@directus/api 21.0.0-rc.0 → 21.0.0

package/dist/app.js

@@ -10,7 +10,6 @@ import path from 'path';
 import qs from 'qs';
 import { registerAuthProviders } from './auth.js';
 import activityRouter from './controllers/activity.js';
-import accessRouter from './controllers/access.js';
 import assetsRouter from './controllers/assets.js';
 import authRouter from './controllers/auth.js';
 import collectionsRouter from './controllers/collections.js';
@@ -27,7 +26,6 @@ import notificationsRouter from './controllers/notifications.js';
 import operationsRouter from './controllers/operations.js';
 import panelsRouter from './controllers/panels.js';
 import permissionsRouter from './controllers/permissions.js';
-import policiesRouter from './controllers/policies.js';
 import presetsRouter from './controllers/presets.js';
 import relationsRouter from './controllers/relations.js';
 import revisionsRouter from './controllers/revisions.js';
@@ -49,9 +47,11 @@ import { getFlowManager } from './flows.js';
 import { createExpressLogger, useLogger } from './logger/index.js';
 import authenticate from './middleware/authenticate.js';
 import cache from './middleware/cache.js';
+import { checkIP } from './middleware/check-ip.js';
 import cors from './middleware/cors.js';
-import errorHandler from './middleware/error-handler.js';
+import { errorHandler } from './middleware/error-handler.js';
 import extractToken from './middleware/extract-token.js';
+import getPermissions from './middleware/get-permissions.js';
 import rateLimiterGlobal from './middleware/rate-limiter-global.js';
 import rateLimiter from './middleware/rate-limiter-ip.js';
 import sanitizeQuery from './middleware/sanitize-query.js';
@@ -198,15 +198,16 @@ export default async function createApp() {
     }
     app.get('/server/ping', (_req, res) => res.send('pong'));
     app.use(authenticate);
+    app.use(checkIP);
     app.use(sanitizeQuery);
     app.use(cache);
     app.use(schema);
+    app.use(getPermissions);
     await emitter.emitInit('middlewares.after', { app });
     await emitter.emitInit('routes.before', { app });
     app.use('/auth', authRouter);
     app.use('/graphql', graphqlRouter);
     app.use('/activity', activityRouter);
-    app.use('/access', accessRouter);
     app.use('/assets', assetsRouter);
     app.use('/collections', collectionsRouter);
     app.use('/dashboards', dashboardsRouter);
@@ -223,7 +224,6 @@ export default async function createApp() {
     app.use('/operations', operationsRouter);
     app.use('/panels', panelsRouter);
     app.use('/permissions', permissionsRouter);
-    app.use('/policies', policiesRouter);
     app.use('/presets', presetsRouter);
     app.use('/translations', translationsRouter);
     app.use('/relations', relationsRouter);

package/dist/auth/drivers/ldap.js

@@ -3,17 +3,16 @@ import { ErrorCode, InvalidCredentialsError, InvalidPayloadError, InvalidProvide
 import { Router } from 'express';
 import Joi from 'joi';
 import ldap from 'ldapjs';
-import { REFRESH_COOKIE_OPTIONS, SESSION_COOKIE_OPTIONS } from '../../constants.js';
 import getDatabase from '../../database/index.js';
 import emitter from '../../emitter.js';
 import { useLogger } from '../../logger/index.js';
 import { respond } from '../../middleware/respond.js';
-import { createDefaultAccountability } from '../../permissions/utils/create-default-accountability.js';
 import { AuthenticationService } from '../../services/authentication.js';
 import { UsersService } from '../../services/users.js';
 import asyncHandler from '../../utils/async-handler.js';
 import { getIPFromReq } from '../../utils/get-ip-from-req.js';
 import { AuthDriver } from '../auth.js';
+import { REFRESH_COOKIE_OPTIONS, SESSION_COOKIE_OPTIONS } from '../../constants.js';
 // 0x2: ACCOUNTDISABLE
 // 0x10: LOCKOUT
 // 0x800000: PASSWORD_EXPIRED
@@ -296,9 +295,10 @@ export function createLDAPAuthRouter(provider) {
     }).unknown();
     router.post('/', asyncHandler(async (req, res, next) => {
         const env = useEnv();
-        const accountability = createDefaultAccountability({
+        const accountability = {
             ip: getIPFromReq(req),
-        });
+            role: null,
+        };
         const userAgent = req.get('user-agent')?.substring(0, 1024);
         if (userAgent)
             accountability.userAgent = userAgent;

package/dist/auth/drivers/local.js

@@ -1,12 +1,11 @@
-import { useEnv } from '@directus/env';
 import { InvalidCredentialsError, InvalidPayloadError } from '@directus/errors';
 import argon2 from 'argon2';
 import { Router } from 'express';
 import Joi from 'joi';
 import { performance } from 'perf_hooks';
 import { REFRESH_COOKIE_OPTIONS, SESSION_COOKIE_OPTIONS } from '../../constants.js';
+import { useEnv } from '@directus/env';
 import { respond } from '../../middleware/respond.js';
-import { createDefaultAccountability } from '../../permissions/utils/create-default-accountability.js';
 import { AuthenticationService } from '../../services/authentication.js';
 import asyncHandler from '../../utils/async-handler.js';
 import { getIPFromReq } from '../../utils/get-ip-from-req.js';
@@ -48,9 +47,10 @@ export function createLocalAuthRouter(provider) {
     router.post('/', asyncHandler(async (req, res, next) => {
         const STALL_TIME = env['LOGIN_STALL_TIME'];
         const timeStart = performance.now();
-        const accountability = createDefaultAccountability({
+        const accountability = {
             ip: getIPFromReq(req),
-        });
+            role: null,
+        };
         const userAgent = req.get('user-agent')?.substring(0, 1024);
         if (userAgent)
             accountability.userAgent = userAgent;

package/dist/auth/drivers/oauth2.js

@@ -11,16 +11,15 @@ import getDatabase from '../../database/index.js';
 import emitter from '../../emitter.js';
 import { useLogger } from '../../logger/index.js';
 import { respond } from '../../middleware/respond.js';
-import { createDefaultAccountability } from '../../permissions/utils/create-default-accountability.js';
 import { AuthenticationService } from '../../services/authentication.js';
 import { UsersService } from '../../services/users.js';
 import asyncHandler from '../../utils/async-handler.js';
 import { getConfigFromEnv } from '../../utils/get-config-from-env.js';
 import { getIPFromReq } from '../../utils/get-ip-from-req.js';
-import { getSecret } from '../../utils/get-secret.js';
 import { isLoginRedirectAllowed } from '../../utils/is-login-redirect-allowed.js';
 import { Url } from '../../utils/url.js';
 import { LocalAuthDriver } from './local.js';
+import { getSecret } from '../../utils/get-secret.js';
 export class OAuth2AuthDriver extends LocalAuthDriver {
     client;
     redirectUrl;
@@ -252,9 +251,10 @@ export function createOAuth2AuthRouter(providerName) {
             throw new InvalidCredentialsError();
         }
         const { verifier, redirect, prompt } = tokenData;
-        const accountability = createDefaultAccountability({
+        const accountability = {
             ip: getIPFromReq(req),
-        });
+            role: null,
+        };
         const userAgent = req.get('user-agent')?.substring(0, 1024);
         if (userAgent)
             accountability.userAgent = userAgent;

package/dist/auth/drivers/openid.js

@@ -11,7 +11,6 @@ import getDatabase from '../../database/index.js';
 import emitter from '../../emitter.js';
 import { useLogger } from '../../logger/index.js';
 import { respond } from '../../middleware/respond.js';
-import { createDefaultAccountability } from '../../permissions/utils/create-default-accountability.js';
 import { AuthenticationService } from '../../services/authentication.js';
 import { UsersService } from '../../services/users.js';
 import asyncHandler from '../../utils/async-handler.js';
@@ -273,7 +272,10 @@ export function createOpenIDAuthRouter(providerName) {
             throw new InvalidCredentialsError();
         }
         const { verifier, redirect, prompt } = tokenData;
-        const accountability = createDefaultAccountability({ ip: getIPFromReq(req) });
+        const accountability = {
+            ip: getIPFromReq(req),
+            role: null,
+        };
         const userAgent = req.get('user-agent')?.substring(0, 1024);
         if (userAgent)
             accountability.userAgent = userAgent;

package/dist/cache.d.ts

@@ -3,7 +3,6 @@ import Keyv from 'keyv';
 export declare function getCache(): {
     cache: Keyv | null;
     systemCache: Keyv;
-    sharedSchemaCache: Keyv;
     localSchemaCache: Keyv;
     lockCache: Keyv;
 };

package/dist/cache.js

@@ -1,5 +1,4 @@
 import { useEnv } from '@directus/env';
-import { getSimpleHash } from '@directus/utils';
 import Keyv from 'keyv';
 import { useBus } from './bus/index.js';
 import { useLogger } from './logger/index.js';
@@ -8,7 +7,6 @@ import { compress, decompress } from './utils/compress.js';
 import { getConfigFromEnv } from './utils/get-config-from-env.js';
 import { getMilliseconds } from './utils/get-milliseconds.js';
 import { validateEnv } from './utils/validate-env.js';
-import { clearCache as clearPermissionCache } from './permissions/cache.js';
 import { createRequire } from 'node:module';
 const logger = useLogger();
 const env = useEnv();
@@ -16,16 +14,16 @@ const require = createRequire(import.meta.url);
 let cache = null;
 let systemCache = null;
 let localSchemaCache = null;
-let sharedSchemaCache = null;
 let lockCache = null;
 let messengerSubscribed = false;
 const messenger = useBus();
-if (redisConfigAvailable() && env['CACHE_STORE'] === 'memory' && env['CACHE_AUTO_PURGE'] && !messengerSubscribed) {
+if (redisConfigAvailable() && !messengerSubscribed) {
     messengerSubscribed = true;
     messenger.subscribe('schemaChanged', async (opts) => {
-        if (cache && opts?.['autoPurgeCache'] !== false) {
+        if (env['CACHE_STORE'] === 'memory' && env['CACHE_AUTO_PURGE'] && cache && opts?.['autoPurgeCache'] !== false) {
             await cache.clear();
         }
+        await localSchemaCache?.clear();
     });
 }
 export function getCache() {
@@ -38,10 +36,6 @@ export function getCache() {
         systemCache = getKeyvInstance(env['CACHE_STORE'], getMilliseconds(env['CACHE_SYSTEM_TTL']), '_system');
         systemCache.on('error', (err) => logger.warn(err, `[system-cache] ${err}`));
     }
-    if (sharedSchemaCache === null) {
-        sharedSchemaCache = getKeyvInstance(env['CACHE_STORE'], getMilliseconds(env['CACHE_SYSTEM_TTL']), '_schema_shared');
-        sharedSchemaCache.on('error', (err) => logger.warn(err, `[shared-schema-cache] ${err}`));
-    }
     if (localSchemaCache === null) {
         localSchemaCache = getKeyvInstance('memory', getMilliseconds(env['CACHE_SYSTEM_TTL']), '_schema');
         localSchemaCache.on('error', (err) => logger.warn(err, `[schema-cache] ${err}`));
@@ -50,7 +44,7 @@ export function getCache() {
         lockCache = getKeyvInstance(env['CACHE_STORE'], undefined, '_lock');
         lockCache.on('error', (err) => logger.warn(err, `[lock-cache] ${err}`));
     }
-    return { cache, systemCache, sharedSchemaCache, localSchemaCache, lockCache };
+    return { cache, systemCache, localSchemaCache, lockCache };
 }
 export async function flushCaches(forced) {
     const { cache } = getCache();
@@ -58,17 +52,14 @@ export async function flushCaches(forced) {
     await cache?.clear();
 }
 export async function clearSystemCache(opts) {
-    const { systemCache, localSchemaCache, lockCache, sharedSchemaCache } = getCache();
+    const { systemCache, localSchemaCache, lockCache } = getCache();
     // Flush system cache when forced or when system cache lock not set
     if (opts?.forced || !(await lockCache.get('system-cache-lock'))) {
         await lockCache.set('system-cache-lock', true, 10000);
         await systemCache.clear();
         await lockCache.delete('system-cache-lock');
     }
-    await sharedSchemaCache.clear();
     await localSchemaCache.clear();
-    // Since a lot of cached permission function rely on the schema it needs to be cleared as well
-    await clearPermissionCache();
     messenger.publish('schemaChanged', { autoPurgeCache: opts?.autoPurgeCache });
 }
 export async function setSystemCache(key, value, ttl) {
@@ -82,20 +73,11 @@ export async function getSystemCache(key) {
     return await getCacheValue(systemCache, key);
 }
 export async function setSchemaCache(schema) {
-    const { localSchemaCache, sharedSchemaCache } = getCache();
-    const schemaHash = getSimpleHash(JSON.stringify(schema));
-    await sharedSchemaCache.set('hash', schemaHash);
+    const { localSchemaCache } = getCache();
     await localSchemaCache.set('schema', schema);
-    await localSchemaCache.set('hash', schemaHash);
 }
 export async function getSchemaCache() {
-    const { localSchemaCache, sharedSchemaCache } = getCache();
-    const sharedSchemaHash = await sharedSchemaCache.get('hash');
-    if (!sharedSchemaHash)
-        return;
-    const localSchemaHash = await localSchemaCache.get('hash');
-    if (!localSchemaHash || localSchemaHash !== sharedSchemaHash)
-        return;
+    const { localSchemaCache } = getCache();
     return await localSchemaCache.get('schema');
 }
 export async function setCacheValue(cache, key, value, ttl) {

package/dist/cli/commands/bootstrap/index.js

@@ -3,13 +3,11 @@ import getDatabase, { hasDatabaseConnection, isInstalled, validateDatabaseConnec
 import runMigrations from '../../../database/migrations/run.js';
 import installDatabase from '../../../database/seeds/run.js';
 import { useLogger } from '../../../logger/index.js';
-import { AccessService } from '../../../services/access.js';
-import { PoliciesService } from '../../../services/policies.js';
 import { RolesService } from '../../../services/roles.js';
 import { SettingsService } from '../../../services/settings.js';
 import { UsersService } from '../../../services/users.js';
 import { getSchema } from '../../../utils/get-schema.js';
-import { defaultAdminPolicy, defaultAdminRole, defaultAdminUser } from '../../utils/defaults.js';
+import { defaultAdminRole, defaultAdminUser } from '../../utils/defaults.js';
 export default async function bootstrap({ skipAdminInit }) {
     const logger = useLogger();
     logger.info('Initializing bootstrap...');
@@ -60,12 +58,8 @@ async function createDefaultAdmin(schema) {
     const env = useEnv();
     const { nanoid } = await import('nanoid');
     logger.info('Setting up first admin role...');
-    const accessService = new AccessService({ schema });
-    const policiesService = new PoliciesService({ schema });
     const rolesService = new RolesService({ schema });
     const role = await rolesService.createOne(defaultAdminRole);
-    const policy = await policiesService.createOne(defaultAdminPolicy);
-    await accessService.createOne({ policy, role });
     logger.info('Adding first admin user...');
     const usersService = new UsersService({ schema });
     let adminEmail = env['ADMIN_EMAIL'];
@@ -79,5 +73,5 @@ async function createDefaultAdmin(schema) {
         logger.info(`No admin password provided. Defaulting to "${adminPassword}"`);
     }
     const token = env['ADMIN_TOKEN'] ?? null;
-    await usersService.createOne({ ...defaultAdminUser, email: adminEmail, password: adminPassword, token, role });
+    await usersService.createOne({ email: adminEmail, password: adminPassword, token, role, ...defaultAdminUser });
 }

package/dist/cli/commands/init/index.js

@@ -9,7 +9,7 @@ import runSeed from '../../../database/seeds/run.js';
 import { generateHash } from '../../../utils/generate-hash.js';
 import createDBConnection from '../../utils/create-db-connection.js';
 import createEnv from '../../utils/create-env/index.js';
-import { defaultAdminPolicy, defaultAdminRole, defaultAdminUser } from '../../utils/defaults.js';
+import { defaultAdminRole, defaultAdminUser } from '../../utils/defaults.js';
 import { drivers, getDriverForClient } from '../../utils/drivers.js';
 import { databaseQuestions } from './questions.js';
 export default async function init() {
@@ -79,17 +79,18 @@ export default async function init() {
         },
     ]);
     firstUser.password = await generateHash(firstUser.password);
-    const role = randomUUID();
-    const policy = randomUUID();
-    await db('directus_roles').insert({ ...defaultAdminRole, id: role });
-    await db('directus_policies').insert({ ...defaultAdminPolicy, id: policy });
-    await db('directus_access').insert({ id: randomUUID(), role, policy });
+    const userID = randomUUID();
+    const roleID = randomUUID();
+    await db('directus_roles').insert({
+        id: roleID,
+        ...defaultAdminRole,
+    });
     await db('directus_users').insert({
-        ...defaultAdminUser,
-        id: randomUUID(),
+        id: userID,
         email: firstUser.email,
         password: firstUser.password,
-        role,
+        role: roleID,
+        ...defaultAdminUser,
     });
     await db.destroy();
     process.stdout.write(`\nYour project has been created at ${chalk.green(rootPath)}.\n`);

package/dist/cli/utils/defaults.d.ts

@@ -1,4 +1,11 @@
-import type { Policy, Role, User } from '@directus/types';
-export declare const defaultAdminRole: Partial<Role>;
-export declare const defaultAdminUser: Partial<User>;
-export declare const defaultAdminPolicy: Partial<Policy>;
+export declare const defaultAdminRole: {
+    name: string;
+    icon: string;
+    admin_access: boolean;
+    description: string;
+};
+export declare const defaultAdminUser: {
+    status: string;
+    first_name: string;
+    last_name: string;
+};

package/dist/cli/utils/defaults.js

@@ -1,6 +1,7 @@
 export const defaultAdminRole = {
     name: 'Administrator',
     icon: 'verified',
+    admin_access: true,
     description: '$t:admin_description',
 };
 export const defaultAdminUser = {
@@ -8,10 +9,3 @@ export const defaultAdminUser = {
     first_name: 'Admin',
     last_name: 'User',
 };
-export const defaultAdminPolicy = {
-    name: 'Administrator',
-    icon: 'verified',
-    admin_access: true,
-    app_access: true,
-    description: '$t:admin_description',
-};

package/dist/constants.d.ts

@@ -6,7 +6,7 @@ export declare const FILTER_VARIABLES: string[];
 export declare const ALIAS_TYPES: string[];
 export declare const DEFAULT_AUTH_PROVIDER = "default";
 export declare const COLUMN_TRANSFORMS: string[];
-export declare const GENERATE_SPECIAL: readonly ["uuid", "date-created", "role-created", "user-created"];
+export declare const GENERATE_SPECIAL: string[];
 export declare const UUID_REGEX = "[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}";
 export declare const REFRESH_COOKIE_OPTIONS: CookieOptions;
 export declare const SESSION_COOKIE_OPTIONS: CookieOptions;

package/dist/controllers/auth.js

@@ -5,7 +5,6 @@ import { createLDAPAuthRouter, createLocalAuthRouter, createOAuth2AuthRouter, cr
 import { DEFAULT_AUTH_PROVIDER, REFRESH_COOKIE_OPTIONS, SESSION_COOKIE_OPTIONS } from '../constants.js';
 import { useLogger } from '../logger/index.js';
 import { respond } from '../middleware/respond.js';
-import { createDefaultAccountability } from '../permissions/utils/create-default-accountability.js';
 import { AuthenticationService } from '../services/authentication.js';
 import { UsersService } from '../services/users.js';
 import asyncHandler from '../utils/async-handler.js';
@@ -72,7 +71,10 @@ function getCurrentRefreshToken(req, mode) {
     return undefined;
 }
 router.post('/refresh', asyncHandler(async (req, res, next) => {
-    const accountability = createDefaultAccountability({ ip: getIPFromReq(req) });
+    const accountability = {
+        ip: getIPFromReq(req),
+        role: null,
+    };
     const userAgent = req.get('user-agent')?.substring(0, 1024);
     if (userAgent)
         accountability.userAgent = userAgent;
@@ -109,7 +111,10 @@ router.post('/refresh', asyncHandler(async (req, res, next) => {
     return next();
 }), respond);
 router.post('/logout', asyncHandler(async (req, res, next) => {
-    const accountability = createDefaultAccountability({ ip: getIPFromReq(req) });
+    const accountability = {
+        ip: getIPFromReq(req),
+        role: null,
+    };
     const userAgent = req.get('user-agent')?.substring(0, 1024);
     if (userAgent)
         accountability.userAgent = userAgent;
@@ -140,7 +145,10 @@ router.post('/password/request', asyncHandler(async (req, _res, next) => {
     if (typeof req.body.email !== 'string') {
         throw new InvalidPayloadError({ reason: `"email" field is required` });
     }
-    const accountability = createDefaultAccountability({ ip: getIPFromReq(req) });
+    const accountability = {
+        ip: getIPFromReq(req),
+        role: null,
+    };
     const userAgent = req.get('user-agent')?.substring(0, 1024);
     if (userAgent)
         accountability.userAgent = userAgent;
@@ -169,7 +177,10 @@ router.post('/password/reset', asyncHandler(async (req, _res, next) => {
     if (typeof req.body.password !== 'string') {
         throw new InvalidPayloadError({ reason: `"password" field is required` });
     }
-    const accountability = createDefaultAccountability({ ip: getIPFromReq(req) });
+    const accountability = {
+        ip: getIPFromReq(req),
+        role: null,
+    };
     const userAgent = req.get('user-agent')?.substring(0, 1024);
     if (userAgent)
         accountability.userAgent = userAgent;

package/dist/controllers/permissions.js

@@ -1,12 +1,10 @@
-import { ErrorCode, ForbiddenError, isDirectusError } from '@directus/errors';
+import { ErrorCode, isDirectusError } from '@directus/errors';
 import express from 'express';
-import getDatabase from '../database/index.js';
 import { respond } from '../middleware/respond.js';
 import useCollection from '../middleware/use-collection.js';
 import { validateBatch } from '../middleware/validate-batch.js';
-import { fetchAccountabilityCollectionAccess } from '../permissions/modules/fetch-accountability-collection-access/fetch-accountability-collection-access.js';
 import { MetaService } from '../services/meta.js';
-import { PermissionsService } from '../services/permissions.js';
+import { PermissionsService } from '../services/permissions/index.js';
 import asyncHandler from '../utils/async-handler.js';
 import { sanitizeQuery } from '../utils/sanitize-query.js';
 const router = express.Router();
@@ -71,16 +69,6 @@ const readHandler = asyncHandler(async (req, res, next) => {
 });
 router.get('/', validateBatch('read'), readHandler, respond);
 router.search('/', validateBatch('read'), readHandler, respond);
-router.get('/me', asyncHandler(async (req, res, next) => {
-    if (!req.accountability?.user && !req.accountability?.role)
-        throw new ForbiddenError();
-    const result = await fetchAccountabilityCollectionAccess(req.accountability, {
-        schema: req.schema,
-        knex: getDatabase(),
-    });
-    res.locals['payload'] = { data: result };
-    return next();
-}), respond);
 router.get('/:pk', asyncHandler(async (req, res, next) => {
     if (req.path.endsWith('me'))
         return next();

package/dist/controllers/roles.js

@@ -1,4 +1,4 @@
-import { ErrorCode, ForbiddenError, isDirectusError } from '@directus/errors';
+import { ErrorCode, isDirectusError } from '@directus/errors';
 import express from 'express';
 import { respond } from '../middleware/respond.js';
 import useCollection from '../middleware/use-collection.js';
@@ -57,27 +57,6 @@ const readHandler = asyncHandler(async (req, res, next) => {
 });
 router.get('/', validateBatch('read'), readHandler, respond);
 router.search('/', validateBatch('read'), readHandler, respond);
-router.get('/me', asyncHandler(async (req, res, next) => {
-    if (!req.accountability?.user && !req.accountability?.role)
-        throw new ForbiddenError();
-    const service = new RolesService({
-        accountability: req.accountability,
-        schema: req.schema,
-    });
-    const query = { ...req.sanitizedQuery, limit: -1 };
-    try {
-        const roles = await service.readMany(req.accountability.roles, query);
-        res.locals['payload'] = { data: roles || null };
-    }
-    catch (error) {
-        if (isDirectusError(error, ErrorCode.Forbidden)) {
-            res.locals['payload'] = { data: req.accountability.roles.map((id) => ({ id })) };
-            return next();
-        }
-        throw error;
-    }
-    return next();
-}), respond);
 router.get('/:pk', asyncHandler(async (req, res, next) => {
     const service = new RolesService({
         accountability: req.accountability,

package/dist/controllers/tus.js

@@ -1,10 +1,10 @@
 import { Router } from 'express';
-import getDatabase from '../database/index.js';
-import { validateAccess } from '../permissions/modules/validate-access/validate-access.js';
 import { getSchema } from '../utils/get-schema.js';
 import { scheduleSynchronizedJob, validateCron } from '../utils/schedule.js';
 import { createTusServer } from '../services/tus/index.js';
+import { AuthorizationService } from '../services/authorization.js';
 import asyncHandler from '../utils/async-handler.js';
+import { ForbiddenError } from '@directus/errors';
 import { RESUMABLE_UPLOADS } from '../constants.js';
 const mapAction = (method) => {
     switch (method) {
@@ -19,35 +19,49 @@ const mapAction = (method) => {
     }
 };
 const checkFileAccess = asyncHandler(async (req, _res, next) => {
-    if (req.accountability) {
+    const auth = new AuthorizationService({
+        accountability: req.accountability,
+        schema: req.schema,
+    });
+    if (!req.accountability?.admin) {
         const action = mapAction(req.method);
-        await validateAccess({
-            action,
-            collection: 'directus_files',
-            accountability: req.accountability,
-        }, {
-            schema: req.schema,
-            knex: getDatabase(),
-        });
+        if (action === 'create') {
+            // checkAccess doesn't seem to work as expected for "create" actions
+            const hasPermission = Boolean(req.accountability?.permissions?.find((permission) => {
+                return permission.collection === 'directus_files' && permission.action === action;
+            }));
+            if (!hasPermission)
+                throw new ForbiddenError();
+        }
+        else {
+            try {
+                await auth.checkAccess(action, 'directus_files');
+            }
+            catch (e) {
+                throw new ForbiddenError();
+            }
+        }
     }
     return next();
 });
 const handler = asyncHandler(async (req, res) => {
-    const tusServer = await createTusServer({
+    const [tusServer, cleanupServer] = await createTusServer({
         schema: req.schema,
         accountability: req.accountability,
     });
     await tusServer.handle(req, res);
+    cleanupServer();
 });
 export function scheduleTusCleanup() {
     if (!RESUMABLE_UPLOADS.ENABLED)
         return;
     if (validateCron(RESUMABLE_UPLOADS.SCHEDULE)) {
         scheduleSynchronizedJob('tus-cleanup', RESUMABLE_UPLOADS.SCHEDULE, async () => {
-            const tusServer = await createTusServer({
+            const [tusServer, cleanupServer] = await createTusServer({
                 schema: await getSchema(),
             });
             await tusServer.cleanUpExpiredUploads();
+            cleanupServer();
         });
     }
 }