npm - @directus/api - Versions diffs - 21.0.0 → 22.0.0 - Mend

@directus/api 21.0.0 → 22.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (285) hide show

package/dist/services/roles.js CHANGED Viewed

@@ -1,441 +1,51 @@
-import { InvalidPayloadError, UnprocessableContentError } from '@directus/errors';
-import { getMatch } from 'ip-matching';
-import { omit } from 'lodash-es';
-import { checkIncreasedUserLimits } from '../telemetry/utils/check-increased-user-limits.js';
-import { getRoleCountsByUsers } from '../telemetry/utils/get-role-counts-by-users.js';
-import {} from '../telemetry/utils/get-user-count.js';
-import { getUserCountsByRoles } from '../telemetry/utils/get-user-counts-by-roles.js';
-import { shouldCheckUserLimits } from '../telemetry/utils/should-check-user-limits.js';
-import { shouldClearCache } from '../utils/should-clear-cache.js';
+import { InvalidPayloadError } from '@directus/errors';
+import { clearSystemCache } from '../cache.js';
+import { fetchRolesTree } from '../permissions/lib/fetch-roles-tree.js';
 import { transaction } from '../utils/transaction.js';
+import { UserIntegrityCheckFlag } from '../utils/validate-user-count-integrity.js';
 import { ItemsService } from './items.js';
-import { PermissionsService } from './permissions/index.js';
+import { AccessService } from './access.js';
 import { PresetsService } from './presets.js';
 import { UsersService } from './users.js';
 export class RolesService extends ItemsService {
     constructor(options) {
         super('directus_roles', options);
     }
-    async checkForOtherAdminRoles(excludeKeys) {
-        // Make sure there's at least one admin role left after this deletion is done
-        const otherAdminRoles = await this.knex
-            .count('*', { as: 'count' })
-            .from('directus_roles')
-            .whereNotIn('id', excludeKeys)
-            .andWhere({ admin_access: true })
-            .first();
-        const otherAdminRolesCount = Number(otherAdminRoles?.count ?? 0);
-        if (otherAdminRolesCount === 0) {
-            throw new UnprocessableContentError({ reason: `You can't delete the last admin role` });
-        }
-    }
-    async checkForOtherAdminUsers(key, users) {
-        const role = await this.knex.select('admin_access').from('directus_roles').where('id', '=', key).first();
-        // No-op if role doesn't exist
-        if (!role)
-            return;
-        const usersBefore = (await this.knex.select('id').from('directus_users').where('role', '=', key)).map((user) => user.id);
-        const usersAdded = [];
-        const usersUpdated = [];
-        const usersCreated = [];
-        const usersRemoved = [];
-        if (Array.isArray(users)) {
-            const usersKept = [];
-            for (const user of users) {
-                if (typeof user === 'string') {
-                    if (usersBefore.includes(user)) {
-                        usersKept.push(user);
-                    }
-                    else {
-                        usersAdded.push({ id: user });
-                    }
-                }
-                else if (user.id) {
-                    if (usersBefore.includes(user.id)) {
-                        usersKept.push(user.id);
-                        usersUpdated.push(user);
-                    }
-                    else {
-                        usersAdded.push(user);
-                    }
-                }
-                else {
-                    usersCreated.push(user);
-                }
-            }
-            usersRemoved.push(...usersBefore.filter((user) => !usersKept.includes(user)));
-        }
-        else {
-            for (const user of users.update) {
-                if (usersBefore.includes(user['id'])) {
-                    usersUpdated.push(user);
-                }
-                else {
-                    usersAdded.push(user);
-                }
-            }
-            usersCreated.push(...users.create);
-            usersRemoved.push(...users.delete);
-        }
-        if (role.admin_access === false || role.admin_access === 0) {
-            // Admin users might have moved in from other role, thus becoming non-admin
-            if (usersAdded.length > 0) {
-                const otherAdminUsers = await this.knex
-                    .count('*', { as: 'count' })
-                    .from('directus_users')
-                    .leftJoin('directus_roles', 'directus_users.role', 'directus_roles.id')
-                    .whereNotIn('directus_users.id', usersAdded.map((user) => user.id))
-                    .andWhere({ 'directus_roles.admin_access': true, status: 'active' })
-                    .first();
-                const otherAdminUsersCount = Number(otherAdminUsers?.count ?? 0);
-                if (otherAdminUsersCount === 0) {
-                    throw new UnprocessableContentError({ reason: `You can't remove the last admin user from the admin role` });
-                }
-            }
-            return;
-        }
-        // Only added or created new users
-        if (usersUpdated.length === 0 && usersRemoved.length === 0)
-            return;
-        // Active admin user(s) about to be created
-        if (usersCreated.some((user) => !('status' in user) || user.status === 'active'))
-            return;
-        const usersDeactivated = [...usersAdded, ...usersUpdated]
-            .filter((user) => 'status' in user && user.status !== 'active')
-            .map((user) => user.id);
-        const usersAddedNonDeactivated = usersAdded
-            .filter((user) => !usersDeactivated.includes(user.id))
-            .map((user) => user.id);
-        // Active user(s) about to become admin
-        if (usersAddedNonDeactivated.length > 0) {
-            const userCount = await this.knex
-                .count('*', { as: 'count' })
-                .from('directus_users')
-                .whereIn('id', usersAddedNonDeactivated)
-                .andWhere({ status: 'active' })
-                .first();
-            if (Number(userCount?.count ?? 0) > 0) {
-                return;
-            }
-        }
-        const otherAdminUsers = await this.knex
-            .count('*', { as: 'count' })
-            .from('directus_users')
-            .leftJoin('directus_roles', 'directus_users.role', 'directus_roles.id')
-            .whereNotIn('directus_users.id', [...usersDeactivated, ...usersRemoved])
-            .andWhere({ 'directus_roles.admin_access': true, status: 'active' })
-            .first();
-        const otherAdminUsersCount = Number(otherAdminUsers?.count ?? 0);
-        if (otherAdminUsersCount === 0) {
-            throw new UnprocessableContentError({ reason: `You can't remove the last admin user from the admin role` });
-        }
-        return;
-    }
-    isIpAccessValid(value) {
-        if (value === undefined)
-            return false;
-        if (value === null)
-            return true;
-        if (Array.isArray(value) && value.length === 0)
-            return true;
-        for (const ip of value) {
-            if (typeof ip !== 'string' || ip.includes('*'))
-                return false;
-            try {
-                const match = getMatch(ip);
-                if (match.type == 'IPMask')
-                    return false;
-            }
-            catch {
-                return false;
-            }
-        }
-        return true;
-    }
-    assertValidIpAccess(partialItem) {
-        if ('ip_access' in partialItem && !this.isIpAccessValid(partialItem['ip_access'])) {
-            throw new InvalidPayloadError({
-                reason: 'IP Access contains an incorrect value. Valid values are: IP addresses, IP ranges and CIDR blocks',
-            });
-        }
-    }
-    getRoleAccessType(data) {
-        if ('admin_access' in data && data['admin_access'] === true) {
-            return 'admin';
-        }
-        else if (('app_access' in data && data['app_access'] === true) || 'app_access' in data === false) {
-            return 'app';
-        }
-        else {
-            return 'api';
-        }
+    // No need to check user integrity in createOne, as the creation of a role itself does not influence the number of
+    // users, as the role of a user is actually updated in the UsersService on the user, which will make sure to
+    // initiate a user integrity check if necessary. Same goes for role nesting check as well as cache clearing.
+    async updateMany(keys, data, opts = {}) {
+        if ('parent' in data) {
+            // If the parent of a role changed we need to make a full integrity check.
+            // Anything related to policies will be checked in the AccessService, where the policies are attached to roles
+            opts.userIntegrityCheckFlags = UserIntegrityCheckFlag.All;
+            opts.onRequireUserIntegrityCheck?.(opts.userIntegrityCheckFlags);
+            await this.validateRoleNesting(keys, data['parent']);
+        }
+        const result = await super.updateMany(keys, data, opts);
+        // Only clear the permissions cache if the parent role has changed
+        // If anything policies related has changed, the cache will be cleared in the AccessService as well
+        if ('parent' in data) {
+            await this.clearCaches();
+        }
+        return result;
     }
-    async createOne(data, opts) {
-        this.assertValidIpAccess(data);
-        if (shouldCheckUserLimits()) {
-            const increasedCounts = {
-                admin: 0,
-                app: 0,
-                api: 0,
-            };
-            const existingIds = [];
-            if ('users' in data) {
-                const type = this.getRoleAccessType(data);
-                increasedCounts[type] += data['users'].length;
-                for (const user of data['users']) {
-                    if (typeof user === 'string') {
-                        existingIds.push(user);
-                    }
-                    else if (typeof user === 'object' && 'id' in user) {
-                        existingIds.push(user['id']);
-                    }
-                }
-            }
-            await checkIncreasedUserLimits(this.knex, increasedCounts, existingIds);
-        }
-        return super.createOne(data, opts);
-    }
-    async createMany(data, opts) {
-        const needsUserLimitCheck = shouldCheckUserLimits();
-        const increasedCounts = {
-            admin: 0,
-            app: 0,
-            api: 0,
-        };
-        const existingIds = [];
-        for (const partialItem of data) {
-            this.assertValidIpAccess(partialItem);
-            if (needsUserLimitCheck && 'users' in partialItem) {
-                const type = this.getRoleAccessType(partialItem);
-                increasedCounts[type] += partialItem['users'].length;
-                for (const user of partialItem['users']) {
-                    if (typeof user === 'string') {
-                        existingIds.push(user);
-                    }
-                    else if (typeof user === 'object' && 'id' in user) {
-                        existingIds.push(user['id']);
-                    }
-                }
-            }
-        }
-        if (needsUserLimitCheck) {
-            await checkIncreasedUserLimits(this.knex, increasedCounts, existingIds);
-        }
-        return super.createMany(data, opts);
-    }
-    async updateOne(key, data, opts) {
-        this.assertValidIpAccess(data);
-        try {
-            if ('users' in data) {
-                await this.checkForOtherAdminUsers(key, data['users']);
-            }
-            if (shouldCheckUserLimits()) {
-                const increasedCounts = {
-                    admin: 0,
-                    app: 0,
-                    api: 0,
-                };
-                let increasedUsers = 0;
-                const existingIds = [];
-                let existingRole = await this.knex
-                    .count('directus_users.id', { as: 'count' })
-                    .select('directus_roles.admin_access', 'directus_roles.app_access')
-                    .from('directus_users')
-                    .where('directus_roles.id', '=', key)
-                    .andWhere('directus_users.status', '=', 'active')
-                    .leftJoin('directus_roles', 'directus_users.role', '=', 'directus_roles.id')
-                    .groupBy('directus_roles.admin_access', 'directus_roles.app_access')
-                    .first();
-                if (!existingRole) {
-                    try {
-                        const role = (await this.knex
-                            .select('admin_access', 'app_access')
-                            .from('directus_roles')
-                            .where('id', '=', key)
-                            .first()) ?? { admin_access: null, app_access: null };
-                        existingRole = { count: 0, ...role };
-                    }
-                    catch {
-                        existingRole = { count: 0, admin_access: null, app_access: null };
-                    }
-                }
-                if ('users' in data) {
-                    const users = data['users'];
-                    if (Array.isArray(users)) {
-                        increasedUsers = users.length - Number(existingRole.count);
-                        for (const user of users) {
-                            if (typeof user === 'string') {
-                                existingIds.push(user);
-                            }
-                            else if (typeof user === 'object' && 'id' in user) {
-                                existingIds.push(user['id']);
-                            }
-                        }
-                    }
-                    else {
-                        increasedUsers += users.create.length;
-                        increasedUsers -= users.delete.length;
-                        const userIds = [];
-                        for (const user of users.update) {
-                            if ('status' in user) {
-                                // account for users being activated and deactivated
-                                if (user['status'] === 'active') {
-                                    increasedUsers++;
-                                }
-                                else {
-                                    increasedUsers--;
-                                }
-                            }
-                            userIds.push(user.id);
-                        }
-                        try {
-                            const existingCounts = await getRoleCountsByUsers(this.knex, userIds);
-                            if (existingRole.admin_access) {
-                                increasedUsers += existingCounts.app + existingCounts.api;
-                            }
-                            else if (existingRole.app_access) {
-                                increasedUsers += existingCounts.admin + existingCounts.api;
-                            }
-                            else {
-                                increasedUsers += existingCounts.admin + existingCounts.app;
-                            }
-                        }
-                        catch {
-                            // ignore failed user call
-                        }
-                    }
-                }
-                let isAccessChanged = false;
-                let accessType = 'api';
-                if ('app_access' in data) {
-                    if (data['app_access'] === true) {
-                        accessType = 'app';
-                        if (!existingRole.app_access)
-                            isAccessChanged = true;
-                    }
-                    else if (existingRole.app_access) {
-                        isAccessChanged = true;
-                    }
-                }
-                else if (existingRole.app_access) {
-                    accessType = 'app';
-                }
-                if ('admin_access' in data) {
-                    if (data['admin_access'] === true) {
-                        accessType = 'admin';
-                        if (!existingRole.admin_access)
-                            isAccessChanged = true;
-                    }
-                    else if (existingRole.admin_access) {
-                        isAccessChanged = true;
-                    }
-                }
-                else if (existingRole.admin_access) {
-                    accessType = 'admin';
-                }
-                if (isAccessChanged) {
-                    increasedCounts[accessType] += Number(existingRole.count);
-                }
-                increasedCounts[accessType] += increasedUsers;
-                await checkIncreasedUserLimits(this.knex, increasedCounts, existingIds);
-            }
-        }
-        catch (err) {
-            (opts || (opts = {})).preMutationError = err;
-        }
-        return super.updateOne(key, data, opts);
-    }
-    async updateBatch(data, opts = {}) {
-        for (const partialItem of data) {
-            this.assertValidIpAccess(partialItem);
-        }
-        const primaryKeyField = this.schema.collections[this.collection].primary;
-        if (!opts.mutationTracker) {
-            opts.mutationTracker = this.createMutationTracker();
-        }
-        const keys = [];
-        try {
-            await transaction(this.knex, async (trx) => {
-                const service = new RolesService({
-                    accountability: this.accountability,
-                    knex: trx,
-                    schema: this.schema,
-                });
-                for (const item of data) {
-                    const combinedOpts = Object.assign({ autoPurgeCache: false }, opts);
-                    keys.push(await service.updateOne(item[primaryKeyField], omit(item, primaryKeyField), combinedOpts));
-                }
-            });
-        }
-        finally {
-            if (shouldClearCache(this.cache, opts, this.collection)) {
-                await this.cache.clear();
-            }
-        }
-        return keys;
-    }
-    async updateMany(keys, data, opts) {
-        this.assertValidIpAccess(data);
-        try {
-            if ('admin_access' in data && data['admin_access'] === false) {
-                await this.checkForOtherAdminRoles(keys);
-            }
-            if (shouldCheckUserLimits() && ('admin_access' in data || 'app_access' in data)) {
-                const existingCounts = await getUserCountsByRoles(this.knex, keys);
-                const increasedCounts = {
-                    admin: 0,
-                    app: 0,
-                    api: 0,
-                };
-                const type = this.getRoleAccessType(data);
-                for (const [existingType, existingCount] of Object.entries(existingCounts)) {
-                    if (existingType === type)
-                        continue;
-                    increasedCounts[type] += existingCount;
-                }
-                await checkIncreasedUserLimits(this.knex, increasedCounts);
-            }
-        }
-        catch (err) {
-            (opts || (opts = {})).preMutationError = err;
-        }
-        return super.updateMany(keys, data, opts);
-    }
-    async updateByQuery(query, data, opts) {
-        this.assertValidIpAccess(data);
-        return super.updateByQuery(query, data, opts);
-    }
-    async deleteMany(keys) {
-        const opts = {};
-        try {
-            await this.checkForOtherAdminRoles(keys);
-        }
-        catch (err) {
-            opts.preMutationError = err;
-        }
+    async deleteMany(keys, opts = {}) {
+        opts.userIntegrityCheckFlags = UserIntegrityCheckFlag.All;
+        opts.onRequireUserIntegrityCheck?.(opts.userIntegrityCheckFlags);
         await transaction(this.knex, async (trx) => {
-            const itemsService = new ItemsService('directus_roles', {
-                knex: trx,
-                accountability: this.accountability,
-                schema: this.schema,
-            });
-            const permissionsService = new PermissionsService({
+            const options = {
                 knex: trx,
                 accountability: this.accountability,
                 schema: this.schema,
-            });
-            const presetsService = new PresetsService({
-                knex: trx,
-                accountability: this.accountability,
-                schema: this.schema,
-            });
-            const usersService = new UsersService({
-                knex: trx,
-                accountability: this.accountability,
-                schema: this.schema,
-            });
+            };
+            const itemsService = new ItemsService('directus_roles', options);
+            const rolesService = new RolesService(options);
+            const accessService = new AccessService(options);
+            const presetsService = new PresetsService(options);
+            const usersService = new UsersService(options);
             // Delete permissions/presets for this role, suspend all remaining users in role
-            await permissionsService.deleteByQuery({
+            await accessService.deleteByQuery({
                 filter: { role: { _in: keys } },
             }, { ...opts, bypassLimits: true });
             await presetsService.deleteByQuery({
@@ -447,8 +57,31 @@ export class RolesService extends ItemsService {
                 status: 'suspended',
                 role: null,
             }, { ...opts, bypassLimits: true });
+            // If the about to be deleted roles are the parent of other roles set those parents to null
+            // Use a newly created RolesService here that works within the current transaction
+            await rolesService.updateByQuery({
+                filter: { parent: { _in: keys } },
+            }, { parent: null });
             await itemsService.deleteMany(keys, opts);
         });
+        // Since nested roles could be updated, clear caches
+        await this.clearCaches();
         return keys;
     }
+    async validateRoleNesting(ids, parent) {
+        if (ids.includes(parent)) {
+            throw new InvalidPayloadError({ reason: 'A role cannot be a parent of itself' });
+        }
+        const roles = await fetchRolesTree(parent, this.knex);
+        if (ids.some((id) => roles.includes(id))) {
+            // The role tree up from the parent already includes this role, so it would create a circular reference
+            throw new InvalidPayloadError({ reason: 'A role cannot have a parent that is already a descendant of itself' });
+        }
+    }
+    async clearCaches(opts) {
+        await clearSystemCache({ autoPurgeCache: opts?.autoPurgeCache });
+        if (this.cache && opts?.autoPurgeCache !== false) {
+            await this.cache.clear();
+        }
+    }
 }

package/dist/services/shares.d.ts CHANGED Viewed

@@ -1,9 +1,7 @@
 import type { Item, PrimaryKey } from '@directus/types';
 import type { AbstractServiceOptions, LoginResult, MutationOptions } from '../types/index.js';
-import { AuthorizationService } from './authorization.js';
 import { ItemsService } from './items.js';
 export declare class SharesService extends ItemsService {
-    authorizationService: AuthorizationService;
     constructor(options: AbstractServiceOptions);
     createOne(data: Partial<Item>, opts?: MutationOptions): Promise<PrimaryKey>;
     login(payload: Record<string, any>, options?: Partial<{

package/dist/services/shares.js CHANGED Viewed

@@ -3,29 +3,33 @@ import { ForbiddenError, InvalidCredentialsError } from '@directus/errors';
 import argon2 from 'argon2';
 import jwt from 'jsonwebtoken';
 import { useLogger } from '../logger/index.js';
+import { validateAccess } from '../permissions/modules/validate-access/validate-access.js';
 import { getMilliseconds } from '../utils/get-milliseconds.js';
 import { getSecret } from '../utils/get-secret.js';
 import { md } from '../utils/md.js';
 import { Url } from '../utils/url.js';
 import { userName } from '../utils/user-name.js';
-import { AuthorizationService } from './authorization.js';
 import { ItemsService } from './items.js';
 import { MailService } from './mail/index.js';
 import { UsersService } from './users.js';
 const env = useEnv();
 const logger = useLogger();
 export class SharesService extends ItemsService {
-    authorizationService;
     constructor(options) {
         super('directus_shares', options);
-        this.authorizationService = new AuthorizationService({
-            accountability: this.accountability,
-            knex: this.knex,
-            schema: this.schema,
-        });
     }
     async createOne(data, opts) {
-        await this.authorizationService.checkAccess('share', data['collection'], data['item']);
+        if (this.accountability) {
+            await validateAccess({
+                accountability: this.accountability,
+                action: 'share',
+                collection: data['collection'],
+                primaryKeys: [data['item']],
+            }, {
+                schema: this.schema,
+                knex: this.knex,
+            });
+        }
         return super.createOne(data, opts);
     }
     async login(payload, options) {

package/dist/services/specifications.d.ts CHANGED Viewed

@@ -9,7 +9,7 @@ export declare class SpecificationService {
     schema: SchemaOverview;
     oas: OASSpecsService;
     graphql: GraphQLSpecsService;
-    constructor({ accountability, knex, schema }: AbstractServiceOptions);
+    constructor(options: AbstractServiceOptions);
 }
 interface SpecificationSubService {
     generate: (_?: any) => Promise<any>;
@@ -18,7 +18,7 @@ declare class OASSpecsService implements SpecificationSubService {
     accountability: Accountability | null;
     knex: Knex;
     schema: SchemaOverview;
-    constructor({ knex, schema, accountability }: AbstractServiceOptions);
+    constructor(options: AbstractServiceOptions);
     generate(host?: string): Promise<OpenAPIObject>;
     private generateTags;
     private generatePaths;