@directus/api 21.0.0-rc.0 → 21.0.0

package/dist/services/fields.js

@@ -1,17 +1,14 @@
-import { DEFAULT_NUMERIC_PRECISION, DEFAULT_NUMERIC_SCALE, KNEX_TYPES, REGEX_BETWEEN_PARENS, } from '@directus/constants';
+import { KNEX_TYPES, REGEX_BETWEEN_PARENS, DEFAULT_NUMERIC_PRECISION, DEFAULT_NUMERIC_SCALE, } from '@directus/constants';
 import { ForbiddenError, InvalidPayloadError } from '@directus/errors';
 import { createInspector } from '@directus/schema';
 import { addFieldFlag, toArray } from '@directus/utils';
 import { isEqual, isNil, merge } from 'lodash-es';
-import { clearSystemCache, getCache } from '../cache.js';
+import { clearSystemCache, getCache, getCacheValue, setCacheValue } from '../cache.js';
 import { ALIAS_TYPES } from '../constants.js';
 import { translateDatabaseError } from '../database/errors/translate.js';
 import { getHelpers } from '../database/helpers/index.js';
 import getDatabase, { getSchemaInspector } from '../database/index.js';
 import emitter from '../emitter.js';
-import { fetchPermissions } from '../permissions/lib/fetch-permissions.js';
-import { fetchPolicies } from '../permissions/lib/fetch-policies.js';
-import { validateAccess } from '../permissions/modules/validate-access/validate-access.js';
 import getDefaultValue from '../utils/get-default-value.js';
 import { getSystemFieldRowsWithAuthProviders } from '../utils/get-field-system-rows.js';
 import getLocalType from '../utils/get-local-type.js';
@@ -22,7 +19,9 @@ import { transaction } from '../utils/transaction.js';
 import { ItemsService } from './items.js';
 import { PayloadService } from './payload.js';
 import { RelationsService } from './relations.js';
+import { useEnv } from '@directus/env';
 const systemFieldRows = getSystemFieldRowsWithAuthProviders();
+const env = useEnv();
 export class FieldsService {
     knex;
     helpers;
@@ -33,6 +32,7 @@ export class FieldsService {
     schema;
     cache;
     systemCache;
+    schemaCache;
     constructor(options) {
         this.knex = options.knex || getDatabase();
         this.helpers = getHelpers(this.knex);
@@ -41,21 +41,40 @@ export class FieldsService {
         this.itemsService = new ItemsService('directus_fields', options);
         this.payloadService = new PayloadService('directus_fields', options);
         this.schema = options.schema;
-        const { cache, systemCache } = getCache();
+        const { cache, systemCache, localSchemaCache } = getCache();
         this.cache = cache;
         this.systemCache = systemCache;
+        this.schemaCache = localSchemaCache;
+    }
+    get hasReadAccess() {
+        return !!this.accountability?.permissions?.find((permission) => {
+            return permission.collection === 'directus_fields' && permission.action === 'read';
+        });
+    }
+    async columnInfo(collection, field) {
+        const schemaCacheIsEnabled = Boolean(env['CACHE_SCHEMA']);
+        let columnInfo = null;
+        if (schemaCacheIsEnabled) {
+            columnInfo = await getCacheValue(this.schemaCache, 'columnInfo');
+        }
+        if (!columnInfo) {
+            columnInfo = await this.schemaInspector.columnInfo();
+            if (schemaCacheIsEnabled) {
+                setCacheValue(this.schemaCache, 'columnInfo', columnInfo);
+            }
+        }
+        if (collection) {
+            columnInfo = columnInfo.filter((column) => column.table === collection);
+        }
+        if (field) {
+            return columnInfo.find((column) => column.name === field);
+        }
+        return columnInfo;
     }
     async readAll(collection) {
         let fields;
-        if (this.accountability) {
-            await validateAccess({
-                accountability: this.accountability,
-                action: 'read',
-                collection: 'directus_fields',
-            }, {
-                schema: this.schema,
-                knex: this.knex,
-            });
+        if (this.accountability && this.accountability.admin !== true && this.hasReadAccess === false) {
+            throw new ForbiddenError();
         }
         const nonAuthorizedItemsService = new ItemsService('directus_fields', {
             knex: this.knex,
@@ -72,7 +91,7 @@ export class FieldsService {
             fields = (await nonAuthorizedItemsService.readByQuery({ limit: -1 }));
             fields.push(...systemFieldRows);
         }
-        const columns = (await this.schemaInspector.columnInfo(collection)).map((column) => ({
+        const columns = (await this.columnInfo(collection)).map((column) => ({
             ...column,
             default_value: getDefaultValue(column, fields.find((field) => field.collection === column.table && field.field === column.name)),
         }));
@@ -124,27 +143,12 @@ export class FieldsService {
         const result = [...columnsWithSystem, ...aliasFieldsAsField].filter((field) => knownCollections.includes(field.collection));
         // Filter the result so we only return the fields you have read access to
         if (this.accountability && this.accountability.admin !== true) {
-            const policies = await fetchPolicies(this.accountability, { knex: this.knex, schema: this.schema });
-            const permissions = await fetchPermissions(collection
-                ? {
-                    action: 'read',
-                    policies,
-                    collections: [collection],
-                    accountability: this.accountability,
-                }
-                : {
-                    action: 'read',
-                    policies,
-                    accountability: this.accountability,
-                }, { knex: this.knex, schema: this.schema });
+            const permissions = this.accountability.permissions.filter((permission) => {
+                return permission.action === 'read';
+            });
             const allowedFieldsInCollection = {};
             permissions.forEach((permission) => {
-                if (!allowedFieldsInCollection[permission.collection]) {
-                    allowedFieldsInCollection[permission.collection] = new Set();
-                }
-                for (const field of permission.fields ?? []) {
-                    allowedFieldsInCollection[permission.collection].add(field);
-                }
+                allowedFieldsInCollection[permission.collection] = permission.fields ?? [];
             });
             if (collection && collection in allowedFieldsInCollection === false) {
                 throw new ForbiddenError();
@@ -153,9 +157,9 @@ export class FieldsService {
                 if (field.collection in allowedFieldsInCollection === false)
                     return false;
                 const allowedFields = allowedFieldsInCollection[field.collection];
-                if (allowedFields.has('*'))
+                if (allowedFields[0] === '*')
                     return true;
-                return allowedFields.has(field.field);
+                return allowedFields.includes(field.field);
             });
         }
         // Update specific database type overrides
@@ -172,27 +176,18 @@ export class FieldsService {
     }
     async readOne(collection, field) {
         if (this.accountability && this.accountability.admin !== true) {
-            await validateAccess({
-                accountability: this.accountability,
-                action: 'read',
-                collection,
-            }, {
-                schema: this.schema,
-                knex: this.knex,
-            });
-            const policies = await fetchPolicies(this.accountability, { knex: this.knex, schema: this.schema });
-            const permissions = await fetchPermissions({ action: 'read', policies, collections: [collection], accountability: this.accountability }, { knex: this.knex, schema: this.schema });
-            let hasAccess = false;
-            for (const permission of permissions) {
-                if (permission.fields) {
-                    if (permission.fields.includes('*') || permission.fields.includes(field)) {
-                        hasAccess = true;
-                        break;
-                    }
-                }
+            if (this.hasReadAccess === false) {
+                throw new ForbiddenError();
             }
-            if (!hasAccess) {
+            const permissions = this.accountability.permissions.find((permission) => {
+                return permission.action === 'read' && permission.collection === collection;
+            });
+            if (!permissions || !permissions.fields)
                 throw new ForbiddenError();
+            if (permissions.fields.includes('*') === false) {
+                const allowedFields = permissions.fields;
+                if (allowedFields.includes(field) === false)
+                    throw new ForbiddenError();
             }
         }
         let column = undefined;
@@ -204,7 +199,7 @@ export class FieldsService {
             fieldInfo ||
                 systemFieldRows.find((fieldMeta) => fieldMeta.collection === collection && fieldMeta.field === field);
         try {
-            column = await this.schemaInspector.columnInfo(collection, field);
+            column = await this.columnInfo(collection, field);
         }
         catch {
             // Do nothing
@@ -359,7 +354,7 @@ export class FieldsService {
                 throw new InvalidPayloadError({ reason: 'Alias type cannot be changed' });
             }
             if (hookAdjustedField.schema) {
-                const existingColumn = await this.schemaInspector.columnInfo(collection, hookAdjustedField.field);
+                const existingColumn = await this.columnInfo(collection, hookAdjustedField.field);
                 if (hookAdjustedField.schema?.is_nullable === true && existingColumn.is_primary_key) {
                     throw new InvalidPayloadError({ reason: 'Primary key cannot be null' });
                 }

package/dist/services/files/lib/get-sharp-instance.d.ts

@@ -0,0 +1,2 @@
+import { type Sharp } from 'sharp';
+export declare function getSharpInstance(): Sharp;

package/dist/services/files/lib/get-sharp-instance.js

@@ -0,0 +1,10 @@
+import { useEnv } from '@directus/env';
+import sharp, {} from 'sharp';
+export function getSharpInstance() {
+    const env = useEnv();
+    return sharp({
+        limitInputPixels: Math.trunc(Math.pow(env['ASSETS_TRANSFORM_IMAGE_MAX_DIMENSION'], 2)),
+        sequentialRead: true,
+        failOn: env['ASSETS_INVALID_IMAGE_SENSITIVITY_LEVEL'],
+    });
+}

package/dist/services/files/utils/get-metadata.js

@@ -1,19 +1,20 @@
+import { useEnv } from '@directus/env';
 import exif, {} from 'exif-reader';
 import { parse as parseIcc } from 'icc';
 import { pick } from 'lodash-es';
 import { pipeline } from 'node:stream/promises';
-import sharp from 'sharp';
-import { useEnv } from '@directus/env';
 import { useLogger } from '../../../logger/index.js';
+import { getSharpInstance } from '../lib/get-sharp-instance.js';
 import { parseIptc, parseXmp } from './parse-image-metadata.js';
 const env = useEnv();
 const logger = useLogger();
 export async function getMetadata(stream, allowList = env['FILE_METADATA_ALLOW_LIST']) {
-    return new Promise((resolve, reject) => {
-        pipeline(stream, sharp().metadata(async (err, sharpMetadata) => {
+    const transformer = getSharpInstance();
+    return new Promise((resolve) => {
+        pipeline(stream, transformer.metadata(async (err, sharpMetadata) => {
             if (err) {
-                reject(err);
-                return;
+                logger.error(err);
+                return resolve({});
             }
             const metadata = {};
             if (sharpMetadata.orientation && sharpMetadata.orientation >= 5) {

package/dist/services/files.js

@@ -12,7 +12,6 @@ import url from 'url';
 import { RESUMABLE_UPLOADS } from '../constants.js';
 import emitter from '../emitter.js';
 import { useLogger } from '../logger/index.js';
-import { validateAccess } from '../permissions/modules/validate-access/validate-access.js';
 import { getAxios } from '../request/index.js';
 import { getStorage } from '../storage/index.js';
 import { extractMetadata } from './files/lib/extract-metadata.js';
@@ -58,6 +57,10 @@ export class FilesService extends ItemsService {
         const fileExtension = path.extname(payload.filename_download) || (payload.type && '.' + extension(payload.type)) || '';
         // The filename_disk is the FINAL filename on disk
         payload.filename_disk ||= primaryKey + (fileExtension || '');
+        // If the filename_disk extension doesn't match the new mimetype, update it
+        if (isReplacement === true && path.extname(payload.filename_disk) !== fileExtension) {
+            payload.filename_disk = primaryKey + (fileExtension || '');
+        }
         // Temp filename is used for replacements
         const tempFilenameDisk = 'temp_' + payload.filename_disk;
         if (!payload.type) {
@@ -126,6 +129,7 @@ export class FilesService extends ItemsService {
         const { size } = await storage.location(data.storage).stat(payload.filename_disk);
         payload.filesize = size;
         const metadata = await extractMetadata(data.storage, payload);
+        payload.uploaded_on = new Date().toISOString();
         // We do this in a service without accountability. Even if you don't have update permissions to the file,
         // we still want to be able to set the extracted values from the file on create
         const sudoService = new ItemsService('directus_files', {
@@ -153,15 +157,9 @@ export class FilesService extends ItemsService {
      * Import a single file from an external URL
      */
     async importOne(importURL, body) {
-        if (this.accountability) {
-            await validateAccess({
-                accountability: this.accountability,
-                action: 'create',
-                collection: 'directus_files',
-            }, {
-                knex: this.knex,
-                schema: this.schema,
-            });
+        const fileCreatePermissions = this.accountability?.permissions?.find((permission) => permission.collection === 'directus_files' && permission.action === 'create');
+        if (this.accountability && this.accountability?.admin !== true && !fileCreatePermissions) {
+            throw new ForbiddenError();
         }
         let fileResponse;
         try {

package/dist/services/graphql/index.d.ts

@@ -20,9 +20,9 @@ export declare class GraphQLService {
     /**
      * Generate the GraphQL schema. Pulls from the schema information generated by the get-schema util.
      */
-    getSchema(): Promise<GraphQLSchema>;
-    getSchema(type: 'schema'): Promise<GraphQLSchema>;
-    getSchema(type: 'sdl'): Promise<GraphQLSchema | string>;
+    getSchema(): GraphQLSchema;
+    getSchema(type: 'schema'): GraphQLSchema;
+    getSchema(type: 'sdl'): GraphQLSchema | string;
     /**
      * Generic resolver that's used for every "regular" items/system query. Converts the incoming GraphQL AST / fragments into
      * Directus' query structure which is then executed by the services.

package/dist/services/graphql/index.js

@@ -11,9 +11,6 @@ import { clearSystemCache, getCache } from '../../cache.js';
 import { DEFAULT_AUTH_PROVIDER, GENERATE_SPECIAL, REFRESH_COOKIE_OPTIONS, SESSION_COOKIE_OPTIONS, } from '../../constants.js';
 import getDatabase from '../../database/index.js';
 import { rateLimiter } from '../../middleware/rate-limiter-registration.js';
-import { fetchAllowedFieldMap } from '../../permissions/modules/fetch-allowed-field-map/fetch-allowed-field-map.js';
-import { fetchInconsistentFieldMap } from '../../permissions/modules/fetch-inconsistent-field-map/fetch-inconsistent-field-map.js';
-import { createDefaultAccountability } from '../../permissions/utils/create-default-accountability.js';
 import { generateHash } from '../../utils/generate-hash.js';
 import { getGraphQLType } from '../../utils/get-graphql-type.js';
 import { getIPFromReq } from '../../utils/get-ip-from-req.js';
@@ -51,9 +48,6 @@ import { GraphQLVoid } from './types/void.js';
 import { addPathToValidationError } from './utils/add-path-to-validation-error.js';
 import processError from './utils/process-error.js';
 import { sanitizeGraphqlSchema } from './utils/sanitize-gql-schema.js';
-import { fetchAccountabilityCollectionAccess } from '../../permissions/modules/fetch-accountability-collection-access/fetch-accountability-collection-access.js';
-import { fetchAccountabilityPolicyGlobals } from '../../permissions/modules/fetch-accountability-policy-globals/fetch-accountability-policy-globals.js';
-import { RolesService } from '../roles.js';
 const env = useEnv();
 const validationRules = Array.from(specifiedRules);
 if (env['GRAPHQL_INTROSPECTION'] === false) {
@@ -86,7 +80,7 @@ export class GraphQLService {
      * Execute a GraphQL structure
      */
     async execute({ document, variables, operationName, contextValue, }) {
-        const schema = await this.getSchema();
+        const schema = this.getSchema();
         const validationErrors = validate(schema, document, validationRules).map((validationError) => addPathToValidationError(validationError));
         if (validationErrors.length > 0) {
             throw new GraphQLValidationError({ errors: validationErrors });
@@ -114,7 +108,7 @@ export class GraphQLService {
             formattedResult.extensions = result['extensions'];
         return formattedResult;
     }
-    async getSchema(type = 'schema') {
+    getSchema(type = 'schema') {
         const key = `${this.scope}_${type}_${this.accountability?.role}_${this.accountability?.user}`;
         const cachedSchema = cache.get(key);
         if (cachedSchema)
@@ -122,53 +116,20 @@ export class GraphQLService {
         // eslint-disable-next-line @typescript-eslint/no-this-alias
         const self = this;
         const schemaComposer = new SchemaComposer();
-        let schema;
         const sanitizedSchema = sanitizeGraphqlSchema(this.schema);
-        if (!this.accountability || this.accountability.admin) {
-            schema = {
-                read: sanitizedSchema,
-                create: sanitizedSchema,
-                update: sanitizedSchema,
-                delete: sanitizedSchema,
-            };
-        }
-        else {
-            schema = {
-                read: reduceSchema(sanitizedSchema, await fetchAllowedFieldMap({
-                    accountability: this.accountability,
-                    action: 'read',
-                }, { schema: this.schema, knex: this.knex })),
-                create: reduceSchema(sanitizedSchema, await fetchAllowedFieldMap({
-                    accountability: this.accountability,
-                    action: 'create',
-                }, { schema: this.schema, knex: this.knex })),
-                update: reduceSchema(sanitizedSchema, await fetchAllowedFieldMap({
-                    accountability: this.accountability,
-                    action: 'update',
-                }, { schema: this.schema, knex: this.knex })),
-                delete: reduceSchema(sanitizedSchema, await fetchAllowedFieldMap({
-                    accountability: this.accountability,
-                    action: 'delete',
-                }, { schema: this.schema, knex: this.knex })),
-            };
-        }
-        const inconsistentFields = {
-            read: await fetchInconsistentFieldMap({
-                accountability: this.accountability,
-                action: 'read',
-            }, { schema: this.schema, knex: this.knex }),
-            create: await fetchInconsistentFieldMap({
-                accountability: this.accountability,
-                action: 'create',
-            }, { schema: this.schema, knex: this.knex }),
-            update: await fetchInconsistentFieldMap({
-                accountability: this.accountability,
-                action: 'update',
-            }, { schema: this.schema, knex: this.knex }),
-            delete: await fetchInconsistentFieldMap({
-                accountability: this.accountability,
-                action: 'delete',
-            }, { schema: this.schema, knex: this.knex }),
+        const schema = {
+            read: this.accountability?.admin === true
+                ? sanitizedSchema
+                : reduceSchema(sanitizedSchema, this.accountability?.permissions || null, ['read']),
+            create: this.accountability?.admin === true
+                ? sanitizedSchema
+                : reduceSchema(sanitizedSchema, this.accountability?.permissions || null, ['create']),
+            update: this.accountability?.admin === true
+                ? sanitizedSchema
+                : reduceSchema(sanitizedSchema, this.accountability?.permissions || null, ['update']),
+            delete: this.accountability?.admin === true
+                ? sanitizedSchema
+                : reduceSchema(sanitizedSchema, this.accountability?.permissions || null, ['delete']),
         };
         const subscriptionEventType = schemaComposer.createEnumTC({
             name: 'EventEnum',
@@ -339,18 +300,16 @@ export class GraphQLService {
                     name: action === 'read' ? collection.collection : `${action}_${collection.collection}`,
                     fields: Object.values(collection.fields).reduce((acc, field) => {
                         let type = getGraphQLType(field.type, field.special);
-                        const fieldIsInconsistent = inconsistentFields[action][collection.collection]?.includes(field.field);
                         // GraphQL doesn't differentiate between not-null and has-to-be-submitted. We
                         // can't non-null in update, as that would require every not-nullable field to be
                         // submitted on updates
                         if (field.nullable === false &&
                             !field.defaultValue &&
                             !GENERATE_SPECIAL.some((flag) => field.special.includes(flag)) &&
-                            fieldIsInconsistent === false &&
                             action !== 'update') {
                             type = new GraphQLNonNull(type);
                         }
-                        if (collection.primary === field.field && fieldIsInconsistent === false) {
+                        if (collection.primary === field.field) {
                             // permissions IDs need to be nullable https://github.com/directus/directus/issues/20509
                             if (collection.collection === 'directus_permissions') {
                                 type = GraphQLID;
@@ -1803,7 +1762,7 @@ export class GraphQLService {
                         accountability: this.accountability,
                         scope: args['scope'] ?? 'items',
                     });
-                    return await service.getSchema('sdl');
+                    return service.getSchema('sdl');
                 },
             },
             server_ping: {
@@ -1856,7 +1815,7 @@ export class GraphQLService {
                     otp: GraphQLString,
                 },
                 resolve: async (_, args, { req, res }) => {
-                    const accountability = createDefaultAccountability();
+                    const accountability = { role: null };
                     if (req?.ip)
                         accountability.ip = req.ip;
                     const userAgent = req?.get('user-agent');
@@ -1896,7 +1855,7 @@ export class GraphQLService {
                     mode: AuthMode,
                 },
                 resolve: async (_, args, { req, res }) => {
-                    const accountability = createDefaultAccountability();
+                    const accountability = { role: null };
                     if (req?.ip)
                         accountability.ip = req.ip;
                     const userAgent = req?.get('user-agent');
@@ -1954,7 +1913,7 @@ export class GraphQLService {
                     mode: AuthMode,
                 },
                 resolve: async (_, args, { req, res }) => {
-                    const accountability = createDefaultAccountability();
+                    const accountability = { role: null };
                     if (req?.ip)
                         accountability.ip = req.ip;
                     const userAgent = req?.get('user-agent');
@@ -2004,7 +1963,7 @@ export class GraphQLService {
                     reset_url: GraphQLString,
                 },
                 resolve: async (_, args, { req }) => {
-                    const accountability = createDefaultAccountability();
+                    const accountability = { role: null };
                     if (req?.ip)
                         accountability.ip = req.ip;
                     const userAgent = req?.get('user-agent');
@@ -2032,7 +1991,7 @@ export class GraphQLService {
                     password: new GraphQLNonNull(GraphQLString),
                 },
                 resolve: async (_, args, { req }) => {
-                    const accountability = createDefaultAccountability();
+                    const accountability = { role: null };
                     if (req?.ip)
                         accountability.ip = req.ip;
                     const userAgent = req?.get('user-agent');
@@ -2673,69 +2632,6 @@ export class GraphQLService {
                 },
             });
         }
-        if ('directus_permissions' in schema.read.collections) {
-            schemaComposer.Query.addFields({
-                permissions_me: {
-                    type: schemaComposer.createScalarTC({
-                        name: 'permissions_me_type',
-                        parseValue: (value) => value,
-                        serialize: (value) => value,
-                    }),
-                    resolve: async (_, _args, __, _info) => {
-                        if (!this.accountability?.user && !this.accountability?.role)
-                            return null;
-                        const result = await fetchAccountabilityCollectionAccess(this.accountability, {
-                            schema: this.schema,
-                            knex: getDatabase(),
-                        });
-                        return result;
-                    },
-                },
-            });
-        }
-        if ('directus_roles' in schema.read.collections) {
-            schemaComposer.Query.addFields({
-                roles_me: {
-                    type: ReadCollectionTypes['directus_roles'].List,
-                    resolve: async (_, args, __, info) => {
-                        if (!this.accountability?.user && !this.accountability?.role)
-                            return null;
-                        const service = new RolesService({
-                            accountability: this.accountability,
-                            schema: this.schema,
-                        });
-                        const selections = this.replaceFragmentsInSelections(info.fieldNodes[0]?.selectionSet?.selections, info.fragments);
-                        const query = this.getQuery(args, selections || [], info.variableValues);
-                        query.limit = -1;
-                        const roles = await service.readMany(this.accountability.roles, query);
-                        return roles;
-                    },
-                },
-            });
-        }
-        if ('directus_policies' in schema.read.collections) {
-            schemaComposer.Query.addFields({
-                policies_me_globals: {
-                    type: schemaComposer.createObjectTC({
-                        name: 'policy_me_globals_type',
-                        fields: {
-                            enforce_tfa: 'Boolean',
-                            app_access: 'Boolean',
-                            admin_access: 'Boolean',
-                        },
-                    }),
-                    resolve: async (_, _args, __, _info) => {
-                        if (!this.accountability?.user && !this.accountability?.role)
-                            return null;
-                        const result = await fetchAccountabilityPolicyGlobals(this.accountability, {
-                            schema: this.schema,
-                            knex: getDatabase(),
-                        });
-                        return result;
-                    },
-                },
-            });
-        }
         if ('directus_users' in schema.update.collections && this.accountability?.user) {
             schemaComposer.Mutation.addFields({
                 update_users_me: {

package/dist/services/graphql/subscription.js

@@ -1,6 +1,7 @@
 import { EventEmitter, on } from 'events';
 import { useBus } from '../../bus/index.js';
 import { getSchema } from '../../utils/get-schema.js';
+import { refreshAccountability } from '../../websocket/authenticate.js';
 import { getPayload } from '../../websocket/utils/items.js';
 const messages = createPubSub(new EventEmitter());
 export function bindPubSub() {
@@ -18,6 +19,7 @@ export function createSubscriptionGenerator(self, event) {
             if ('event' in args && eventData['action'] !== args['event']) {
                 continue; // skip filtered events
             }
+            const accountability = await refreshAccountability(self.accountability);
             const schema = await getSchema();
             const subscription = {
                 collection: eventData['collection'],
@@ -33,7 +35,7 @@ export function createSubscriptionGenerator(self, event) {
             if (eventData['action'] === 'create') {
                 try {
                     subscription.item = eventData['key'];
-                    const result = await getPayload(subscription, self.accountability, schema, eventData);
+                    const result = await getPayload(subscription, accountability, schema, eventData);
                     yield {
                         [event]: {
                             key: eventData['key'],
@@ -50,7 +52,7 @@ export function createSubscriptionGenerator(self, event) {
                 for (const key of eventData['keys']) {
                     try {
                         subscription.item = key;
-                        const result = await getPayload(subscription, self.accountability, schema, eventData);
+                        const result = await getPayload(subscription, accountability, schema, eventData);
                         yield {
                             [event]: {
                                 key,

package/dist/services/import-export.js

@@ -15,7 +15,6 @@ import StreamArray from 'stream-json/streamers/StreamArray.js';
 import getDatabase from '../database/index.js';
 import emitter from '../emitter.js';
 import { useLogger } from '../logger/index.js';
-import { validateAccess } from '../permissions/modules/validate-access/validate-access.js';
 import { getDateFormatted } from '../utils/get-date-formatted.js';
 import { getService } from '../utils/get-service.js';
 import { transaction } from '../utils/transaction.js';
@@ -38,23 +37,10 @@ export class ImportService {
     async import(collection, mimetype, stream) {
         if (this.accountability?.admin !== true && isSystemCollection(collection))
             throw new ForbiddenError();
-        if (this.accountability) {
-            await validateAccess({
-                accountability: this.accountability,
-                action: 'create',
-                collection,
-            }, {
-                schema: this.schema,
-                knex: this.knex,
-            });
-            await validateAccess({
-                accountability: this.accountability,
-                action: 'update',
-                collection,
-            }, {
-                schema: this.schema,
-                knex: this.knex,
-            });
+        const createPermissions = this.accountability?.permissions?.find((permission) => permission.collection === collection && permission.action === 'create');
+        const updatePermissions = this.accountability?.permissions?.find((permission) => permission.collection === collection && permission.action === 'update');
+        if (this.accountability?.admin !== true && (!createPermissions || !updatePermissions)) {
+            throw new ForbiddenError();
         }
         switch (mimetype) {
             case 'application/json':

package/dist/services/index.d.ts

@@ -1,7 +1,7 @@
-export * from './access.js';
 export * from './activity.js';
 export * from './assets.js';
 export * from './authentication.js';
+export * from './authorization.js';
 export * from './collections.js';
 export * from './dashboards.js';
 export * from './extensions.js';
@@ -18,8 +18,7 @@ export * from './notifications.js';
 export * from './operations.js';
 export * from './panels.js';
 export * from './payload.js';
-export * from './permissions.js';
-export * from './policies.js';
+export * from './permissions/index.js';
 export * from './presets.js';
 export * from './relations.js';
 export * from './revisions.js';

package/dist/services/index.js

@@ -1,7 +1,7 @@
-export * from './access.js';
 export * from './activity.js';
 export * from './assets.js';
 export * from './authentication.js';
+export * from './authorization.js';
 export * from './collections.js';
 export * from './dashboards.js';
 export * from './extensions.js';
@@ -18,8 +18,7 @@ export * from './notifications.js';
 export * from './operations.js';
 export * from './panels.js';
 export * from './payload.js';
-export * from './permissions.js';
-export * from './policies.js';
+export * from './permissions/index.js';
 export * from './presets.js';
 export * from './relations.js';
 export * from './revisions.js';