@directus/api 21.0.0 → 22.0.0

package/dist/database/migrations/20240806A-permissions-policies.js

@@ -0,0 +1,338 @@
+import { processChunk, toBoolean } from '@directus/utils';
+import { flatten, intersection, isEqual, merge, omit, uniq } from 'lodash-es';
+import { randomUUID } from 'node:crypto';
+import { fetchPermissions } from '../../permissions/lib/fetch-permissions.js';
+import { fetchPolicies } from '../../permissions/lib/fetch-policies.js';
+import { fetchRolesTree } from '../../permissions/lib/fetch-roles-tree.js';
+import { getSchema } from '../../utils/get-schema.js';
+// Adapted from https://github.com/directus/directus/blob/141b8adbf4dd8e06530a7929f34e3fc68a522053/api/src/utils/merge-permissions.ts#L4
+export function mergePermissions(strategy, ...permissions) {
+    const allPermissions = flatten(permissions);
+    const mergedPermissions = allPermissions
+        .reduce((acc, val) => {
+        const key = `${val.collection}__${val.action}`;
+        const current = acc.get(key);
+        acc.set(key, current ? mergePermission(strategy, current, val) : val);
+        return acc;
+    }, new Map())
+        .values();
+    return Array.from(mergedPermissions);
+}
+export function mergePermission(strategy, currentPerm, newPerm) {
+    const logicalKey = `_${strategy}`;
+    let { permissions, validation, fields, presets } = currentPerm;
+    if (newPerm.permissions) {
+        if (currentPerm.permissions && Object.keys(currentPerm.permissions)[0] === logicalKey) {
+            permissions = {
+                [logicalKey]: [
+                    ...currentPerm.permissions[logicalKey],
+                    newPerm.permissions,
+                ],
+            };
+        }
+        else if (currentPerm.permissions) {
+            // Empty {} supersedes other permissions in _OR merge
+            if (strategy === 'or' && (isEqual(currentPerm.permissions, {}) || isEqual(newPerm.permissions, {}))) {
+                permissions = {};
+            }
+            else {
+                permissions = {
+                    [logicalKey]: [currentPerm.permissions, newPerm.permissions],
+                };
+            }
+        }
+        else {
+            permissions = {
+                [logicalKey]: [newPerm.permissions],
+            };
+        }
+    }
+    if (newPerm.validation) {
+        if (currentPerm.validation && Object.keys(currentPerm.validation)[0] === logicalKey) {
+            validation = {
+                [logicalKey]: [
+                    ...currentPerm.validation[logicalKey],
+                    newPerm.validation,
+                ],
+            };
+        }
+        else if (currentPerm.validation) {
+            // Empty {} supersedes other validations in _OR merge
+            if (strategy === 'or' && (isEqual(currentPerm.validation, {}) || isEqual(newPerm.validation, {}))) {
+                validation = {};
+            }
+            else {
+                validation = {
+                    [logicalKey]: [currentPerm.validation, newPerm.validation],
+                };
+            }
+        }
+        else {
+            validation = {
+                [logicalKey]: [newPerm.validation],
+            };
+        }
+    }
+    if (newPerm.fields) {
+        if (Array.isArray(currentPerm.fields) && strategy === 'or') {
+            fields = uniq([...currentPerm.fields, ...newPerm.fields]);
+        }
+        else if (Array.isArray(currentPerm.fields) && strategy === 'and') {
+            fields = intersection(currentPerm.fields, newPerm.fields);
+        }
+        else {
+            fields = newPerm.fields;
+        }
+        if (fields.includes('*'))
+            fields = ['*'];
+    }
+    if (newPerm.presets) {
+        presets = merge({}, presets, newPerm.presets);
+    }
+    return omit({
+        ...currentPerm,
+        permissions,
+        validation,
+        fields,
+        presets,
+    }, ['id', 'system']);
+}
+async function fetchRoleAccess(roles, context) {
+    const roleAccess = {
+        admin_access: false,
+        app_access: false,
+        ip_access: null,
+        enforce_tfa: false,
+    };
+    const accessRows = await context
+        .knex('directus_access')
+        .select('directus_policies.id', 'directus_policies.admin_access', 'directus_policies.app_access', 'directus_policies.ip_access', 'directus_policies.enforce_tfa')
+        .where('role', 'in', roles)
+        .leftJoin('directus_policies', 'directus_policies.id', 'directus_access.policy');
+    const ipAccess = new Set();
+    for (const { admin_access, app_access, ip_access, enforce_tfa } of accessRows) {
+        roleAccess.admin_access ||= toBoolean(admin_access);
+        roleAccess.app_access ||= toBoolean(app_access);
+        roleAccess.enforce_tfa ||= toBoolean(enforce_tfa);
+        if (ip_access && ip_access.length) {
+            ip_access.split(',').forEach((ip) => ipAccess.add(ip));
+        }
+    }
+    if (ipAccess.size > 0) {
+        roleAccess.ip_access = Array.from(ipAccess).join(',');
+    }
+    return roleAccess;
+}
+/**
+ * The public role used to be `null`, we gotta create a single new policy for the permissions
+ * previously attached to the public role (marked through `role = null`).
+ */
+const PUBLIC_POLICY_ID = 'abf8a154-5b1c-4a46-ac9c-7300570f4f17';
+export async function up(knex) {
+    /////////////////////////////////////////////////////////////////////////////////////////////////
+    // If the policies table already exists the migration has already run
+    if (await knex.schema.hasTable('directus_policies')) {
+        return;
+    }
+    /////////////////////////////////////////////////////////////////////////////////////////////////
+    // Create new policies table that mirrors previous Roles
+    await knex.schema.createTable('directus_policies', (table) => {
+        table.uuid('id').primary();
+        table.string('name', 100).notNullable();
+        table.string('icon', 64).notNullable().defaultTo('badge');
+        table.text('description');
+        table.text('ip_access');
+        table.boolean('enforce_tfa').defaultTo(false).notNullable();
+        table.boolean('admin_access').defaultTo(false).notNullable();
+        table.boolean('app_access').defaultTo(false).notNullable();
+    });
+    /////////////////////////////////////////////////////////////////////////////////////////////////
+    // Copy over all existing roles into new policies
+    const roles = await knex
+        .select('id', 'name', 'icon', 'description', 'ip_access', 'enforce_tfa', 'admin_access', 'app_access')
+        .from('directus_roles');
+    if (roles.length > 0) {
+        await processChunk(roles, 100, async (chunk) => {
+            await knex('directus_policies').insert(chunk);
+        });
+    }
+    await knex
+        .insert({
+        id: PUBLIC_POLICY_ID,
+        name: '$t:public_label',
+        icon: 'public',
+        description: '$t:public_description',
+        app_access: false,
+    })
+        .into('directus_policies');
+    // Change the admin policy description to $t:admin_policy_description
+    await knex('directus_policies')
+        .update({
+        description: '$t:admin_policy_description',
+    })
+        .where('description', 'LIKE', '$t:admin_description');
+    /////////////////////////////////////////////////////////////////////////////////////////////////
+    // Remove access control + add nesting to roles
+    await knex.schema.alterTable('directus_roles', (table) => {
+        table.dropColumn('ip_access');
+        table.dropColumn('enforce_tfa');
+        table.dropColumn('admin_access');
+        table.dropColumn('app_access');
+        table.uuid('parent').references('directus_roles.id');
+    });
+    /////////////////////////////////////////////////////////////////////////////////////////////////
+    // Link permissions to policies instead of roles
+    await knex.schema.alterTable('directus_permissions', (table) => {
+        table.uuid('policy').references('directus_policies.id').onDelete('CASCADE');
+        // Drop the foreign key constraint here in order to update `null` role to public policy ID
+        table.dropForeign('role');
+    });
+    await knex('directus_permissions')
+        .update({
+        role: PUBLIC_POLICY_ID,
+    })
+        .whereNull('role');
+    await knex('directus_permissions').update({
+        policy: knex.ref('role'),
+    });
+    await knex.schema.alterTable('directus_permissions', (table) => {
+        table.dropColumns('role');
+        table.dropNullable('policy');
+    });
+    /////////////////////////////////////////////////////////////////////////////////////////////////
+    // Setup junction table between roles/users and policies
+    // This could be a A2O style setup with a collection/item field rather than individual foreign
+    // keys, but we want to be able to show the reverse-relationship on the individual policies as
+    // well, which would require the O2A type to exist in Directus which currently doesn't.
+    // Shouldn't be the end of the world here, as we know we're only attaching policies to two other
+    // collections.
+    await knex.schema.createTable('directus_access', (table) => {
+        table.uuid('id').primary();
+        table.uuid('role').references('directus_roles.id').nullable().onDelete('CASCADE');
+        table.uuid('user').references('directus_users.id').nullable().onDelete('CASCADE');
+        table.uuid('policy').references('directus_policies.id').notNullable().onDelete('CASCADE');
+        table.integer('sort');
+    });
+    /////////////////////////////////////////////////////////////////////////////////////////////////
+    // Attach policies to existing roles for backwards compatibility
+    const policyAttachments = roles.map((role) => ({
+        id: randomUUID(),
+        role: role.id,
+        user: null,
+        policy: role.id,
+        sort: 1,
+    }));
+    await processChunk(policyAttachments, 100, async (chunk) => {
+        await knex('directus_access').insert(chunk);
+    });
+    await knex('directus_access').insert({
+        id: randomUUID(),
+        role: null,
+        user: null,
+        policy: PUBLIC_POLICY_ID,
+        sort: 1,
+    });
+}
+export async function down(knex) {
+    /////////////////////////////////////////////////////////////////////////////////////////////////
+    // Reinstate access control fields on directus roles
+    await knex.schema.alterTable('directus_roles', (table) => {
+        table.text('ip_access');
+        table.boolean('enforce_tfa').defaultTo(false).notNullable();
+        table.boolean('admin_access').defaultTo(false).notNullable();
+        table.boolean('app_access').defaultTo(true).notNullable();
+    });
+    /////////////////////////////////////////////////////////////////////////////////////////////////
+    // Copy policy access control rules back to roles
+    const originalPermissions = await knex
+        .select('id')
+        .from('directus_permissions')
+        .whereNot({ policy: PUBLIC_POLICY_ID });
+    await knex.schema.alterTable('directus_permissions', (table) => {
+        table.uuid('role').nullable();
+        table.setNullable('policy');
+    });
+    const context = { knex, schema: await getSchema() };
+    // fetch all roles
+    const roles = await knex.select('id').from('directus_roles');
+    // simulate Public Role
+    roles.push({ id: null });
+    // role permissions to be inserted once all processing is completed
+    const rolePermissions = [];
+    for (const role of roles) {
+        const roleTree = await fetchRolesTree(role.id, knex);
+        let roleAccess = null;
+        if (role.id !== null) {
+            roleAccess = await fetchRoleAccess(roleTree, context);
+            await knex('directus_roles').update(roleAccess).where({ id: role.id });
+        }
+        if (roleAccess === null || !roleAccess.admin_access) {
+            // fetch all of the roles policies
+            const policies = await fetchPolicies({ roles: roleTree, user: null, ip: null }, context);
+            //  fetch all of the policies permissions
+            const rawPermissions = await fetchPermissions({
+                accountability: { role: null, roles: roleTree, user: null, app: roleAccess?.app_access || false },
+                policies,
+                bypassDynamicVariableProcessing: true,
+            }, context);
+            // merge all permissions to single version (v10) and save for later use
+            mergePermissions('or', rawPermissions).forEach((permission) => {
+                // System permissions are automatically populated
+                if (permission.system) {
+                    return;
+                }
+                // convert merged permissions to storage ready format
+                if (Array.isArray(permission.fields)) {
+                    permission.fields = permission.fields.join(',');
+                }
+                if (permission.permissions) {
+                    permission.permissions = JSON.stringify(permission.permissions);
+                }
+                if (permission.validation) {
+                    permission.validation = JSON.stringify(permission.validation);
+                }
+                if (permission.presets) {
+                    permission.presets = JSON.stringify(permission.presets);
+                }
+                rolePermissions.push({ role: role.id, ...omit(permission, ['id', 'policy']) });
+            });
+        }
+    }
+    /////////////////////////////////////////////////////////////////////////////////////////////////
+    // Remove role nesting support
+    await knex.schema.alterTable('directus_roles', (table) => {
+        table.dropForeign('parent');
+        table.dropColumn('parent');
+    });
+    /////////////////////////////////////////////////////////////////////////////////////////////////
+    // Drop all permissions that are only attached to a user
+    // TODO query all policies that are attached to a user and delete their permissions,
+    //  since we don't know were to put them now and it'll cause a foreign key problem
+    //  as soon as we reference directus_roles in directus_permissions again
+    /////////////////////////////////////////////////////////////////////////////////////////////////
+    // Drop policy attachments
+    await knex.schema.dropTable('directus_access');
+    /////////////////////////////////////////////////////////////////////////////////////////////////
+    // Reattach permissions to roles instead of policies
+    await knex('directus_permissions')
+        .update({
+        role: null,
+    })
+        .where({ role: PUBLIC_POLICY_ID });
+    // remove all v11 permissions
+    await processChunk(originalPermissions, 100, async (chunk) => {
+        await knex('directus_permissions').delete(chunk);
+    });
+    // insert all v10 permissions
+    await processChunk(rolePermissions, 100, async (chunk) => {
+        await knex('directus_permissions').insert(chunk);
+    });
+    await knex.schema.alterTable('directus_permissions', (table) => {
+        table.uuid('role').references('directus_roles.id').alter();
+        table.dropForeign('policy');
+        table.dropColumn('policy');
+    });
+    /////////////////////////////////////////////////////////////////////////////////////////////////
+    // Drop policies table
+    await knex.schema.dropTable('directus_policies');
+}

package/dist/database/run-ast/lib/get-db-query.d.ts

@@ -0,0 +1,4 @@
+import type { Filter, Query, SchemaOverview } from '@directus/types';
+import type { Knex } from 'knex';
+import type { FieldNode, FunctionFieldNode, O2MNode } from '../../../types/ast.js';
+export declare function getDBQuery(schema: SchemaOverview, knex: Knex, table: string, fieldNodes: (FieldNode | FunctionFieldNode)[], o2mNodes: O2MNode[], query: Query, cases: Filter[]): Knex.QueryBuilder;

package/dist/database/run-ast/lib/get-db-query.js

@@ -0,0 +1,218 @@
+import { useEnv } from '@directus/env';
+import { cloneDeep } from 'lodash-es';
+import applyQuery, { applyLimit, applySort, generateAlias } from '../../../utils/apply-query.js';
+import { getCollectionFromAlias } from '../../../utils/get-collection-from-alias.js';
+import { getColumn } from '../../../utils/get-column.js';
+import { getHelpers } from '../../helpers/index.js';
+import { applyCaseWhen } from '../utils/apply-case-when.js';
+import { getColumnPreprocessor } from '../utils/get-column-pre-processor.js';
+import { getNodeAlias } from '../utils/get-field-alias.js';
+import { getInnerQueryColumnPreProcessor } from '../utils/get-inner-query-column-pre-processor.js';
+import { withPreprocessBindings } from '../utils/with-preprocess-bindings.js';
+export function getDBQuery(schema, knex, table, fieldNodes, o2mNodes, query, cases) {
+    const aliasMap = Object.create(null);
+    const env = useEnv();
+    const preProcess = getColumnPreprocessor(knex, schema, table, cases, aliasMap);
+    const queryCopy = cloneDeep(query);
+    const helpers = getHelpers(knex);
+    const hasCaseWhen = o2mNodes.some((node) => node.whenCase && node.whenCase.length > 0) ||
+        fieldNodes.some((node) => node.whenCase && node.whenCase.length > 0);
+    queryCopy.limit = typeof queryCopy.limit === 'number' ? queryCopy.limit : Number(env['QUERY_LIMIT_DEFAULT']);
+    // Queries with aggregates and groupBy will not have duplicate result
+    if (queryCopy.aggregate || queryCopy.group) {
+        const flatQuery = knex.from(table);
+        // Map the group fields to their respective field nodes
+        const groupWhenCases = hasCaseWhen
+            ? queryCopy.group?.map((field) => fieldNodes.find(({ fieldKey }) => fieldKey === field)?.whenCase ?? [])
+            : undefined;
+        const dbQuery = applyQuery(knex, table, flatQuery, queryCopy, schema, cases, { aliasMap, groupWhenCases }).query;
+        flatQuery.select(fieldNodes.map((node) => preProcess(node)));
+        withPreprocessBindings(knex, dbQuery);
+        return dbQuery;
+    }
+    const primaryKey = schema.collections[table].primary;
+    let dbQuery = knex.from(table);
+    let sortRecords;
+    const innerQuerySortRecords = [];
+    let hasMultiRelationalSort;
+    if (queryCopy.sort) {
+        const sortResult = applySort(knex, schema, dbQuery, queryCopy, table, aliasMap, true);
+        if (sortResult) {
+            sortRecords = sortResult.sortRecords;
+            hasMultiRelationalSort = sortResult.hasMultiRelationalSort;
+        }
+    }
+    const { hasMultiRelationalFilter } = applyQuery(knex, table, dbQuery, queryCopy, schema, cases, {
+        aliasMap,
+        isInnerQuery: true,
+        hasMultiRelationalSort,
+    });
+    const needsInnerQuery = hasMultiRelationalSort || hasMultiRelationalFilter;
+    if (needsInnerQuery) {
+        dbQuery.select(`${table}.${primaryKey}`);
+        // Only add distinct if there are no case/when constructs, since otherwise we rely on group by
+        if (!hasCaseWhen)
+            dbQuery.distinct();
+    }
+    else {
+        dbQuery.select(fieldNodes.map((node) => preProcess(node)));
+        // Add flags for o2m fields with case/when to the let the DB to the partial item permissions
+        dbQuery.select(o2mNodes
+            .filter((node) => node.whenCase && node.whenCase.length > 0)
+            .map((node) => {
+            const columnCases = node.whenCase.map((index) => cases[index]);
+            return applyCaseWhen({
+                column: knex.raw(1),
+                columnCases,
+                aliasMap,
+                cases,
+                table,
+                alias: node.fieldKey,
+            }, { knex, schema });
+        }));
+    }
+    if (sortRecords) {
+        // Clears the order if any, eg: from MSSQL offset
+        dbQuery.clear('order');
+        if (needsInnerQuery) {
+            let orderByString = '';
+            const orderByFields = [];
+            sortRecords.map((sortRecord) => {
+                if (orderByString.length !== 0) {
+                    orderByString += ', ';
+                }
+                const sortAlias = `sort_${generateAlias()}`;
+                if (sortRecord.column.includes('.')) {
+                    const [alias, field] = sortRecord.column.split('.');
+                    const originalCollectionName = getCollectionFromAlias(alias, aliasMap);
+                    dbQuery.select(getColumn(knex, alias, field, sortAlias, schema, { originalCollectionName }));
+                    orderByString += `?? ${sortRecord.order}`;
+                    orderByFields.push(getColumn(knex, alias, field, false, schema, { originalCollectionName }));
+                }
+                else {
+                    dbQuery.select(getColumn(knex, table, sortRecord.column, sortAlias, schema));
+                    orderByString += `?? ${sortRecord.order}`;
+                    orderByFields.push(getColumn(knex, table, sortRecord.column, false, schema));
+                }
+                innerQuerySortRecords.push({ alias: sortAlias, order: sortRecord.order });
+            });
+            if (hasMultiRelationalSort) {
+                dbQuery = helpers.schema.applyMultiRelationalSort(knex, dbQuery, table, primaryKey, orderByString, orderByFields);
+                // Start order by with directus_row_number. The directus_row_number is derived from a window function that
+                // is ordered by the sort fields within every primary key partition. That ensures that the result with the
+                // row number = 1 is the top-most row of every partition, according to the selected sort fields.
+                // Since the only relevant result is the first row of this partition, adding the directus_row_number to the
+                // order by here ensures that all rows with a directus_row_number = 1 show up first in the inner query result,
+                // and are correctly truncated by the limit, but not earlier.
+                orderByString = `?? asc, ${orderByString}`;
+                orderByFields.unshift(knex.ref('directus_row_number'));
+            }
+            dbQuery.orderByRaw(orderByString, orderByFields);
+        }
+        else {
+            sortRecords.map((sortRecord) => {
+                if (sortRecord.column.includes('.')) {
+                    const [alias, field] = sortRecord.column.split('.');
+                    sortRecord.column = getColumn(knex, alias, field, false, schema, {
+                        originalCollectionName: getCollectionFromAlias(alias, aliasMap),
+                    });
+                }
+                else {
+                    sortRecord.column = getColumn(knex, table, sortRecord.column, false, schema);
+                }
+            });
+            dbQuery.orderBy(sortRecords);
+        }
+    }
+    if (!needsInnerQuery)
+        return dbQuery;
+    const innerCaseWhenAliasPrefix = generateAlias();
+    if (hasCaseWhen) {
+        /* If there are cases, we need to employ a trick in order to evaluate the case/when structure in the inner query,
+           while passing the result of the evaluation to the outer query. The case/when needs to be evaluated in the inner
+           query since only there all joined in tables, that might be required for the case/when, are available.
+
+           The problem is, that the resulting columns can not be directly selected in the inner query,
+           as a `SELECT DISTINCT` does not work for all datatypes in all vendors.
+
+           So instead of having an inner query which might look like this:
+
+           SELECT DISTINCT ...,
+             CASE WHEN <condition> THEN <actual-column> END AS <alias>
+
+           a group-by query is generated.
+
+             Another problem is that all not all rows with the same primary key are guaranteed to have the same value for
+             the columns with the case/when, so we to `or` those together, but counting the number of flags in a group by
+             operation. This way the flag is set to > 0 if any of the rows in the group allows access to the column.
+
+           The inner query only evaluates the condition and passes up or-ed flag, that is used in the wrapper query to select
+           the actual column:
+
+           SELECT ...,
+             COUNT (CASE WHEN <condition> THEN 1 END) AS <random-prefix>_<alias>
+             ...
+             GROUP BY <primary-key>
+
+            Then, in the wrapper query there is no need to evaluate the condition again, but instead rely on the flag:
+
+            SELECT ...,
+              CASE WHEN `inner`.<random-prefix>_<alias> > 0 THEN <actual-column> END AS <alias>
+         */
+        const innerPreprocess = getInnerQueryColumnPreProcessor(knex, schema, table, cases, aliasMap, innerCaseWhenAliasPrefix);
+        // To optimize the query we avoid having unnecessary columns in the inner query, that don't have a caseWhen, since
+        // they are selected in the outer query directly
+        dbQuery.select(fieldNodes.map(innerPreprocess).filter((x) => x !== null));
+        // In addition to the regular columns select a flag that indicates if a user has access to o2m related field
+        // based on the case/when of that field.
+        dbQuery.select(o2mNodes.map(innerPreprocess).filter((x) => x !== null));
+        const groupByFields = [knex.raw('??.??', [table, primaryKey])];
+        if (hasMultiRelationalSort) {
+            // Sort fields that are not directly in the table the primary key is from need to be included in the group
+            // by clause, otherwise this causes problems on some DBs
+            groupByFields.push(...innerQuerySortRecords.map(({ alias }) => knex.raw('??', alias)));
+        }
+        dbQuery.groupBy(groupByFields);
+    }
+    const wrapperQuery = knex
+        .from(table)
+        .innerJoin(knex.raw('??', dbQuery.as('inner')), `${table}.${primaryKey}`, `inner.${primaryKey}`);
+    if (!hasCaseWhen) {
+        // No need for case/when in the wrapper query, just select the preprocessed columns
+        wrapperQuery.select(fieldNodes.map((node) => preProcess(node)));
+    }
+    else {
+        // This applies a simplified case/when construct in the wrapper query, that only looks at flag > 1
+        // Distinguish between column with and without case/when and handle them differently
+        const plainColumns = fieldNodes.filter((fieldNode) => !fieldNode.whenCase || fieldNode.whenCase.length === 0);
+        const whenCaseColumns = fieldNodes.filter((fieldNode) => fieldNode.whenCase && fieldNode.whenCase.length > 0);
+        // Select the plain columns
+        wrapperQuery.select(plainColumns.map((node) => preProcess(node)));
+        // Select the case/when columns based on the flag from the inner query
+        wrapperQuery.select(whenCaseColumns.map((fieldNode) => {
+            const alias = getNodeAlias(fieldNode);
+            const innerAlias = `${innerCaseWhenAliasPrefix}_${alias}`;
+            // Preprocess the column without the case/when, since that is applied in a simpler fashion in the select
+            const column = preProcess({ ...fieldNode, whenCase: [] }, { noAlias: true });
+            return knex.raw(`CASE WHEN ??.?? > 0 THEN ?? END as ??`, ['inner', innerAlias, column, alias]);
+        }));
+        // Pass the flags of o2m fields up through the wrapper query
+        wrapperQuery.select(o2mNodes
+            .filter((node) => node.whenCase && node.whenCase.length > 0)
+            .map((node) => {
+            const alias = node.fieldKey;
+            const innerAlias = `${innerCaseWhenAliasPrefix}_${alias}`;
+            return knex.raw(`CASE WHEN ??.?? > 0 THEN 1 END as ??`, ['inner', innerAlias, alias]);
+        }));
+    }
+    if (sortRecords) {
+        innerQuerySortRecords.map((innerQuerySortRecord) => {
+            wrapperQuery.orderBy(`inner.${innerQuerySortRecord.alias}`, innerQuerySortRecord.order);
+        });
+        if (hasMultiRelationalSort) {
+            wrapperQuery.where('inner.directus_row_number', '=', 1);
+            applyLimit(knex, wrapperQuery, queryCopy.limit);
+        }
+    }
+    return wrapperQuery;
+}

package/dist/database/run-ast/lib/parse-current-level.d.ts

@@ -0,0 +1,7 @@
+import type { Query, SchemaOverview } from '@directus/types';
+import type { FieldNode, FunctionFieldNode, NestedCollectionNode } from '../../../types/ast.js';
+export declare function parseCurrentLevel(schema: SchemaOverview, collection: string, children: (NestedCollectionNode | FieldNode | FunctionFieldNode)[], query: Query): Promise<{
+    fieldNodes: FieldNode[];
+    nestedCollectionNodes: NestedCollectionNode[];
+    primaryKeyField: string;
+}>;

package/dist/database/run-ast/lib/parse-current-level.js

@@ -0,0 +1,41 @@
+import { parseFilterKey } from '../../../utils/parse-filter-key.js';
+export async function parseCurrentLevel(schema, collection, children, query) {
+    const primaryKeyField = schema.collections[collection].primary;
+    const columnsInCollection = Object.keys(schema.collections[collection].fields);
+    const columnsToSelectInternal = [];
+    const nestedCollectionNodes = [];
+    for (const child of children) {
+        if (child.type === 'field' || child.type === 'functionField') {
+            const { fieldName } = parseFilterKey(child.name);
+            if (columnsInCollection.includes(fieldName)) {
+                columnsToSelectInternal.push(child.fieldKey);
+            }
+            continue;
+        }
+        if (!child.relation)
+            continue;
+        if (child.type === 'm2o') {
+            columnsToSelectInternal.push(child.relation.field);
+        }
+        if (child.type === 'a2o') {
+            columnsToSelectInternal.push(child.relation.field);
+            columnsToSelectInternal.push(child.relation.meta.one_collection_field);
+        }
+        nestedCollectionNodes.push(child);
+    }
+    const isAggregate = (query.group || (query.aggregate && Object.keys(query.aggregate).length > 0)) ?? false;
+    /** Always fetch primary key in case there's a nested relation that needs it. Aggregate payloads
+     * can't have nested relational fields
+     */
+    if (isAggregate === false && columnsToSelectInternal.includes(primaryKeyField) === false) {
+        columnsToSelectInternal.push(primaryKeyField);
+    }
+    /** Make sure select list has unique values */
+    const columnsToSelect = [...new Set(columnsToSelectInternal)];
+    const fieldNodes = columnsToSelect.map((column) => children.find((childNode) => (childNode.type === 'field' || childNode.type === 'functionField') && childNode.fieldKey === column) ?? {
+        type: 'field',
+        name: column,
+        fieldKey: column,
+    });
+    return { fieldNodes, nestedCollectionNodes, primaryKeyField };
+}

package/dist/database/run-ast/run-ast.d.ts

@@ -0,0 +1,7 @@
+import type { Item, SchemaOverview } from '@directus/types';
+import type { AST, NestedCollectionNode } from '../../types/ast.js';
+import type { RunASTOptions } from './types.js';
+/**
+ * Execute a given AST using Knex. Returns array of items based on requested AST.
+ */
+export declare function runAst(originalAST: AST | NestedCollectionNode, schema: SchemaOverview, options?: RunASTOptions): Promise<null | Item | Item[]>;