@directus/api 21.0.0 → 22.0.0

package/dist/services/import-export.js

@@ -15,6 +15,7 @@ import StreamArray from 'stream-json/streamers/StreamArray.js';
 import getDatabase from '../database/index.js';
 import emitter from '../emitter.js';
 import { useLogger } from '../logger/index.js';
+import { validateAccess } from '../permissions/modules/validate-access/validate-access.js';
 import { getDateFormatted } from '../utils/get-date-formatted.js';
 import { getService } from '../utils/get-service.js';
 import { transaction } from '../utils/transaction.js';
@@ -23,6 +24,7 @@ import { userName } from '../utils/user-name.js';
 import { FilesService } from './files.js';
 import { NotificationsService } from './notifications.js';
 import { UsersService } from './users.js';
+import { parseFields } from '../database/get-ast-from-query/lib/parse-fields.js';
 const env = useEnv();
 const logger = useLogger();
 export class ImportService {
@@ -37,10 +39,23 @@ export class ImportService {
     async import(collection, mimetype, stream) {
         if (this.accountability?.admin !== true && isSystemCollection(collection))
             throw new ForbiddenError();
-        const createPermissions = this.accountability?.permissions?.find((permission) => permission.collection === collection && permission.action === 'create');
-        const updatePermissions = this.accountability?.permissions?.find((permission) => permission.collection === collection && permission.action === 'update');
-        if (this.accountability?.admin !== true && (!createPermissions || !updatePermissions)) {
-            throw new ForbiddenError();
+        if (this.accountability) {
+            await validateAccess({
+                accountability: this.accountability,
+                action: 'create',
+                collection,
+            }, {
+                schema: this.schema,
+                knex: this.knex,
+            });
+            await validateAccess({
+                accountability: this.accountability,
+                action: 'update',
+                collection,
+            }, {
+                schema: this.schema,
+                knex: this.knex,
+            });
         }
         switch (mimetype) {
             case 'application/json':
@@ -248,9 +263,26 @@ export class ExportService {
                     });
                     readCount += result.length;
                     if (result.length) {
+                        let csvHeadings = null;
+                        if (format === 'csv') {
+                            if (!query.fields)
+                                query.fields = ['*'];
+                            // to ensure the all headings are included in the CSV file, all possible fields need to be determined.
+                            const parsedFields = await parseFields({
+                                parentCollection: collection,
+                                fields: query.fields,
+                                query: query,
+                                accountability: this.accountability,
+                            }, {
+                                schema: this.schema,
+                                knex: database,
+                            });
+                            csvHeadings = getHeadingsForCsvExport(parsedFields);
+                        }
                         await appendFile(tmpFile.path, this.transform(result, format, {
                             includeHeader: batch === 0,
                             includeFooter: batch + 1 === batchesRequired,
+                            fields: csvHeadings,
                         }));
                     }
                 }
@@ -345,11 +377,12 @@ Your export of ${collection} is ready. <a href="${href}">Click here to view.</a>
         if (format === 'csv') {
             if (input.length === 0)
                 return '';
-            const parser = new CSVParser({
-                transforms: [CSVTransforms.flatten({ separator: '.' })],
-                header: options?.includeHeader !== false,
-            });
-            let string = parser.parse(input);
+            const transforms = [CSVTransforms.flatten({ separator: '.' })];
+            const header = options?.includeHeader !== false;
+            const transformOptions = options?.fields
+                ? { transforms, header, fields: options?.fields }
+                : { transforms, header };
+            let string = new CSVParser(transformOptions).parse(input);
             if (options?.includeHeader === false) {
                 string = '\n' + string;
             }
@@ -361,3 +394,28 @@ Your export of ${collection} is ready. <a href="${href}">Click here to view.</a>
         throw new ServiceUnavailableError({ service: 'export', reason: `Illegal export type used: "${format}"` });
     }
 }
+/*
+ * Recursive function to traverse the field nodes, to determine the headings for the CSV export file.
+ *
+ * Relational nodes which target a single item get expanded, which means that their nested fields get their own column in the csv file.
+ * For relational nodes which target a multiple items, the nested field names are not going to be expanded.
+ * Instead they will be stored as a single value/cell of the CSV file.
+ */
+export function getHeadingsForCsvExport(nodes, prefix = '') {
+    let fieldNames = [];
+    if (!nodes)
+        return fieldNames;
+    nodes.forEach((node) => {
+        switch (node.type) {
+            case 'field':
+            case 'functionField':
+            case 'o2m':
+            case 'a2o':
+                fieldNames.push(prefix ? `${prefix}.${node.fieldKey}` : node.fieldKey);
+                break;
+            case 'm2o':
+                fieldNames = fieldNames.concat(getHeadingsForCsvExport(node.children, prefix ? `${prefix}.${node.fieldKey}` : node.fieldKey));
+        }
+    });
+    return fieldNames;
+}

package/dist/services/index.d.ts

@@ -1,7 +1,7 @@
+export * from './access.js';
 export * from './activity.js';
 export * from './assets.js';
 export * from './authentication.js';
-export * from './authorization.js';
 export * from './collections.js';
 export * from './dashboards.js';
 export * from './extensions.js';
@@ -18,7 +18,8 @@ export * from './notifications.js';
 export * from './operations.js';
 export * from './panels.js';
 export * from './payload.js';
-export * from './permissions/index.js';
+export * from './permissions.js';
+export * from './policies.js';
 export * from './presets.js';
 export * from './relations.js';
 export * from './revisions.js';

package/dist/services/index.js

@@ -1,7 +1,7 @@
+export * from './access.js';
 export * from './activity.js';
 export * from './assets.js';
 export * from './authentication.js';
-export * from './authorization.js';
 export * from './collections.js';
 export * from './dashboards.js';
 export * from './extensions.js';
@@ -18,7 +18,8 @@ export * from './notifications.js';
 export * from './operations.js';
 export * from './panels.js';
 export * from './payload.js';
-export * from './permissions/index.js';
+export * from './permissions.js';
+export * from './policies.js';
 export * from './presets.js';
 export * from './relations.js';
 export * from './revisions.js';

package/dist/services/items.js

@@ -5,15 +5,18 @@ import { isSystemCollection } from '@directus/system-data';
 import { assign, clone, cloneDeep, omit, pick, without } from 'lodash-es';
 import { getCache } from '../cache.js';
 import { translateDatabaseError } from '../database/errors/translate.js';
+import { getAstFromQuery } from '../database/get-ast-from-query/get-ast-from-query.js';
 import { getHelpers } from '../database/helpers/index.js';
 import getDatabase from '../database/index.js';
-import runAST from '../database/run-ast.js';
+import { runAst } from '../database/run-ast/run-ast.js';
 import emitter from '../emitter.js';
-import getASTFromQuery from '../utils/get-ast-from-query.js';
+import { processAst } from '../permissions/modules/process-ast/process-ast.js';
+import { processPayload } from '../permissions/modules/process-payload/process-payload.js';
+import { validateAccess } from '../permissions/modules/validate-access/validate-access.js';
 import { shouldClearCache } from '../utils/should-clear-cache.js';
 import { transaction } from '../utils/transaction.js';
 import { validateKeys } from '../utils/validate-keys.js';
-import { AuthorizationService } from './authorization.js';
+import { UserIntegrityCheckFlag, validateUserCountIntegrity } from '../utils/validate-user-count-integrity.js';
 import { PayloadService } from './payload.js';
 const env = useEnv();
 export class ItemsService {
@@ -98,17 +101,13 @@ export class ItemsService {
         // that any errors thrown in any nested relational changes will bubble up and cancel the whole
         // update tree
         const primaryKey = await transaction(this.knex, async (trx) => {
-            // We're creating new services instances so they can use the transaction as their Knex interface
-            const payloadService = new PayloadService(this.collection, {
-                accountability: this.accountability,
-                knex: trx,
-                schema: this.schema,
-            });
-            const authorizationService = new AuthorizationService({
+            const serviceOptions = {
                 accountability: this.accountability,
                 knex: trx,
                 schema: this.schema,
-            });
+            };
+            // We're creating new services instances so they can use the transaction as their Knex interface
+            const payloadService = new PayloadService(this.collection, serviceOptions);
             // Run all hooks that are attached to this event so the end user has the chance to augment the
             // item that is about to be saved
             const payloadAfterHooks = opts.emitEvents !== false
@@ -123,13 +122,21 @@ export class ItemsService {
                 })
                 : payload;
             const payloadWithPresets = this.accountability
-                ? authorizationService.validatePayload('create', this.collection, payloadAfterHooks)
+                ? await processPayload({
+                    accountability: this.accountability,
+                    action: 'create',
+                    collection: this.collection,
+                    payload: payloadAfterHooks,
+                }, {
+                    knex: trx,
+                    schema: this.schema,
+                })
                 : payloadAfterHooks;
             if (opts.preMutationError) {
                 throw opts.preMutationError;
             }
-            const { payload: payloadWithM2O, revisions: revisionsM2O, nestedActionEvents: nestedActionEventsM2O, } = await payloadService.processM2O(payloadWithPresets, opts);
-            const { payload: payloadWithA2O, revisions: revisionsA2O, nestedActionEvents: nestedActionEventsA2O, } = await payloadService.processA2O(payloadWithM2O, opts);
+            const { payload: payloadWithM2O, revisions: revisionsM2O, nestedActionEvents: nestedActionEventsM2O, userIntegrityCheckFlags: userIntegrityCheckFlagsM2O, } = await payloadService.processM2O(payloadWithPresets, opts);
+            const { payload: payloadWithA2O, revisions: revisionsA2O, nestedActionEvents: nestedActionEventsA2O, userIntegrityCheckFlags: userIntegrityCheckFlagsA2O, } = await payloadService.processA2O(payloadWithM2O, opts);
             const payloadWithoutAliases = pick(payloadWithA2O, without(fields, ...aliases));
             const payloadWithTypeCasting = await payloadService.processValues('create', payloadWithoutAliases);
             // The primary key can already exist in the payload.
@@ -187,10 +194,22 @@ export class ItemsService {
             }
             // At this point, the primary key is guaranteed to be set.
             primaryKey = primaryKey;
-            const { revisions: revisionsO2M, nestedActionEvents: nestedActionEventsO2M } = await payloadService.processO2M(payloadWithPresets, primaryKey, opts);
+            const { revisions: revisionsO2M, nestedActionEvents: nestedActionEventsO2M, userIntegrityCheckFlags: userIntegrityCheckFlagsO2M, } = await payloadService.processO2M(payloadWithPresets, primaryKey, opts);
             nestedActionEvents.push(...nestedActionEventsM2O);
             nestedActionEvents.push(...nestedActionEventsA2O);
             nestedActionEvents.push(...nestedActionEventsO2M);
+            const userIntegrityCheckFlags = (opts.userIntegrityCheckFlags ?? UserIntegrityCheckFlag.None) |
+                userIntegrityCheckFlagsM2O |
+                userIntegrityCheckFlagsA2O |
+                userIntegrityCheckFlagsO2M;
+            if (userIntegrityCheckFlags) {
+                if (opts.onRequireUserIntegrityCheck) {
+                    opts.onRequireUserIntegrityCheck(userIntegrityCheckFlags);
+                }
+                else {
+                    await validateUserCountIntegrity({ flags: userIntegrityCheckFlags, knex: trx });
+                }
+            }
             // If this is an authenticated action, and accountability tracking is enabled, save activity row
             if (this.accountability && this.schema.collections[this.collection].accountability !== null) {
                 const activityService = new ActivityService({
@@ -281,6 +300,7 @@ export class ItemsService {
             opts.mutationTracker = this.createMutationTracker();
         const { primaryKeys, nestedActionEvents } = await transaction(this.knex, async (knex) => {
             const service = this.fork({ knex });
+            let userIntegrityCheckFlags = opts.userIntegrityCheckFlags ?? UserIntegrityCheckFlag.None;
             const primaryKeys = [];
             const nestedActionEvents = [];
             const pkField = this.schema.collections[this.collection].primary;
@@ -294,12 +314,21 @@ export class ItemsService {
                 const primaryKey = await service.createOne(payload, {
                     ...(opts || {}),
                     autoPurgeCache: false,
+                    onRequireUserIntegrityCheck: (flags) => (userIntegrityCheckFlags |= flags),
                     bypassEmitAction: (params) => nestedActionEvents.push(params),
                     mutationTracker: opts.mutationTracker,
                     bypassAutoIncrementSequenceReset,
                 });
                 primaryKeys.push(primaryKey);
             }
+            if (userIntegrityCheckFlags) {
+                if (opts.onRequireUserIntegrityCheck) {
+                    opts.onRequireUserIntegrityCheck(userIntegrityCheckFlags);
+                }
+                else {
+                    await validateUserCountIntegrity({ flags: userIntegrityCheckFlags, knex });
+                }
+            }
             return { primaryKeys, nestedActionEvents };
         });
         if (opts.emitEvents !== false) {
@@ -332,27 +361,21 @@ export class ItemsService {
                 accountability: this.accountability,
             })
             : query;
-        let ast = await getASTFromQuery(this.collection, updatedQuery, this.schema, {
+        let ast = await getAstFromQuery({
+            collection: this.collection,
+            query: updatedQuery,
             accountability: this.accountability,
-            // By setting the permissions action, you can read items using the permissions for another
-            // operation's permissions. This is used to dynamically check if you have update/delete
-            // access to (a) certain item(s)
-            action: opts?.permissionsAction || 'read',
+        }, {
+            schema: this.schema,
             knex: this.knex,
         });
-        if (this.accountability && this.accountability.admin !== true) {
-            const authorizationService = new AuthorizationService({
-                accountability: this.accountability,
-                knex: this.knex,
-                schema: this.schema,
-            });
-            ast = await authorizationService.processAST(ast, opts?.permissionsAction);
-        }
-        const records = await runAST(ast, this.schema, {
+        ast = await processAst({ ast, action: 'read', accountability: this.accountability }, { knex: this.knex, schema: this.schema });
+        const records = await runAst(ast, this.schema, {
             knex: this.knex,
             // GraphQL requires relational keys to be returned regardless
             stripNonRequested: opts?.stripNonRequested !== undefined ? opts.stripNonRequested : true,
         });
+        // TODO when would this happen?
         if (records === null) {
             throw new ForbiddenError();
         }
@@ -450,13 +473,26 @@ export class ItemsService {
         try {
             await transaction(this.knex, async (knex) => {
                 const service = this.fork({ knex });
+                let userIntegrityCheckFlags = opts.userIntegrityCheckFlags ?? UserIntegrityCheckFlag.None;
                 for (const item of data) {
                     const primaryKey = item[primaryKeyField];
                     if (!primaryKey)
                         throw new InvalidPayloadError({ reason: `Item in update misses primary key` });
-                    const combinedOpts = Object.assign({ autoPurgeCache: false }, opts);
+                    const combinedOpts = {
+                        autoPurgeCache: false,
+                        ...opts,
+                        onRequireUserIntegrityCheck: (flags) => (userIntegrityCheckFlags |= flags),
+                    };
                     keys.push(await service.updateOne(primaryKey, omit(item, primaryKeyField), combinedOpts));
                 }
+                if (userIntegrityCheckFlags) {
+                    if (opts.onRequireUserIntegrityCheck) {
+                        opts.onRequireUserIntegrityCheck(userIntegrityCheckFlags);
+                    }
+                    else {
+                        await validateUserCountIntegrity({ flags: userIntegrityCheckFlags, knex });
+                    }
+                }
             });
         }
         finally {
@@ -485,11 +521,6 @@ export class ItemsService {
             .map((field) => field.field);
         const payload = cloneDeep(data);
         const nestedActionEvents = [];
-        const authorizationService = new AuthorizationService({
-            accountability: this.accountability,
-            knex: this.knex,
-            schema: this.schema,
-        });
         // Run all hooks that are attached to this event so the end user has the chance to augment the
         // item that is about to be saved
         const payloadAfterHooks = opts.emitEvents !== false
@@ -507,10 +538,26 @@ export class ItemsService {
         // Sort keys to ensure that the order is maintained
         keys.sort();
         if (this.accountability) {
-            await authorizationService.checkAccess('update', this.collection, keys);
+            await validateAccess({
+                accountability: this.accountability,
+                action: 'update',
+                collection: this.collection,
+                primaryKeys: keys,
+            }, {
+                schema: this.schema,
+                knex: this.knex,
+            });
         }
         const payloadWithPresets = this.accountability
-            ? authorizationService.validatePayload('update', this.collection, payloadAfterHooks)
+            ? await processPayload({
+                accountability: this.accountability,
+                action: 'update',
+                collection: this.collection,
+                payload: payloadAfterHooks,
+            }, {
+                knex: this.knex,
+                schema: this.schema,
+            })
             : payloadAfterHooks;
         if (opts.preMutationError) {
             throw opts.preMutationError;
@@ -521,8 +568,8 @@ export class ItemsService {
                 knex: trx,
                 schema: this.schema,
             });
-            const { payload: payloadWithM2O, revisions: revisionsM2O, nestedActionEvents: nestedActionEventsM2O, } = await payloadService.processM2O(payloadWithPresets, opts);
-            const { payload: payloadWithA2O, revisions: revisionsA2O, nestedActionEvents: nestedActionEventsA2O, } = await payloadService.processA2O(payloadWithM2O, opts);
+            const { payload: payloadWithM2O, revisions: revisionsM2O, nestedActionEvents: nestedActionEventsM2O, userIntegrityCheckFlags: userIntegrityCheckFlagsM2O, } = await payloadService.processM2O(payloadWithPresets, opts);
+            const { payload: payloadWithA2O, revisions: revisionsA2O, nestedActionEvents: nestedActionEventsA2O, userIntegrityCheckFlags: userIntegrityCheckFlagsA2O, } = await payloadService.processA2O(payloadWithM2O, opts);
             const payloadWithoutAliasAndPK = pick(payloadWithA2O, without(fields, primaryKeyField, ...aliases));
             const payloadWithTypeCasting = await payloadService.processValues('update', payloadWithoutAliasAndPK);
             if (Object.keys(payloadWithTypeCasting).length > 0) {
@@ -534,12 +581,25 @@ export class ItemsService {
                 }
             }
             const childrenRevisions = [...revisionsM2O, ...revisionsA2O];
+            let userIntegrityCheckFlags = opts.userIntegrityCheckFlags ??
+                UserIntegrityCheckFlag.None | userIntegrityCheckFlagsM2O | userIntegrityCheckFlagsA2O;
             nestedActionEvents.push(...nestedActionEventsM2O);
             nestedActionEvents.push(...nestedActionEventsA2O);
             for (const key of keys) {
-                const { revisions, nestedActionEvents: nestedActionEventsO2M } = await payloadService.processO2M(payloadWithA2O, key, opts);
+                const { revisions, nestedActionEvents: nestedActionEventsO2M, userIntegrityCheckFlags: userIntegrityCheckFlagsO2M, } = await payloadService.processO2M(payloadWithA2O, key, opts);
                 childrenRevisions.push(...revisions);
                 nestedActionEvents.push(...nestedActionEventsO2M);
+                userIntegrityCheckFlags |= userIntegrityCheckFlagsO2M;
+            }
+            if (userIntegrityCheckFlags) {
+                if (opts?.onRequireUserIntegrityCheck) {
+                    opts.onRequireUserIntegrityCheck(userIntegrityCheckFlags);
+                }
+                else {
+                    // Having no onRequireUserIntegrityCheck callback indicates that
+                    // this is the top level invocation of the nested updates, so perform the user integrity check
+                    await validateUserCountIntegrity({ flags: userIntegrityCheckFlags, knex: trx });
+                }
             }
             // If this is an authenticated action, and accountability tracking is enabled, save activity row
             if (this.accountability && this.schema.collections[this.collection].accountability !== null) {
@@ -708,13 +768,16 @@ export class ItemsService {
         const { ActivityService } = await import('./activity.js');
         const primaryKeyField = this.schema.collections[this.collection].primary;
         validateKeys(this.schema, this.collection, primaryKeyField, keys);
-        if (this.accountability && this.accountability.admin !== true) {
-            const authorizationService = new AuthorizationService({
+        if (this.accountability) {
+            await validateAccess({
                 accountability: this.accountability,
-                schema: this.schema,
+                action: 'delete',
+                collection: this.collection,
+                primaryKeys: keys,
+            }, {
                 knex: this.knex,
+                schema: this.schema,
             });
-            await authorizationService.checkAccess('delete', this.collection, keys);
         }
         if (opts.preMutationError) {
             throw opts.preMutationError;
@@ -730,6 +793,14 @@ export class ItemsService {
         }
         await transaction(this.knex, async (trx) => {
             await trx(this.collection).whereIn(primaryKeyField, keys).delete();
+            if (opts.userIntegrityCheckFlags) {
+                if (opts.onRequireUserIntegrityCheck) {
+                    opts.onRequireUserIntegrityCheck(opts.userIntegrityCheckFlags);
+                }
+                else {
+                    await validateUserCountIntegrity({ flags: opts.userIntegrityCheckFlags, knex: trx });
+                }
+            }
             if (this.accountability && this.schema.collections[this.collection].accountability !== null) {
                 const activityService = new ActivityService({
                     knex: trx,

package/dist/services/meta.js

@@ -1,5 +1,8 @@
 import getDatabase from '../database/index.js';
-import { ForbiddenError } from '@directus/errors';
+import { fetchPermissions } from '../permissions/lib/fetch-permissions.js';
+import { fetchPolicies } from '../permissions/lib/fetch-policies.js';
+import { dedupeAccess } from '../permissions/modules/process-ast/utils/dedupe-access.js';
+import { validateAccess } from '../permissions/modules/validate-access/validate-access.js';
 import { applyFilter, applySearch } from '../utils/apply-query.js';
 export class MetaService {
     knex;
@@ -28,39 +31,73 @@ export class MetaService {
         }, {});
     }
     async totalCount(collection) {
-        const dbQuery = this.knex(collection).count('*', { as: 'count' }).first();
-        if (this.accountability?.admin !== true) {
-            const permissionsRecord = this.accountability?.permissions?.find((permission) => {
-                return permission.action === 'read' && permission.collection === collection;
-            });
-            if (!permissionsRecord)
-                throw new ForbiddenError();
-            const permissions = permissionsRecord.permissions ?? {};
-            applyFilter(this.knex, this.schema, dbQuery, permissions, collection, {});
+        const dbQuery = this.knex(collection);
+        let hasJoins = false;
+        if (this.accountability && this.accountability.admin === false) {
+            const context = { knex: this.knex, schema: this.schema };
+            await validateAccess({
+                accountability: this.accountability,
+                action: 'read',
+                collection,
+            }, context);
+            const policies = await fetchPolicies(this.accountability, context);
+            const permissions = await fetchPermissions({
+                action: 'read',
+                policies,
+                accountability: this.accountability,
+                ...(collection ? { collections: [collection] } : {}),
+            }, context);
+            const rules = dedupeAccess(permissions);
+            const cases = rules.map(({ rule }) => rule);
+            const filter = {
+                _or: cases,
+            };
+            const result = applyFilter(this.knex, this.schema, dbQuery, filter, collection, {}, cases);
+            hasJoins = result.hasJoins;
+        }
+        if (hasJoins) {
+            const primaryKeyName = this.schema.collections[collection].primary;
+            dbQuery.countDistinct({ count: [`${collection}.${primaryKeyName}`] });
+        }
+        else {
+            dbQuery.count('*', { as: 'count' });
         }
-        const result = await dbQuery;
+        const result = await dbQuery.first();
         return Number(result?.count ?? 0);
     }
     async filterCount(collection, query) {
         const dbQuery = this.knex(collection);
         let filter = query.filter || {};
         let hasJoins = false;
-        if (this.accountability?.admin !== true) {
-            const permissionsRecord = this.accountability?.permissions?.find((permission) => {
-                return permission.action === 'read' && permission.collection === collection;
-            });
-            if (!permissionsRecord)
-                throw new ForbiddenError();
-            const permissions = permissionsRecord.permissions ?? {};
+        let cases = [];
+        if (this.accountability && this.accountability.admin === false) {
+            const context = { knex: this.knex, schema: this.schema };
+            await validateAccess({
+                accountability: this.accountability,
+                action: 'read',
+                collection,
+            }, context);
+            const policies = await fetchPolicies(this.accountability, context);
+            const permissions = await fetchPermissions({
+                action: 'read',
+                policies,
+                accountability: this.accountability,
+                ...(collection ? { collections: [collection] } : {}),
+            }, context);
+            const rules = dedupeAccess(permissions);
+            cases = rules.map(({ rule }) => rule);
+            const permissionsFilter = {
+                _or: cases,
+            };
             if (Object.keys(filter).length > 0) {
-                filter = { _and: [permissions, filter] };
+                filter = { _and: [permissionsFilter, filter] };
             }
             else {
-                filter = permissions;
+                filter = permissionsFilter;
             }
         }
         if (Object.keys(filter).length > 0) {
-            ({ hasJoins } = applyFilter(this.knex, this.schema, dbQuery, filter, collection, {}));
+            ({ hasJoins } = applyFilter(this.knex, this.schema, dbQuery, filter, collection, {}, cases));
         }
         if (query.search) {
             applySearch(this.knex, this.schema, dbQuery, query.search, collection);
@@ -72,7 +109,7 @@ export class MetaService {
         else {
             dbQuery.count('*', { as: 'count' });
         }
-        const records = await dbQuery;
-        return Number(records[0]['count']);
+        const result = await dbQuery.first();
+        return Number(result?.count ?? 0);
     }
 }

package/dist/services/notifications.js

@@ -1,5 +1,7 @@
 import { useEnv } from '@directus/env';
 import { useLogger } from '../logger/index.js';
+import { fetchRolesTree } from '../permissions/lib/fetch-roles-tree.js';
+import { fetchGlobalAccess } from '../permissions/modules/fetch-global-access/fetch-global-access.js';
 import { md } from '../utils/md.js';
 import { Url } from '../utils/url.js';
 import { ItemsService } from './items.js';
@@ -23,18 +25,24 @@ export class NotificationsService extends ItemsService {
     async sendEmail(data) {
         if (data.recipient) {
             const user = await this.usersService.readOne(data.recipient, {
-                fields: ['id', 'email', 'email_notifications', 'role.app_access'],
+                fields: ['id', 'email', 'email_notifications', 'role'],
             });
-            const manageUserAccountUrl = new Url(env['PUBLIC_URL'])
-                .addPath('admin', 'users', user['id'])
-                .toString();
-            const html = data.message ? md(data.message) : '';
             if (user['email'] && user['email_notifications'] === true) {
+                const manageUserAccountUrl = new Url(env['PUBLIC_URL'])
+                    .addPath('admin', 'users', user['id'])
+                    .toString();
+                const html = data.message ? md(data.message) : '';
+                const roles = await fetchRolesTree(user['role'], this.knex);
+                const { app: app_access } = await fetchGlobalAccess({
+                    user: user['id'],
+                    roles,
+                    ip: null,
+                }, this.knex);
                 this.mailService
                     .send({
                     template: {
                         name: 'base',
-                        data: user['role']?.app_access ? { url: manageUserAccountUrl, html } : { html },
+                        data: app_access ? { url: manageUserAccountUrl, html } : { html },
                     },
                     to: user['email'],
                     subject: data.subject,

package/dist/services/payload.d.ts

@@ -2,6 +2,7 @@ import type { Accountability, Item, PrimaryKey, SchemaOverview } from '@directus
 import type { Knex } from 'knex';
 import type { Helpers } from '../database/helpers/index.js';
 import type { AbstractServiceOptions, ActionEventParams, MutationOptions } from '../types/index.js';
+import { UserIntegrityCheckFlag } from '../utils/validate-user-count-integrity.js';
 type Action = 'create' | 'read' | 'update';
 type Transformers = {
     [type: string]: (context: {
@@ -13,6 +14,11 @@ type Transformers = {
         helpers: Helpers;
     }) => Promise<any>;
 };
+type PayloadServiceProcessRelationResult = {
+    revisions: PrimaryKey[];
+    nestedActionEvents: ActionEventParams[];
+    userIntegrityCheckFlags: UserIntegrityCheckFlag;
+};
 /**
  * Process a given payload for a collection to ensure the special fields (hash, uuid, date etc) are
  * handled correctly.
@@ -46,26 +52,19 @@ export declare class PayloadService {
     /**
      * Recursively save/update all nested related Any-to-One items
      */
-    processA2O(data: Partial<Item>, opts?: MutationOptions): Promise<{
+    processA2O(data: Partial<Item>, opts?: MutationOptions): Promise<PayloadServiceProcessRelationResult & {
         payload: Partial<Item>;
-        revisions: PrimaryKey[];
-        nestedActionEvents: ActionEventParams[];
     }>;
     /**
      * Save/update all nested related m2o items inside the payload
      */
-    processM2O(data: Partial<Item>, opts?: MutationOptions): Promise<{
+    processM2O(data: Partial<Item>, opts?: MutationOptions): Promise<PayloadServiceProcessRelationResult & {
         payload: Partial<Item>;
-        revisions: PrimaryKey[];
-        nestedActionEvents: ActionEventParams[];
     }>;
     /**
      * Recursively save/update all nested related o2m items
      */
-    processO2M(data: Partial<Item>, parent: PrimaryKey, opts?: MutationOptions): Promise<{
-        revisions: PrimaryKey[];
-        nestedActionEvents: ActionEventParams[];
-    }>;
+    processO2M(data: Partial<Item>, parent: PrimaryKey, opts?: MutationOptions): Promise<PayloadServiceProcessRelationResult>;
     /**
      * Transforms the input partial payload to match the output structure, to have consistency
      * between delta and data