountability,
+                action: 'create',
+                collection: 'directus_files',
+            }, {
+                knex: this.knex,
+                schema: this.schema,
+            });
         }
         let fileResponse;
         try {

package/dist/services/graphql/index.d.ts CHANGED Viewed

@@ -20,9 +20,9 @@ export declare class GraphQLService {
     /**
      * Generate the GraphQL schema. Pulls from the schema information generated by the get-schema util.
      */
-    getSchema(): GraphQLSchema;
-    getSchema(type: 'schema'): GraphQLSchema;
-    getSchema(type: 'sdl'): GraphQLSchema | string;
+    getSchema(): Promise<GraphQLSchema>;
+    getSchema(type: 'schema'): Promise<GraphQLSchema>;
+    getSchema(type: 'sdl'): Promise<GraphQLSchema | string>;
     /**
      * Generic resolver that's used for every "regular" items/system query. Converts the incoming GraphQL AST / fragments into
      * Directus' query structure which is then executed by the services.

package/dist/services/graphql/index.js CHANGED Viewed

@@ -11,6 +11,9 @@ import { clearSystemCache, getCache } from '../../cache.js';
 import { DEFAULT_AUTH_PROVIDER, GENERATE_SPECIAL, REFRESH_COOKIE_OPTIONS, SESSION_COOKIE_OPTIONS, } from '../../constants.js';
 import getDatabase from '../../database/index.js';
 import { rateLimiter } from '../../middleware/rate-limiter-registration.js';
+import { fetchAllowedFieldMap } from '../../permissions/modules/fetch-allowed-field-map/fetch-allowed-field-map.js';
+import { fetchInconsistentFieldMap } from '../../permissions/modules/fetch-inconsistent-field-map/fetch-inconsistent-field-map.js';
+import { createDefaultAccountability } from '../../permissions/utils/create-default-accountability.js';
 import { generateHash } from '../../utils/generate-hash.js';
 import { getGraphQLType } from '../../utils/get-graphql-type.js';
 import { getIPFromReq } from '../../utils/get-ip-from-req.js';
@@ -48,6 +51,9 @@ import { GraphQLVoid } from './types/void.js';
 import { addPathToValidationError } from './utils/add-path-to-validation-error.js';
 import processError from './utils/process-error.js';
 import { sanitizeGraphqlSchema } from './utils/sanitize-gql-schema.js';
+import { fetchAccountabilityCollectionAccess } from '../../permissions/modules/fetch-accountability-collection-access/fetch-accountability-collection-access.js';
+import { fetchAccountabilityPolicyGlobals } from '../../permissions/modules/fetch-accountability-policy-globals/fetch-accountability-policy-globals.js';
+import { RolesService } from '../roles.js';
 const env = useEnv();
 const validationRules = Array.from(specifiedRules);
 if (env['GRAPHQL_INTROSPECTION'] === false) {
@@ -80,7 +86,7 @@ export class GraphQLService {
      * Execute a GraphQL structure
      */
     async execute({ document, variables, operationName, contextValue, }) {
-        const schema = this.getSchema();
+        const schema = await this.getSchema();
         const validationErrors = validate(schema, document, validationRules).map((validationError) => addPathToValidationError(validationError));
         if (validationErrors.length > 0) {
             throw new GraphQLValidationError({ errors: validationErrors });
@@ -108,7 +114,7 @@ export class GraphQLService {
             formattedResult.extensions = result['extensions'];
         return formattedResult;
     }
-    getSchema(type = 'schema') {
+    async getSchema(type = 'schema') {
         const key = `${this.scope}_${type}_${this.accountability?.role}_${this.accountability?.user}`;
         const cachedSchema = cache.get(key);
         if (cachedSchema)
@@ -116,20 +122,53 @@ export class GraphQLService {
         // eslint-disable-next-line @typescript-eslint/no-this-alias
         const self = this;
         const schemaComposer = new SchemaComposer();
+        let schema;
         const sanitizedSchema = sanitizeGraphqlSchema(this.schema);
-        const schema = {
-            read: this.accountability?.admin === true
-                ? sanitizedSchema
-                : reduceSchema(sanitizedSchema, this.accountability?.permissions || null, ['read']),
-            create: this.accountability?.admin === true
-                ? sanitizedSchema
-                : reduceSchema(sanitizedSchema, this.accountability?.permissions || null, ['create']),
-            update: this.accountability?.admin === true
-                ? sanitizedSchema
-                : reduceSchema(sanitizedSchema, this.accountability?.permissions || null, ['update']),
-            delete: this.accountability?.admin === true
-                ? sanitizedSchema
-                : reduceSchema(sanitizedSchema, this.accountability?.permissions || null, ['delete']),
+        if (!this.accountability || this.accountability.admin) {
+            schema = {
+                read: sanitizedSchema,
+                create: sanitizedSchema,
+                update: sanitizedSchema,
+                delete: sanitizedSchema,
+            };
+        }
+        else {
+            schema = {
+                read: reduceSchema(sanitizedSchema, await fetchAllowedFieldMap({
+                    accountability: this.accountability,
+                    action: 'read',
+                }, { schema: this.schema, knex: this.knex })),
+                create: reduceSchema(sanitizedSchema, await fetchAllowedFieldMap({
+                    accountability: this.accountability,
+                    action: 'create',
+                }, { schema: this.schema, knex: this.knex })),
+                update: reduceSchema(sanitizedSchema, await fetchAllowedFieldMap({
+                    accountability: this.accountability,
+                    action: 'update',
+                }, { schema: this.schema, knex: this.knex })),
+                delete: reduceSchema(sanitizedSchema, await fetchAllowedFieldMap({
+                    accountability: this.accountability,
+                    action: 'delete',
+                }, { schema: this.schema, knex: this.knex })),
+            };
+        }
+        const inconsistentFields = {
+            read: await fetchInconsistentFieldMap({
+                accountability: this.accountability,
+                action: 'read',
+            }, { schema: this.schema, knex: this.knex }),
+            create: await fetchInconsistentFieldMap({
+                accountability: this.accountability,
+                action: 'create',
+            }, { schema: this.schema, knex: this.knex }),
+            update: await fetchInconsistentFieldMap({
+                accountability: this.accountability,
+                action: 'update',
+            }, { schema: this.schema, knex: this.knex }),
+            delete: await fetchInconsistentFieldMap({
+                accountability: this.accountability,
+                action: 'delete',
+            }, { schema: this.schema, knex: this.knex }),
         };
         const subscriptionEventType = schemaComposer.createEnumTC({
             name: 'EventEnum',
@@ -300,16 +339,18 @@ export class GraphQLService {
                     name: action === 'read' ? collection.collection : `${action}_${collection.collection}`,
                     fields: Object.values(collection.fields).reduce((acc, field) => {
                         let type = getGraphQLType(field.type, field.special);
+                        const fieldIsInconsistent = inconsistentFields[action][collection.collection]?.includes(field.field);
                         // GraphQL doesn't differentiate between not-null and has-to-be-submitted. We
                         // can't non-null in update, as that would require every not-nullable field to be
                         // submitted on updates
                         if (field.nullable === false &&
                             !field.defaultValue &&
                             !GENERATE_SPECIAL.some((flag) => field.special.includes(flag)) &&
+                            fieldIsInconsistent === false &&
                             action !== 'update') {
                             type = new GraphQLNonNull(type);
                         }
-                        if (collection.primary === field.field) {
+                        if (collection.primary === field.field && fieldIsInconsistent === false) {
                             // permissions IDs need to be nullable https://github.com/directus/directus/issues/20509
                             if (collection.collection === 'directus_permissions') {
                                 type = GraphQLID;
@@ -1762,7 +1803,7 @@ export class GraphQLService {
                         accountability: this.accountability,
                         scope: args['scope'] ?? 'items',
                     });
-                    return service.getSchema('sdl');
+                    return await service.getSchema('sdl');
                 },
             },
             server_ping: {
@@ -1815,7 +1856,7 @@ export class GraphQLService {
                     otp: GraphQLString,
                 },
                 resolve: async (_, args, { req, res }) => {
-                    const accountability = { role: null };
+                    const accountability = createDefaultAccountability();
                     if (req?.ip)
                         accountability.ip = req.ip;
                     const userAgent = req?.get('user-agent');
@@ -1855,7 +1896,7 @@ export class GraphQLService {
                     mode: AuthMode,
                 },
                 resolve: async (_, args, { req, res }) => {
-                    const accountability = { role: null };
+                    const accountability = createDefaultAccountability();
                     if (req?.ip)
                         accountability.ip = req.ip;
                     const userAgent = req?.get('user-agent');
@@ -1913,7 +1954,7 @@ export class GraphQLService {
                     mode: AuthMode,
                 },
                 resolve: async (_, args, { req, res }) => {
-                    const accountability = { role: null };
+                    const accountability = createDefaultAccountability();
                     if (req?.ip)
                         accountability.ip = req.ip;
                     const userAgent = req?.get('user-agent');
@@ -1963,7 +2004,7 @@ export class GraphQLService {
                     reset_url: GraphQLString,
                 },
                 resolve: async (_, args, { req }) => {
-                    const accountability = { role: null };
+                    const accountability = createDefaultAccountability();
                     if (req?.ip)
                         accountability.ip = req.ip;
                     const userAgent = req?.get('user-agent');
@@ -1991,7 +2032,7 @@ export class GraphQLService {
                     password: new GraphQLNonNull(GraphQLString),
                 },
                 resolve: async (_, args, { req }) => {
-                    const accountability = { role: null };
+                    const accountability = createDefaultAccountability();
                     if (req?.ip)
                         accountability.ip = req.ip;
                     const userAgent = req?.get('user-agent');
@@ -2632,6 +2673,69 @@ export class GraphQLService {
                 },
             });
         }
+        if ('directus_permissions' in schema.read.collections) {
+            schemaComposer.Query.addFields({
+                permissions_me: {
+                    type: schemaComposer.createScalarTC({
+                        name: 'permissions_me_type',
+                        parseValue: (value) => value,
+                        serialize: (value) => value,
+                    }),
+                    resolve: async (_, _args, __, _info) => {
+                        if (!this.accountability?.user && !this.accountability?.role)
+                            return null;
+                        const result = await fetchAccountabilityCollectionAccess(this.accountability, {
+                            schema: this.schema,
+                            knex: getDatabase(),
+                        });
+                        return result;
+                    },
+                },
+            });
+        }
+        if ('directus_roles' in schema.read.collections) {
+            schemaComposer.Query.addFields({
+                roles_me: {
+                    type: ReadCollectionTypes['directus_roles'].List,
+                    resolve: async (_, args, __, info) => {
+                        if (!this.accountability?.user && !this.accountability?.role)
+                            return null;
+                        const service = new RolesService({
+                            accountability: this.accountability,
+                            schema: this.schema,
+                        });
+                        const selections = this.replaceFragmentsInSelections(info.fieldNodes[0]?.selectionSet?.selections, info.fragments);
+                        const query = this.getQuery(args, selections || [], info.variableValues);
+                        query.limit = -1;
+                        const roles = await service.readMany(this.accountability.roles, query);
+                        return roles;
+                    },
+                },
+            });
+        }
+        if ('directus_policies' in schema.read.collections) {
+            schemaComposer.Query.addFields({
+                policies_me_globals: {
+                    type: schemaComposer.createObjectTC({
+                        name: 'policy_me_globals_type',
+                        fields: {
+                            enforce_tfa: 'Boolean',
+                            app_access: 'Boolean',
+                            admin_access: 'Boolean',
+                        },
+                    }),
+                    resolve: async (_, _args, __, _info) => {
+                        if (!this.accountability?.user && !this.accountability?.role)
+                            return null;
+                        const result = await fetchAccountabilityPolicyGlobals(this.accountability, {
+                            schema: this.schema,
+                            knex: getDatabase(),
+                        });
+                        return result;
+                    },
+                },
+            });
+        }
         if ('directus_users' in schema.update.collections && this.accountability?.user) {
             schemaComposer.Mutation.addFields({
                 update_users_me: {

package/dist/services/graphql/subscription.js CHANGED Viewed

@@ -1,7 +1,6 @@
 import { EventEmitter, on } from 'events';
 import { useBus } from '../../bus/index.js';
 import { getSchema } from '../../utils/get-schema.js';
-import { refreshAccountability } from '../../websocket/authenticate.js';
 import { getPayload } from '../../websocket/utils/items.js';
 const messages = createPubSub(new EventEmitter());
 export function bindPubSub() {
@@ -19,7 +18,6 @@ export function createSubscriptionGenerator(self, event) {
             if ('event' in args && eventData['action'] !== args['event']) {
                 continue; // skip filtered events
             }
-            const accountability = await refreshAccountability(self.accountability);
             const schema = await getSchema();
             const subscription = {
                 collection: eventData['collection'],
@@ -35,7 +33,7 @@ export function createSubscriptionGenerator(self, event) {
             if (eventData['action'] === 'create') {
                 try {
                     subscription.item = eventData['key'];
-                    const result = await getPayload(subscription, accountability, schema, eventData);
+                    const result = await getPayload(subscription, self.accountability, schema, eventData);
                     yield {
                         [event]: {
                             key: eventData['key'],
@@ -52,7 +50,7 @@ export function createSubscriptionGenerator(self, event) {
                 for (const key of eventData['keys']) {
                     try {
                         subscription.item = key;
-                        const result = await getPayload(subscription, accountability, schema, eventData);
+                        const result = await getPayload(subscription, self.accountability, schema, eventData);
                         yield {
                             [event]: {
                                 key,

package/dist/services/graphql/utils/process-error.js CHANGED Viewed

@@ -1,5 +1,5 @@
 import { isDirectusError } from '@directus/errors';
-import { useLogger } from '../../../logger.js';
+import { useLogger } from '../../../logger/index.js';
 const processError = (accountability, error) => {
     const logger = useLogger();
     logger.error(error);

package/dist/services/graphql/utils/sanitize-gql-schema.js CHANGED Viewed

@@ -1,4 +1,4 @@
-import { useLogger } from '../../../logger.js';
+import { useLogger } from '../../../logger/index.js';
 /**
  * Regex was taken from the spec
  * https://spec.graphql.org/June2018/#sec-Names

package/dist/services/import-export.js CHANGED Viewed

@@ -14,7 +14,8 @@ import Papa from 'papaparse';
 import StreamArray from 'stream-json/streamers/StreamArray.js';
 import getDatabase from '../database/index.js';
 import emitter from '../emitter.js';
-import { useLogger } from '../logger.js';
+import { useLogger } from '../logger/index.js';
+import { validateAccess } from '../permissions/modules/validate-access/validate-access.js';
 import { getDateFormatted } from '../utils/get-date-formatted.js';
 import { getService } from '../utils/get-service.js';
 import { transaction } from '../utils/transaction.js';
@@ -37,10 +38,23 @@ export class ImportService {
     async import(collection, mimetype, stream) {
         if (this.accountability?.admin !== true && isSystemCollection(collection))
             throw new ForbiddenError();
-        const createPermissions = this.accountability?.permissions?.find((permission) => permission.collection === collection && permission.action === 'create');
-        const updatePermissions = this.accountability?.permissions?.find((permission) => permission.collection === collection && permission.action === 'update');
-        if (this.accountability?.admin !== true && (!createPermissions || !updatePermissions)) {
-            throw new ForbiddenError();
+        if (this.accountability) {
+            await validateAccess({
+                accountability: this.accountability,
+                action: 'create',
+                collection,
+            }, {
+                schema: this.schema,
+                knex: this.knex,
+            });
+            await validateAccess({
+                accountability: this.accountability,
+                action: 'update',
+                collection,
+            }, {
+                schema: this.schema,
+                knex: this.knex,
+            });
         }
         switch (mimetype) {
             case 'application/json':

package/dist/services/index.d.ts CHANGED Viewed

@@ -1,7 +1,7 @@
+export * from './access.js';
 export * from './activity.js';
 export * from './assets.js';
 export * from './authentication.js';
-export * from './authorization.js';
 export * from './collections.js';
 export * from './dashboards.js';
 export * from './extensions.js';
@@ -18,7 +18,8 @@ export * from './notifications.js';
 export * from './operations.js';
 export * from './panels.js';
 export * from './payload.js';
-export * from './permissions/index.js';
+export * from './permissions.js';
+export * from './policies.js';
 export * from './presets.js';
 export * from './relations.js';
 export * from './revisions.js';

package/dist/services/index.js CHANGED Viewed

@@ -1,7 +1,7 @@
+export * from './access.js';
 export * from './activity.js';
 export * from './assets.js';
 export * from './authentication.js';
-export * from './authorization.js';
 export * from './collections.js';
 export * from './dashboards.js';
 export * from './extensions.js';
@@ -18,7 +18,8 @@ export * from './notifications.js';
 export * from './operations.js';
 export * from './panels.js';
 export * from './payload.js';
-export * from './permissions/index.js';
+export * from './permissions.js';
+export * from './policies.js';
 export * from './presets.js';
 export * from './relations.js';
 export * from './revisions.js';