@directus/api 21.0.0-rc.0 → 22.0.0

package/dist/database/migrations/20240806A-permissions-policies.js

@@ -0,0 +1,338 @@
+import { processChunk, toBoolean } from '@directus/utils';
+import { flatten, intersection, isEqual, merge, omit, uniq } from 'lodash-es';
+import { randomUUID } from 'node:crypto';
+import { fetchPermissions } from '../../permissions/lib/fetch-permissions.js';
+import { fetchPolicies } from '../../permissions/lib/fetch-policies.js';
+import { fetchRolesTree } from '../../permissions/lib/fetch-roles-tree.js';
+import { getSchema } from '../../utils/get-schema.js';
+// Adapted from https://github.com/directus/directus/blob/141b8adbf4dd8e06530a7929f34e3fc68a522053/api/src/utils/merge-permissions.ts#L4
+export function mergePermissions(strategy, ...permissions) {
+    const allPermissions = flatten(permissions);
+    const mergedPermissions = allPermissions
+        .reduce((acc, val) => {
+        const key = `${val.collection}__${val.action}`;
+        const current = acc.get(key);
+        acc.set(key, current ? mergePermission(strategy, current, val) : val);
+        return acc;
+    }, new Map())
+        .values();
+    return Array.from(mergedPermissions);
+}
+export function mergePermission(strategy, currentPerm, newPerm) {
+    const logicalKey = `_${strategy}`;
+    let { permissions, validation, fields, presets } = currentPerm;
+    if (newPerm.permissions) {
+        if (currentPerm.permissions && Object.keys(currentPerm.permissions)[0] === logicalKey) {
+            permissions = {
+                [logicalKey]: [
+                    ...currentPerm.permissions[logicalKey],
+                    newPerm.permissions,
+                ],
+            };
+        }
+        else if (currentPerm.permissions) {
+            // Empty {} supersedes other permissions in _OR merge
+            if (strategy === 'or' && (isEqual(currentPerm.permissions, {}) || isEqual(newPerm.permissions, {}))) {
+                permissions = {};
+            }
+            else {
+                permissions = {
+                    [logicalKey]: [currentPerm.permissions, newPerm.permissions],
+                };
+            }
+        }
+        else {
+            permissions = {
+                [logicalKey]: [newPerm.permissions],
+            };
+        }
+    }
+    if (newPerm.validation) {
+        if (currentPerm.validation && Object.keys(currentPerm.validation)[0] === logicalKey) {
+            validation = {
+                [logicalKey]: [
+                    ...currentPerm.validation[logicalKey],
+                    newPerm.validation,
+                ],
+            };
+        }
+        else if (currentPerm.validation) {
+            // Empty {} supersedes other validations in _OR merge
+            if (strategy === 'or' && (isEqual(currentPerm.validation, {}) || isEqual(newPerm.validation, {}))) {
+                validation = {};
+            }
+            else {
+                validation = {
+                    [logicalKey]: [currentPerm.validation, newPerm.validation],
+                };
+            }
+        }
+        else {
+            validation = {
+                [logicalKey]: [newPerm.validation],
+            };
+        }
+    }
+    if (newPerm.fields) {
+        if (Array.isArray(currentPerm.fields) && strategy === 'or') {
+            fields = uniq([...currentPerm.fields, ...newPerm.fields]);
+        }
+        else if (Array.isArray(currentPerm.fields) && strategy === 'and') {
+            fields = intersection(currentPerm.fields, newPerm.fields);
+        }
+        else {
+            fields = newPerm.fields;
+        }
+        if (fields.includes('*'))
+            fields = ['*'];
+    }
+    if (newPerm.presets) {
+        presets = merge({}, presets, newPerm.presets);
+    }
+    return omit({
+        ...currentPerm,
+        permissions,
+        validation,
+        fields,
+        presets,
+    }, ['id', 'system']);
+}
+async function fetchRoleAccess(roles, context) {
+    const roleAccess = {
+        admin_access: false,
+        app_access: false,
+        ip_access: null,
+        enforce_tfa: false,
+    };
+    const accessRows = await context
+        .knex('directus_access')
+        .select('directus_policies.id', 'directus_policies.admin_access', 'directus_policies.app_access', 'directus_policies.ip_access', 'directus_policies.enforce_tfa')
+        .where('role', 'in', roles)
+        .leftJoin('directus_policies', 'directus_policies.id', 'directus_access.policy');
+    const ipAccess = new Set();
+    for (const { admin_access, app_access, ip_access, enforce_tfa } of accessRows) {
+        roleAccess.admin_access ||= toBoolean(admin_access);
+        roleAccess.app_access ||= toBoolean(app_access);
+        roleAccess.enforce_tfa ||= toBoolean(enforce_tfa);
+        if (ip_access && ip_access.length) {
+            ip_access.split(',').forEach((ip) => ipAccess.add(ip));
+        }
+    }
+    if (ipAccess.size > 0) {
+        roleAccess.ip_access = Array.from(ipAccess).join(',');
+    }
+    return roleAccess;
+}
+/**
+ * The public role used to be `null`, we gotta create a single new policy for the permissions
+ * previously attached to the public role (marked through `role = null`).
+ */
+const PUBLIC_POLICY_ID = 'abf8a154-5b1c-4a46-ac9c-7300570f4f17';
+export async function up(knex) {
+    /////////////////////////////////////////////////////////////////////////////////////////////////
+    // If the policies table already exists the migration has already run
+    if (await knex.schema.hasTable('directus_policies')) {
+        return;
+    }
+    /////////////////////////////////////////////////////////////////////////////////////////////////
+    // Create new policies table that mirrors previous Roles
+    await knex.schema.createTable('directus_policies', (table) => {
+        table.uuid('id').primary();
+        table.string('name', 100).notNullable();
+        table.string('icon', 64).notNullable().defaultTo('badge');
+        table.text('description');
+        table.text('ip_access');
+        table.boolean('enforce_tfa').defaultTo(false).notNullable();
+        table.boolean('admin_access').defaultTo(false).notNullable();
+        table.boolean('app_access').defaultTo(false).notNullable();
+    });
+    /////////////////////////////////////////////////////////////////////////////////////////////////
+    // Copy over all existing roles into new policies
+    const roles = await knex
+        .select('id', 'name', 'icon', 'description', 'ip_access', 'enforce_tfa', 'admin_access', 'app_access')
+        .from('directus_roles');
+    if (roles.length > 0) {
+        await processChunk(roles, 100, async (chunk) => {
+            await knex('directus_policies').insert(chunk);
+        });
+    }
+    await knex
+        .insert({
+        id: PUBLIC_POLICY_ID,
+        name: '$t:public_label',
+        icon: 'public',
+        description: '$t:public_description',
+        app_access: false,
+    })
+        .into('directus_policies');
+    // Change the admin policy description to $t:admin_policy_description
+    await knex('directus_policies')
+        .update({
+        description: '$t:admin_policy_description',
+    })
+        .where('description', 'LIKE', '$t:admin_description');
+    /////////////////////////////////////////////////////////////////////////////////////////////////
+    // Remove access control + add nesting to roles
+    await knex.schema.alterTable('directus_roles', (table) => {
+        table.dropColumn('ip_access');
+        table.dropColumn('enforce_tfa');
+        table.dropColumn('admin_access');
+        table.dropColumn('app_access');
+        table.uuid('parent').references('directus_roles.id');
+    });
+    /////////////////////////////////////////////////////////////////////////////////////////////////
+    // Link permissions to policies instead of roles
+    await knex.schema.alterTable('directus_permissions', (table) => {
+        table.uuid('policy').references('directus_policies.id').onDelete('CASCADE');
+        // Drop the foreign key constraint here in order to update `null` role to public policy ID
+        table.dropForeign('role');
+    });
+    await knex('directus_permissions')
+        .update({
+        role: PUBLIC_POLICY_ID,
+    })
+        .whereNull('role');
+    await knex('directus_permissions').update({
+        policy: knex.ref('role'),
+    });
+    await knex.schema.alterTable('directus_permissions', (table) => {
+        table.dropColumns('role');
+        table.dropNullable('policy');
+    });
+    /////////////////////////////////////////////////////////////////////////////////////////////////
+    // Setup junction table between roles/users and policies
+    // This could be a A2O style setup with a collection/item field rather than individual foreign
+    // keys, but we want to be able to show the reverse-relationship on the individual policies as
+    // well, which would require the O2A type to exist in Directus which currently doesn't.
+    // Shouldn't be the end of the world here, as we know we're only attaching policies to two other
+    // collections.
+    await knex.schema.createTable('directus_access', (table) => {
+        table.uuid('id').primary();
+        table.uuid('role').references('directus_roles.id').nullable().onDelete('CASCADE');
+        table.uuid('user').references('directus_users.id').nullable().onDelete('CASCADE');
+        table.uuid('policy').references('directus_policies.id').notNullable().onDelete('CASCADE');
+        table.integer('sort');
+    });
+    /////////////////////////////////////////////////////////////////////////////////////////////////
+    // Attach policies to existing roles for backwards compatibility
+    const policyAttachments = roles.map((role) => ({
+        id: randomUUID(),
+        role: role.id,
+        user: null,
+        policy: role.id,
+        sort: 1,
+    }));
+    await processChunk(policyAttachments, 100, async (chunk) => {
+        await knex('directus_access').insert(chunk);
+    });
+    await knex('directus_access').insert({
+        id: randomUUID(),
+        role: null,
+        user: null,
+        policy: PUBLIC_POLICY_ID,
+        sort: 1,
+    });
+}
+export async function down(knex) {
+    /////////////////////////////////////////////////////////////////////////////////////////////////
+    // Reinstate access control fields on directus roles
+    await knex.schema.alterTable('directus_roles', (table) => {
+        table.text('ip_access');
+        table.boolean('enforce_tfa').defaultTo(false).notNullable();
+        table.boolean('admin_access').defaultTo(false).notNullable();
+        table.boolean('app_access').defaultTo(true).notNullable();
+    });
+    /////////////////////////////////////////////////////////////////////////////////////////////////
+    // Copy policy access control rules back to roles
+    const originalPermissions = await knex
+        .select('id')
+        .from('directus_permissions')
+        .whereNot({ policy: PUBLIC_POLICY_ID });
+    await knex.schema.alterTable('directus_permissions', (table) => {
+        table.uuid('role').nullable();
+        table.setNullable('policy');
+    });
+    const context = { knex, schema: await getSchema() };
+    // fetch all roles
+    const roles = await knex.select('id').from('directus_roles');
+    // simulate Public Role
+    roles.push({ id: null });
+    // role permissions to be inserted once all processing is completed
+    const rolePermissions = [];
+    for (const role of roles) {
+        const roleTree = await fetchRolesTree(role.id, knex);
+        let roleAccess = null;
+        if (role.id !== null) {
+            roleAccess = await fetchRoleAccess(roleTree, context);
+            await knex('directus_roles').update(roleAccess).where({ id: role.id });
+        }
+        if (roleAccess === null || !roleAccess.admin_access) {
+            // fetch all of the roles policies
+            const policies = await fetchPolicies({ roles: roleTree, user: null, ip: null }, context);
+            //  fetch all of the policies permissions
+            const rawPermissions = await fetchPermissions({
+                accountability: { role: null, roles: roleTree, user: null, app: roleAccess?.app_access || false },
+                policies,
+                bypassDynamicVariableProcessing: true,
+            }, context);
+            // merge all permissions to single version (v10) and save for later use
+            mergePermissions('or', rawPermissions).forEach((permission) => {
+                // System permissions are automatically populated
+                if (permission.system) {
+                    return;
+                }
+                // convert merged permissions to storage ready format
+                if (Array.isArray(permission.fields)) {
+                    permission.fields = permission.fields.join(',');
+                }
+                if (permission.permissions) {
+                    permission.permissions = JSON.stringify(permission.permissions);
+                }
+                if (permission.validation) {
+                    permission.validation = JSON.stringify(permission.validation);
+                }
+                if (permission.presets) {
+                    permission.presets = JSON.stringify(permission.presets);
+                }
+                rolePermissions.push({ role: role.id, ...omit(permission, ['id', 'policy']) });
+            });
+        }
+    }
+    /////////////////////////////////////////////////////////////////////////////////////////////////
+    // Remove role nesting support
+    await knex.schema.alterTable('directus_roles', (table) => {
+        table.dropForeign('parent');
+        table.dropColumn('parent');
+    });
+    /////////////////////////////////////////////////////////////////////////////////////////////////
+    // Drop all permissions that are only attached to a user
+    // TODO query all policies that are attached to a user and delete their permissions,
+    //  since we don't know were to put them now and it'll cause a foreign key problem
+    //  as soon as we reference directus_roles in directus_permissions again
+    /////////////////////////////////////////////////////////////////////////////////////////////////
+    // Drop policy attachments
+    await knex.schema.dropTable('directus_access');
+    /////////////////////////////////////////////////////////////////////////////////////////////////
+    // Reattach permissions to roles instead of policies
+    await knex('directus_permissions')
+        .update({
+        role: null,
+    })
+        .where({ role: PUBLIC_POLICY_ID });
+    // remove all v11 permissions
+    await processChunk(originalPermissions, 100, async (chunk) => {
+        await knex('directus_permissions').delete(chunk);
+    });
+    // insert all v10 permissions
+    await processChunk(rolePermissions, 100, async (chunk) => {
+        await knex('directus_permissions').insert(chunk);
+    });
+    await knex.schema.alterTable('directus_permissions', (table) => {
+        table.uuid('role').references('directus_roles.id').alter();
+        table.dropForeign('policy');
+        table.dropColumn('policy');
+    });
+    /////////////////////////////////////////////////////////////////////////////////////////////////
+    // Drop policies table
+    await knex.schema.dropTable('directus_policies');
+}

package/dist/database/run-ast/lib/get-db-query.js

@@ -8,6 +8,7 @@ import { applyCaseWhen } from '../utils/apply-case-when.js';
 import { getColumnPreprocessor } from '../utils/get-column-pre-processor.js';
 import { getNodeAlias } from '../utils/get-field-alias.js';
 import { getInnerQueryColumnPreProcessor } from '../utils/get-inner-query-column-pre-processor.js';
+import { withPreprocessBindings } from '../utils/with-preprocess-bindings.js';
 export function getDBQuery(schema, knex, table, fieldNodes, o2mNodes, query, cases) {
     const aliasMap = Object.create(null);
     const env = useEnv();
@@ -19,8 +20,15 @@ export function getDBQuery(schema, knex, table, fieldNodes, o2mNodes, query, cas
     queryCopy.limit = typeof queryCopy.limit === 'number' ? queryCopy.limit : Number(env['QUERY_LIMIT_DEFAULT']);
     // Queries with aggregates and groupBy will not have duplicate result
     if (queryCopy.aggregate || queryCopy.group) {
-        const flatQuery = knex.from(table).select(fieldNodes.map((node) => preProcess(node)));
-        return applyQuery(knex, table, flatQuery, queryCopy, schema, cases).query;
+        const flatQuery = knex.from(table);
+        // Map the group fields to their respective field nodes
+        const groupWhenCases = hasCaseWhen
+            ? queryCopy.group?.map((field) => fieldNodes.find(({ fieldKey }) => fieldKey === field)?.whenCase ?? [])
+            : undefined;
+        const dbQuery = applyQuery(knex, table, flatQuery, queryCopy, schema, cases, { aliasMap, groupWhenCases }).query;
+        flatQuery.select(fieldNodes.map((node) => preProcess(node)));
+        withPreprocessBindings(knex, dbQuery);
+        return dbQuery;
     }
     const primaryKey = schema.collections[table].primary;
     let dbQuery = knex.from(table);
@@ -132,6 +140,8 @@ export function getDBQuery(schema, knex, table, fieldNodes, o2mNodes, query, cas
            SELECT DISTINCT ...,
              CASE WHEN <condition> THEN <actual-column> END AS <alias>
 
+           a group-by query is generated.
+
              Another problem is that all not all rows with the same primary key are guaranteed to have the same value for
              the columns with the case/when, so we to `or` those together, but counting the number of flags in a group by
              operation. This way the flag is set to > 0 if any of the rows in the group allows access to the column.

package/dist/database/run-ast/utils/apply-case-when.js

@@ -17,10 +17,11 @@ export function applyCaseWhen({ columnCases, table, aliasMap, cases, column, ali
         }
     }
     const sql = sqlParts.join(' ');
-    const bindings = caseQuery.toSQL().bindings;
-    const result = knex.raw(`(CASE WHEN ${sql} THEN ?? END)`, [...bindings, column]);
+    const bindings = [...caseQuery.toSQL().bindings, column];
+    let rawCase = `(CASE WHEN ${sql} THEN ?? END)`;
     if (alias) {
-        return knex.raw(result + ' AS ??', [alias]);
+        rawCase += ' AS ??';
+        bindings.push(alias);
     }
-    return result;
+    return knex.raw(rawCase, bindings);
 }

package/dist/database/run-ast/utils/with-preprocess-bindings.d.ts

@@ -0,0 +1,2 @@
+import type { Knex } from 'knex';
+export declare function withPreprocessBindings(knex: Knex, dbQuery: Knex.QueryBuilder): void;

package/dist/database/run-ast/utils/with-preprocess-bindings.js

@@ -0,0 +1,14 @@
+import { getHelpers } from '../../helpers/index.js';
+export function withPreprocessBindings(knex, dbQuery) {
+    const schemaHelper = getHelpers(knex).schema;
+    dbQuery.client = new Proxy(dbQuery.client, {
+        get(target, prop, receiver) {
+            if (prop === 'query') {
+                return (connection, queryParam) => {
+                    return Reflect.get(target, prop, receiver).bind(target)(connection, schemaHelper.preprocessBindings(queryParam));
+                };
+            }
+            return Reflect.get(target, prop, receiver);
+        },
+    });
+}

package/dist/logger/index.js

@@ -79,7 +79,7 @@ export const createExpressLogger = () => {
     }
     if (env['LOG_STYLE'] === 'raw') {
         httpLoggerOptions.redact = {
-            paths: ['req.headers.authorization', 'req.headers.cookie', 'res.headers'],
+            paths: ['req.headers.authorization', 'req.headers.cookie', 'res.headers', 'req.query.access_token'],
             censor: (value, pathParts) => {
                 const path = pathParts.join('.');
                 if (path === 'res.headers') {

package/dist/middleware/error-handler.d.ts

@@ -1,3 +1,3 @@
+/// <reference types="qs" />
 import type { ErrorRequestHandler } from 'express';
-declare const errorHandler: ErrorRequestHandler;
-export default errorHandler;
+export declare const errorHandler: (err: any, req: import("express-serve-static-core").Request<import("express-serve-static-core").ParamsDictionary, any, any, import("qs").ParsedQs, Record<string, any>>, res: import("express-serve-static-core").Response<any, Record<string, any>, number>, next: import("express-serve-static-core").NextFunction) => Promise<ReturnType<ErrorRequestHandler>>;

package/dist/middleware/error-handler.js

@@ -1,40 +1,38 @@
-import { ErrorCode, MethodNotAllowedError, isDirectusError } from '@directus/errors';
-import { isObject, toArray } from '@directus/utils';
+import { ErrorCode, InternalServerError, isDirectusError } from '@directus/errors';
+import { isObject } from '@directus/utils';
 import { getNodeEnv } from '@directus/utils/node';
 import getDatabase from '../database/index.js';
 import emitter from '../emitter.js';
 import { useLogger } from '../logger/index.js';
-// Note: keep all 4 parameters here. That's how Express recognizes it's the error handler, even if
-// we don't use next
-const errorHandler = (err, req, res, _next) => {
+const FALLBACK_ERROR = new InternalServerError();
+export const errorHandler = asyncErrorHandler(async (err, req, res) => {
     const logger = useLogger();
-    let payload = {
-        errors: [],
-    };
-    const errors = toArray(err);
+    let errors = [];
     let status = null;
-    for (const error of errors) {
-        if (getNodeEnv() === 'development') {
-            if (isObject(error)) {
-                error['extensions'] = {
-                    ...(error['extensions'] || {}),
-                    stack: error['stack'],
-                };
-            }
+    // It can be assumed that at least one error is given
+    const receivedErrors = Array.isArray(err) ? err : [err];
+    for (const error of receivedErrors) {
+        // In dev mode, if available, expose stack trace under error's extensions data
+        if (getNodeEnv() === 'development' && error instanceof Error && error.stack) {
+            (error.extensions ??= {})['stack'] = error.stack;
         }
         if (isDirectusError(error)) {
             logger.debug(error);
-            if (!status) {
+            if (status === null) {
+                // Use current error status as response status
                 status = error.status;
             }
             else if (status !== error.status) {
-                status = 500;
+                // Fallback if status has already been set by a preceding error
+                // and doesn't match the current one
+                status = FALLBACK_ERROR.status;
             }
-            payload.errors.push({
+            errors.push({
                 message: error.message,
                 extensions: {
-                    code: error.code,
                     ...(error.extensions ?? {}),
+                    // Expose error code under error's extensions data
+                    code: error.code,
                 },
             });
             if (isDirectusError(error, ErrorCode.MethodNotAllowed)) {
@@ -43,45 +41,50 @@ const errorHandler = (err, req, res, _next) => {
         }
         else {
             logger.error(error);
-            status = 500;
+            status = FALLBACK_ERROR.status;
             if (req.accountability?.admin === true) {
                 const localError = isObject(error) ? error : {};
-                const message = localError['message'] ?? typeof error === 'string' ? error : null;
-                payload = {
-                    errors: [
-                        {
-                            message: message || 'An unexpected error occurred.',
-                            extensions: {
-                                code: 'INTERNAL_SERVER_ERROR',
-                                ...(localError['extensions'] ?? {}),
-                            },
+                // Use 'message' prop if available, otherwise if 'error' is a string use that
+                const message = (typeof localError['message'] === 'string' ? localError['message'] : null) ??
+                    (typeof error === 'string' ? error : null);
+                errors = [
+                    {
+                        message: message || FALLBACK_ERROR.message,
+                        extensions: {
+                            code: FALLBACK_ERROR.code,
+                            ...(localError['extensions'] ?? {}),
                         },
-                    ],
-                };
+                    },
+                ];
             }
             else {
-                payload = {
-                    errors: [
-                        {
-                            message: 'An unexpected error occurred.',
-                            extensions: {
-                                code: 'INTERNAL_SERVER_ERROR',
-                            },
-                        },
-                    ],
-                };
+                // Don't expose unknown errors to non-admin users
+                errors = [{ message: FALLBACK_ERROR.message, extensions: { code: FALLBACK_ERROR.code } }];
             }
         }
     }
-    res.status(status ?? 500);
-    emitter
-        .emitFilter('request.error', payload.errors, {}, {
+    res.status(status ?? FALLBACK_ERROR.status);
+    const updatedErrors = await emitter.emitFilter('request.error', errors, {}, {
         database: getDatabase(),
         schema: req.schema,
         accountability: req.accountability ?? null,
-    })
-        .then((updatedErrors) => {
-        return res.json({ ...payload, errors: updatedErrors });
     });
-};
-export default errorHandler;
+    return res.json({ errors: updatedErrors });
+});
+function asyncErrorHandler(fn) {
+    return (err, req, res, next) => fn(err, req, res, next).catch((error) => {
+        // To be on the safe side and ensure this doesn't lead to an unhandled (potentially crashing) error
+        try {
+            const logger = useLogger();
+            logger.error(error, 'Unexpected error in error handler');
+        }
+        catch {
+            // Ignore
+        }
+        // Delegate to default error handler to close the connection
+        if (res.headersSent)
+            return next(err);
+        res.status(FALLBACK_ERROR.status);
+        return res.json({ errors: [{ message: FALLBACK_ERROR.message, extensions: { code: FALLBACK_ERROR.code } }] });
+    });
+}

package/dist/permissions/lib/fetch-permissions.d.ts

@@ -6,5 +6,6 @@ export interface FetchPermissionsOptions {
     policies: string[];
     collections?: string[];
     accountability?: Pick<Accountability, 'user' | 'role' | 'roles' | 'app'>;
+    bypassDynamicVariableProcessing?: boolean;
 }
 export declare function _fetchPermissions(options: FetchPermissionsOptions, context: Context): Promise<Permission[]>;

package/dist/permissions/lib/fetch-permissions.js

@@ -3,11 +3,12 @@ import { fetchDynamicVariableContext } from '../utils/fetch-dynamic-variable-con
 import { processPermissions } from '../utils/process-permissions.js';
 import { withCache } from '../utils/with-cache.js';
 import { withAppMinimalPermissions } from './with-app-minimal-permissions.js';
-export const fetchPermissions = withCache('permissions', _fetchPermissions, ({ action, policies, collections, accountability }) => ({
+export const fetchPermissions = withCache('permissions', _fetchPermissions, ({ action, policies, collections, accountability, bypassDynamicVariableProcessing }) => ({
     policies, // we assume that policies always come from the same source, so they should be in the same order
     ...(action && { action }),
     ...(collections && { collections: sortBy(collections) }),
     ...(accountability && { accountability: pick(accountability, ['user', 'role', 'roles', 'app']) }),
+    ...(bypassDynamicVariableProcessing && { bypassDynamicVariableProcessing }),
 }));
 export async function _fetchPermissions(options, context) {
     const { PermissionsService } = await import('../../services/permissions.js');
@@ -29,7 +30,7 @@ export async function _fetchPermissions(options, context) {
     // This ensures that if a sorted array of policies is passed in the permissions are returned in the same order
     // which is necessary for correctly applying the presets in order
     permissions = sortBy(permissions, (permission) => options.policies.indexOf(permission.policy));
-    if (options.accountability) {
+    if (options.accountability && !options.bypassDynamicVariableProcessing) {
         // Add app minimal permissions for the request accountability, if applicable.
         // Normally this is done in the permissions service readByQuery, but it also needs to do it here
         // since the permissions service is created without accountability.

package/dist/permissions/lib/fetch-policies.d.ts

@@ -1,5 +1,12 @@
 import type { Accountability } from '@directus/types';
 import type { Context } from '../types.js';
+export interface AccessRow {
+    policy: {
+        id: string;
+        ip_access: string[] | null;
+    };
+    role: string | null;
+}
 export declare const fetchPolicies: typeof _fetchPolicies;
 /**
  * Fetch the policies associated with the current user accountability

package/dist/permissions/lib/fetch-policies.js

@@ -19,10 +19,25 @@ export async function _fetchPolicies({ roles, user, ip }, context) {
     const filter = user ? { _or: [{ user: { _eq: user } }, roleFilter] } : roleFilter;
     const accessRows = (await accessService.readByQuery({
         filter,
-        fields: ['policy.id', 'policy.ip_access'],
+        fields: ['policy.id', 'policy.ip_access', 'role'],
         limit: -1,
     }));
     const filteredAccessRows = filterPoliciesByIp(accessRows, ip);
+    /*
+     * Sort rows by priority (goes bottom up):
+     * - Parent role policies
+     * - Child role policies
+     * - User policies
+     */
+    filteredAccessRows.sort((a, b) => {
+        if (!a.role && !b.role)
+            return 0;
+        if (!a.role)
+            return 1;
+        if (!b.role)
+            return -1;
+        return roles.indexOf(a.role) - roles.indexOf(b.role);
+    });
     const ids = filteredAccessRows.map(({ policy }) => policy.id);
     return ids;
 }