@directus/api 21.0.0-rc.0 → 21.0.1

package/dist/services/policies.d.ts

@@ -1,12 +0,0 @@
-import type { Policy, PrimaryKey } from '@directus/types';
-import type { AbstractServiceOptions, MutationOptions } from '../types/index.js';
-import { ItemsService } from './items.js';
-export declare class PoliciesService extends ItemsService<Policy> {
-    constructor(options: AbstractServiceOptions);
-    private clearCaches;
-    private isIpAccessValid;
-    private assertValidIpAccess;
-    createOne(data: Partial<Policy>, opts?: MutationOptions): Promise<PrimaryKey>;
-    updateMany(keys: PrimaryKey[], data: Partial<Policy>, opts?: MutationOptions): Promise<PrimaryKey[]>;
-    deleteMany(keys: PrimaryKey[], opts?: MutationOptions): Promise<PrimaryKey[]>;
-}

package/dist/services/policies.js

@@ -1,87 +0,0 @@
-import { InvalidPayloadError } from '@directus/errors';
-import { getMatch } from 'ip-matching';
-import { clearSystemCache } from '../cache.js';
-import { clearCache as clearPermissionsCache } from '../permissions/cache.js';
-import { UserIntegrityCheckFlag } from '../utils/validate-user-count-integrity.js';
-import { ItemsService } from './items.js';
-export class PoliciesService extends ItemsService {
-    constructor(options) {
-        super('directus_policies', options);
-    }
-    async clearCaches(opts) {
-        await clearSystemCache({ autoPurgeCache: opts?.autoPurgeCache });
-        if (this.cache && opts?.autoPurgeCache !== false) {
-            await this.cache.clear();
-        }
-    }
-    isIpAccessValid(value) {
-        if (value === undefined)
-            return false;
-        if (value === null)
-            return true;
-        if (Array.isArray(value) && value.length === 0)
-            return true;
-        for (const ip of value) {
-            if (typeof ip !== 'string' || ip.includes('*'))
-                return false;
-            try {
-                const match = getMatch(ip);
-                if (match.type == 'IPMask')
-                    return false;
-            }
-            catch {
-                return false;
-            }
-        }
-        return true;
-    }
-    assertValidIpAccess(partialItem) {
-        if ('ip_access' in partialItem && !this.isIpAccessValid(partialItem['ip_access'])) {
-            throw new InvalidPayloadError({
-                reason: 'IP Access contains an incorrect value. Valid values are: IP addresses, IP ranges and CIDR blocks',
-            });
-        }
-    }
-    async createOne(data, opts = {}) {
-        this.assertValidIpAccess(data);
-        // A policy has been created, but the attachment to a user/role happens in the AccessService,
-        // so no need to check user integrity
-        const result = await super.createOne(data, opts);
-        // TODO is this necessary? Since the attachment should be handled in the AccessService
-        // A new policy has created, clear the permissions cache
-        await clearPermissionsCache();
-        return result;
-    }
-    async updateMany(keys, data, opts = {}) {
-        this.assertValidIpAccess(data);
-        if ('admin_access' in data) {
-            let flags = UserIntegrityCheckFlag.RemainingAdmins;
-            if (data['admin_access'] === true) {
-                // Only need to perform a full user count if the policy allows admin access
-                flags |= UserIntegrityCheckFlag.All;
-            }
-            opts.userIntegrityCheckFlags = (opts.userIntegrityCheckFlags ?? UserIntegrityCheckFlag.None) | flags;
-        }
-        if ('app_access' in data) {
-            opts.userIntegrityCheckFlags =
-                (opts.userIntegrityCheckFlags ?? UserIntegrityCheckFlag.None) | UserIntegrityCheckFlag.UserLimits;
-        }
-        if (opts.userIntegrityCheckFlags)
-            opts.onRequireUserIntegrityCheck?.(opts.userIntegrityCheckFlags);
-        const result = await super.updateMany(keys, data, opts);
-        if ('admin_access' in data || 'app_access' in data || 'ip_access' in data || 'enforce_tfa' in data) {
-            // Some relevant properties on policies have been updated, clear the caches
-            await this.clearCaches(opts);
-        }
-        return result;
-    }
-    async deleteMany(keys, opts = {}) {
-        opts.userIntegrityCheckFlags = UserIntegrityCheckFlag.All;
-        opts.onRequireUserIntegrityCheck?.(opts.userIntegrityCheckFlags);
-        const result = await super.deleteMany(keys, opts);
-        // TODO is this necessary? Since the detachment should be handled in the AccessService
-        // Some policies have been deleted, clear the permissions cache
-        await this.clearCaches(opts);
-        return result;
-    }
-}

package/dist/telemetry/utils/check-user-limits.d.ts

@@ -1,5 +0,0 @@
-import { type UserCount } from '../../utils/fetch-user-count/fetch-user-count.js';
-/**
- * Ensure that user limits are not reached
- */
-export declare function checkUserLimits(userCounts: UserCount): Promise<void>;

package/dist/telemetry/utils/check-user-limits.js

@@ -1,19 +0,0 @@
-import { useEnv } from '@directus/env';
-import { LimitExceededError } from '@directus/errors';
-import {} from '../../utils/fetch-user-count/fetch-user-count.js';
-const env = useEnv();
-/**
- * Ensure that user limits are not reached
- */
-export async function checkUserLimits(userCounts) {
-    if (userCounts.admin > Number(env['USERS_ADMIN_ACCESS_LIMIT'])) {
-        throw new LimitExceededError({ category: 'Active Admin users' });
-    }
-    // Both app and admin users count against the app access limit
-    if (userCounts.app + userCounts.admin > Number(env['USERS_APP_ACCESS_LIMIT'])) {
-        throw new LimitExceededError({ category: 'Active App users' });
-    }
-    if (userCounts.api > Number(env['USERS_API_ACCESS_LIMIT'])) {
-        throw new LimitExceededError({ category: 'Active API users' });
-    }
-}

package/dist/utils/fetch-user-count/fetch-access-lookup.d.ts

@@ -1,17 +0,0 @@
-import type { PrimaryKey } from '@directus/types';
-import type { Knex } from 'knex';
-export interface AccessLookup {
-    role: string | null;
-    user: string | null;
-    app_access: boolean | number;
-    admin_access: boolean | number;
-}
-export interface FetchAccessLookupOptions {
-    excludeAccessRows?: PrimaryKey[];
-    excludePolicies?: PrimaryKey[];
-    excludeUsers?: PrimaryKey[];
-    excludeRoles?: PrimaryKey[];
-    adminOnly?: boolean;
-    knex: Knex;
-}
-export declare function fetchAccessLookup(options: FetchAccessLookupOptions): Promise<AccessLookup[]>;

package/dist/utils/fetch-user-count/fetch-access-lookup.js

@@ -1,22 +0,0 @@
-export async function fetchAccessLookup(options) {
-    let query = options.knex
-        .select('directus_access.role', 'directus_access.user', 'directus_policies.app_access', 'directus_policies.admin_access')
-        .from('directus_access')
-        .leftJoin('directus_policies', 'directus_access.policy', 'directus_policies.id');
-    if (options.excludeAccessRows && options.excludeAccessRows.length > 0) {
-        query = query.whereNotIn('directus_access.id', options.excludeAccessRows);
-    }
-    if (options.excludePolicies && options.excludePolicies.length > 0) {
-        query = query.whereNotIn('directus_access.policy', options.excludePolicies);
-    }
-    if (options.excludeUsers && options.excludeUsers.length > 0) {
-        query = query.where((q) => q.whereNotIn('directus_access.user', options.excludeUsers).orWhereNull('directus_access.user'));
-    }
-    if (options.excludeRoles && options.excludeRoles.length > 0) {
-        query = query.where((q) => q.whereNotIn('directus_access.role', options.excludeRoles).orWhereNull('directus_access.role'));
-    }
-    if (options.adminOnly) {
-        query = query.where('directus_policies.admin_access', 1);
-    }
-    return query;
-}

package/dist/utils/fetch-user-count/fetch-access-roles.d.ts

@@ -1,16 +0,0 @@
-import type { PrimaryKey } from '@directus/types';
-import type { Knex } from 'knex';
-export interface FetchAccessRolesOptions {
-    adminRoles: Set<string>;
-    appRoles: Set<string>;
-    excludeRoles?: PrimaryKey[];
-}
-/**
- * Return a set of roles that allow app or admin access, if itself or any of its parents do
- */
-export declare function fetchAccessRoles(options: FetchAccessRolesOptions, context: {
-    knex: Knex;
-}): Promise<{
-    adminRoles: Set<string>;
-    appRoles: Set<string>;
-}>;

package/dist/utils/fetch-user-count/fetch-access-roles.js

@@ -1,37 +0,0 @@
-/**
- * Return a set of roles that allow app or admin access, if itself or any of its parents do
- */
-export async function fetchAccessRoles(options, context) {
-    // Only fetch the roles that have a parent, as otherwise those roles should already be included in at least one of the input set
-    const allChildRoles = await context.knex
-        .select('id', 'parent')
-        .from('directus_roles')
-        .whereNotNull('parent')
-        .whereNotIn('id', options.excludeRoles ?? []);
-    const adminRoles = new Set(options.adminRoles);
-    const appRoles = new Set(options.appRoles);
-    const remainingRoles = new Set(allChildRoles);
-    let hasChanged = remainingRoles.size > 0;
-    // This loop accounts for the undefined order in which the roles are returned, as there is the possibility
-    // of a role parent not being in the set of roles yet, so we need to iterate over the roles multiple times
-    // until no further roles are added to the sets
-    while (hasChanged) {
-        hasChanged = false;
-        for (const role of remainingRoles) {
-            if (adminRoles.has(role.parent)) {
-                adminRoles.add(role.id);
-                remainingRoles.delete(role);
-                hasChanged = true;
-            }
-            if (appRoles.has(role.parent)) {
-                appRoles.add(role.id);
-                remainingRoles.delete(role);
-                hasChanged = true;
-            }
-        }
-    }
-    return {
-        adminRoles,
-        appRoles,
-    };
-}

package/dist/utils/fetch-user-count/fetch-active-users.d.ts

@@ -1,6 +0,0 @@
-import type { Knex } from 'knex';
-export interface ActiveUser {
-    id: string;
-    role: string | null;
-}
-export declare function fetchActiveUsers(knex: Knex): Promise<ActiveUser[]>;

package/dist/utils/fetch-user-count/fetch-active-users.js

@@ -1,3 +0,0 @@
-export async function fetchActiveUsers(knex) {
-    return await knex.select('id', 'role').from('directus_users').where('status', 'active');
-}

package/dist/utils/fetch-user-count/fetch-user-count.d.ts

@@ -1,12 +0,0 @@
-import { type FetchAccessLookupOptions } from './fetch-access-lookup.js';
-export interface FetchUserCountOptions extends FetchAccessLookupOptions {
-}
-export interface UserCount {
-    admin: number;
-    app: number;
-    api: number;
-}
-/**
- * Returns counts of all active users in the system grouped by admin, app, and api access
- */
-export declare function fetchUserCount(options: FetchUserCountOptions): Promise<UserCount>;

package/dist/utils/fetch-user-count/fetch-user-count.js

@@ -1,57 +0,0 @@
-import { toBoolean } from '@directus/utils';
-import { fetchAccessLookup } from './fetch-access-lookup.js';
-import { fetchAccessRoles } from './fetch-access-roles.js';
-import { getUserCountQuery } from './get-user-count-query.js';
-/**
- * Returns counts of all active users in the system grouped by admin, app, and api access
- */
-export async function fetchUserCount(options) {
-    const accessRows = await fetchAccessLookup(options);
-    const adminRoles = new Set(accessRows.filter((row) => toBoolean(row.admin_access) && row.role !== null).map((row) => row.role));
-    const appRoles = new Set(accessRows
-        .filter((row) => !toBoolean(row.admin_access) && toBoolean(row.app_access) && row.role !== null)
-        .map((row) => row.role));
-    // All users that are directly granted rights through a connected policy
-    const adminUsers = new Set(accessRows.filter((row) => toBoolean(row.admin_access) && row.user !== null).map((row) => row.user));
-    // Some roles might be granted access rights through nesting, so determine all roles that grant admin or app access,
-    // including nested roles
-    const { adminRoles: allAdminRoles, appRoles: allAppRoles } = await fetchAccessRoles({
-        adminRoles,
-        appRoles,
-        ...options,
-    }, { knex: options.knex });
-    // All users that are granted admin rights through a role, but not directly
-    const adminCountQuery = getUserCountQuery(options.knex, {
-        includeRoles: Array.from(allAdminRoles),
-        excludeIds: [...adminUsers, ...(options.excludeUsers ?? [])],
-    });
-    if (options.adminOnly) {
-        // Shortcut for only counting admin users
-        const adminResult = await adminCountQuery;
-        return {
-            admin: Number(adminResult?.['count'] ?? 0) + adminUsers.size,
-            app: 0,
-            api: 0,
-        };
-    }
-    const appUsers = new Set(accessRows
-        .filter((row) => !toBoolean(row.admin_access) && toBoolean(row.app_access) && row.user !== null)
-        .map((row) => row.user));
-    // All users that are granted app rights through a role, but not directly, and that aren't admin users
-    const appCountQuery = getUserCountQuery(options.knex, {
-        includeRoles: Array.from(allAppRoles),
-        excludeRoles: Array.from(allAdminRoles),
-        excludeIds: [...appUsers, ...adminUsers, ...(options.excludeUsers ?? [])],
-    });
-    const allCountQuery = getUserCountQuery(options.knex, {
-        excludeIds: options.excludeUsers ?? [],
-    });
-    const [adminResult, appResult, allResult] = await Promise.all([adminCountQuery, appCountQuery, allCountQuery]);
-    const adminCount = Number(adminResult?.['count'] ?? 0) + adminUsers.size;
-    const appCount = Number(appResult?.['count'] ?? 0) + appUsers.size;
-    return {
-        admin: adminCount,
-        app: appCount,
-        api: Number(allResult?.['count'] ?? 0) - adminCount - appCount,
-    };
-}

package/dist/utils/fetch-user-count/get-user-count-query.d.ts

@@ -1,20 +0,0 @@
-import type { PrimaryKey } from '@directus/types';
-import type { Knex } from 'knex';
-export interface GetUserCountOptions {
-    excludeIds?: PrimaryKey[];
-    excludeRoles?: PrimaryKey[];
-    includeRoles?: PrimaryKey[];
-}
-export declare function getUserCountQuery(knex: Knex, options: GetUserCountOptions): Promise<{
-    count: number;
-}> | Knex.QueryBuilder<any, {
-    _base: {};
-    _hasSelection: true;
-    _keys: never;
-    _aliases: {};
-    _single: false;
-    _intersectProps: {
-        count?: string | number;
-    };
-    _unionProps: undefined;
-}>;

package/dist/utils/fetch-user-count/get-user-count-query.js

@@ -1,17 +0,0 @@
-export function getUserCountQuery(knex, options) {
-    // Safety check for an empty list of includeRoles, which would otherwise return all users
-    if (options.includeRoles && options.includeRoles.length === 0) {
-        return Promise.resolve({ count: 0 });
-    }
-    let query = knex('directus_users').count({ count: '*' }).as('count').where('status', 'active');
-    if (options.excludeIds && options.excludeIds.length > 0) {
-        query = query.whereNotIn('id', options.excludeIds);
-    }
-    if (options.excludeRoles && options.excludeRoles.length > 0) {
-        query = query.whereNotIn('role', options.excludeRoles);
-    }
-    if (options.includeRoles && options.includeRoles.length > 0) {
-        query = query.whereIn('role', options.includeRoles);
-    }
-    return query.first();
-}

package/dist/utils/validate-user-count-integrity.d.ts

@@ -1,13 +0,0 @@
-import { type FetchUserCountOptions } from './fetch-user-count/fetch-user-count.js';
-export declare enum UserIntegrityCheckFlag {
-    None = 0,
-    /** Check if the number of remaining admin users is greater than 0 */
-    RemainingAdmins = 1,
-    /** Check if the number of users is within the limits */
-    UserLimits = 2,
-    All = 3
-}
-export interface ValidateUserCountIntegrityOptions extends Omit<FetchUserCountOptions, 'adminOnly'> {
-    flags: UserIntegrityCheckFlag;
-}
-export declare function validateUserCountIntegrity(options: ValidateUserCountIntegrityOptions): Promise<void>;

package/dist/utils/validate-user-count-integrity.js

@@ -1,29 +0,0 @@
-import { validateRemainingAdminCount } from '../permissions/modules/validate-remaining-admin/validate-remaining-admin-count.js';
-import { checkUserLimits } from '../telemetry/utils/check-user-limits.js';
-import { shouldCheckUserLimits } from '../telemetry/utils/should-check-user-limits.js';
-import { fetchUserCount } from './fetch-user-count/fetch-user-count.js';
-export var UserIntegrityCheckFlag;
-(function (UserIntegrityCheckFlag) {
-    UserIntegrityCheckFlag[UserIntegrityCheckFlag["None"] = 0] = "None";
-    /** Check if the number of remaining admin users is greater than 0 */
-    UserIntegrityCheckFlag[UserIntegrityCheckFlag["RemainingAdmins"] = 1] = "RemainingAdmins";
-    /** Check if the number of users is within the limits */
-    UserIntegrityCheckFlag[UserIntegrityCheckFlag["UserLimits"] = 2] = "UserLimits";
-    UserIntegrityCheckFlag[UserIntegrityCheckFlag["All"] = 3] = "All";
-})(UserIntegrityCheckFlag || (UserIntegrityCheckFlag = {}));
-export async function validateUserCountIntegrity(options) {
-    const validateUserLimits = (options.flags & UserIntegrityCheckFlag.UserLimits) !== 0;
-    const validateRemainingAdminUsers = (options.flags & UserIntegrityCheckFlag.RemainingAdmins) !== 0;
-    const limitCheck = validateUserLimits && shouldCheckUserLimits();
-    if (!validateRemainingAdminUsers && !limitCheck) {
-        return;
-    }
-    const adminOnly = validateRemainingAdminUsers && !limitCheck;
-    const userCounts = await fetchUserCount({ ...options, adminOnly });
-    if (limitCheck) {
-        await checkUserLimits(userCounts);
-    }
-    if (validateRemainingAdminUsers) {
-        validateRemainingAdminCount(userCounts.admin);
-    }
-}