npm - @directus/api - Versions diffs - 21.0.0 → 22.0.0 - Mend

@directus/api 21.0.0 → 22.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (285) hide show

package/dist/services/authentication.js CHANGED Viewed

@@ -1,3 +1,5 @@
+import { fetchRolesTree } from '../permissions/lib/fetch-roles-tree.js';
+import { fetchGlobalAccess } from '../permissions/modules/fetch-global-access/fetch-global-access.js';
 import { Action } from '@directus/constants';
 import { useEnv } from '@directus/env';
 import { InvalidCredentialsError, InvalidOtpError, ServiceUnavailableError, UserSuspendedError, } from '@directus/errors';
@@ -48,10 +50,9 @@ export class AuthenticationService {
             throw err;
         }
         const user = await this.knex
-            .select('u.id', 'u.first_name', 'u.last_name', 'u.email', 'u.password', 'u.status', 'u.role', 'r.admin_access', 'r.app_access', 'u.tfa_secret', 'u.provider', 'u.external_identifier', 'u.auth_data')
-            .from('directus_users as u')
-            .leftJoin('directus_roles as r', 'u.role', 'r.id')
-            .where('u.id', userId)
+            .select('id', 'first_name', 'last_name', 'email', 'password', 'status', 'role', 'tfa_secret', 'provider', 'external_identifier', 'auth_data')
+            .from('directus_users')
+            .where('id', userId)
             .first();
         const updatedPayload = await emitter.emitFilter('auth.login', payload, {
             status: 'pending',
@@ -128,11 +129,13 @@ export class AuthenticationService {
                 throw new InvalidOtpError();
             }
         }
+        const roles = await fetchRolesTree(user.role, this.knex);
+        const globalAccess = await fetchGlobalAccess({ roles, user: user.id, ip: this.accountability?.ip ?? null }, this.knex);
         const tokenPayload = {
             id: user.id,
             role: user.role,
-            app_access: user.app_access,
-            admin_access: user.admin_access,
+            app_access: globalAccess.app,
+            admin_access: globalAccess.admin,
         };
         const refreshToken = nanoid(64);
         const refreshTokenExpiration = new Date(Date.now() + getMilliseconds(env['REFRESH_TOKEN_TTL'], 0));
@@ -207,9 +210,7 @@ export class AuthenticationService {
             user_provider: 'u.provider',
             user_external_identifier: 'u.external_identifier',
             user_auth_data: 'u.auth_data',
-            role_id: 'r.id',
-            role_admin_access: 'r.admin_access',
-            role_app_access: 'r.app_access',
+            user_role: 'u.role',
             share_id: 'd.id',
             share_item: 'd.item',
             share_role: 'd.role',
@@ -222,9 +223,6 @@ export class AuthenticationService {
             .from('directus_sessions AS s')
             .leftJoin('directus_users AS u', 's.user', 'u.id')
             .leftJoin('directus_shares AS d', 's.share', 'd.id')
-            .leftJoin('directus_roles AS r', (join) => {
-            join.onIn('r.id', [this.knex.ref('u.role'), this.knex.ref('d.role')]);
-        })
             .where('s.token', refreshToken)
             .andWhere('s.expires', '>=', new Date())
             .andWhere((subQuery) => {
@@ -248,6 +246,8 @@ export class AuthenticationService {
                 throw new InvalidCredentialsError();
             }
         }
+        const roles = await fetchRolesTree(record.user_role, this.knex);
+        const globalAccess = await fetchGlobalAccess({ user: record.user_id, roles, ip: this.accountability?.ip ?? null }, this.knex);
         if (record.user_id) {
             const provider = getAuthProvider(record.user_provider);
             await provider.refresh({
@@ -260,9 +260,9 @@ export class AuthenticationService {
                 provider: record.user_provider,
                 external_identifier: record.user_external_identifier,
                 auth_data: record.user_auth_data,
-                role: record.role_id,
-                app_access: record.role_app_access,
-                admin_access: record.role_admin_access,
+                role: record.user_role,
+                app_access: globalAccess.app,
+                admin_access: globalAccess.admin,
             });
         }
         let newRefreshToken = record.session_next_token ?? nanoid(64);
@@ -270,9 +270,9 @@ export class AuthenticationService {
         const refreshTokenExpiration = new Date(Date.now() + getMilliseconds(sessionDuration, 0));
         const tokenPayload = {
             id: record.user_id,
-            role: record.role_id,
-            app_access: record.role_app_access,
-            admin_access: record.role_admin_access,
+            role: record.user_role,
+            app_access: globalAccess.app,
+            admin_access: globalAccess.admin,
         };
         if (options?.session) {
             newRefreshToken = await this.updateStatefulSession(record, refreshToken, newRefreshToken, refreshTokenExpiration);

package/dist/services/collections.js CHANGED Viewed

@@ -9,6 +9,8 @@ import { ALIAS_TYPES } from '../constants.js';
 import { getHelpers } from '../database/helpers/index.js';
 import getDatabase, { getSchemaInspector } from '../database/index.js';
 import emitter from '../emitter.js';
+import { fetchAllowedCollections } from '../permissions/modules/fetch-allowed-collections/fetch-allowed-collections.js';
+import { validateAccess } from '../permissions/modules/validate-access/validate-access.js';
 import { getSchema } from '../utils/get-schema.js';
 import { shouldClearCache } from '../utils/should-clear-cache.js';
 import { transaction } from '../utils/transaction.js';
@@ -223,11 +225,13 @@ export class CollectionsService {
                 ...meta,
                 [item.collection]: item.group,
             }), {});
-            let collectionsYouHavePermissionToRead = this.accountability
-                .permissions.filter((permission) => {
-                return permission.action === 'read';
-            })
-                .map(({ collection }) => collection);
+            let collectionsYouHavePermissionToRead = await fetchAllowedCollections({
+                accountability: this.accountability,
+                action: 'read',
+            }, {
+                knex: this.knex,
+                schema: this.schema,
+            });
             for (const collection of collectionsYouHavePermissionToRead) {
                 const group = collectionsGroups[collection];
                 if (group)
@@ -279,18 +283,15 @@ export class CollectionsService {
      * Read many collections by name
      */
     async readMany(collectionKeys) {
-        if (this.accountability && this.accountability.admin !== true) {
-            const permissions = this.accountability.permissions.filter((permission) => {
-                return permission.action === 'read' && collectionKeys.includes(permission.collection);
-            });
-            if (collectionKeys.length !== permissions.length) {
-                const collectionsYouHavePermissionToRead = permissions.map(({ collection }) => collection);
-                for (const collectionKey of collectionKeys) {
-                    if (collectionsYouHavePermissionToRead.includes(collectionKey) === false) {
-                        throw new ForbiddenError();
-                    }
-                }
-            }
+        if (this.accountability) {
+            await Promise.all(collectionKeys.map((collection) => validateAccess({
+                accountability: this.accountability,
+                action: 'read',
+                collection,
+            }, {
+                schema: this.schema,
+                knex: this.knex,
+            })));
         }
         const collections = await this.readByQuery();
         return collections.filter(({ collection }) => collectionKeys.includes(collection));

package/dist/services/fields.d.ts CHANGED Viewed

@@ -18,7 +18,6 @@ export declare class FieldsService {
     systemCache: Keyv<any>;
     schemaCache: Keyv<any>;
     constructor(options: AbstractServiceOptions);
-    private get hasReadAccess();
     columnInfo(collection?: string): Promise<Column[]>;
     columnInfo(collection: string, field: string): Promise<Column>;
     readAll(collection?: string): Promise<Field[]>;

package/dist/services/fields.js CHANGED Viewed

@@ -1,4 +1,5 @@
-import { KNEX_TYPES, REGEX_BETWEEN_PARENS, DEFAULT_NUMERIC_PRECISION, DEFAULT_NUMERIC_SCALE, } from '@directus/constants';
+import { DEFAULT_NUMERIC_PRECISION, DEFAULT_NUMERIC_SCALE, KNEX_TYPES, REGEX_BETWEEN_PARENS, } from '@directus/constants';
+import { useEnv } from '@directus/env';
 import { ForbiddenError, InvalidPayloadError } from '@directus/errors';
 import { createInspector } from '@directus/schema';
 import { addFieldFlag, toArray } from '@directus/utils';
@@ -9,6 +10,9 @@ import { translateDatabaseError } from '../database/errors/translate.js';
 import { getHelpers } from '../database/helpers/index.js';
 import getDatabase, { getSchemaInspector } from '../database/index.js';
 import emitter from '../emitter.js';
+import { fetchPermissions } from '../permissions/lib/fetch-permissions.js';
+import { fetchPolicies } from '../permissions/lib/fetch-policies.js';
+import { validateAccess } from '../permissions/modules/validate-access/validate-access.js';
 import getDefaultValue from '../utils/get-default-value.js';
 import { getSystemFieldRowsWithAuthProviders } from '../utils/get-field-system-rows.js';
 import getLocalType from '../utils/get-local-type.js';
@@ -19,7 +23,6 @@ import { transaction } from '../utils/transaction.js';
 import { ItemsService } from './items.js';
 import { PayloadService } from './payload.js';
 import { RelationsService } from './relations.js';
-import { useEnv } from '@directus/env';
 const systemFieldRows = getSystemFieldRowsWithAuthProviders();
 const env = useEnv();
 export class FieldsService {
@@ -46,11 +49,6 @@ export class FieldsService {
         this.systemCache = systemCache;
         this.schemaCache = localSchemaCache;
     }
-    get hasReadAccess() {
-        return !!this.accountability?.permissions?.find((permission) => {
-            return permission.collection === 'directus_fields' && permission.action === 'read';
-        });
-    }
     async columnInfo(collection, field) {
         const schemaCacheIsEnabled = Boolean(env['CACHE_SCHEMA']);
         let columnInfo = null;
@@ -73,8 +71,15 @@ export class FieldsService {
     }
     async readAll(collection) {
         let fields;
-        if (this.accountability && this.accountability.admin !== true && this.hasReadAccess === false) {
-            throw new ForbiddenError();
+        if (this.accountability) {
+            await validateAccess({
+                accountability: this.accountability,
+                action: 'read',
+                collection: 'directus_fields',
+            }, {
+                schema: this.schema,
+                knex: this.knex,
+            });
         }
         const nonAuthorizedItemsService = new ItemsService('directus_fields', {
             knex: this.knex,
@@ -143,12 +148,27 @@ export class FieldsService {
         const result = [...columnsWithSystem, ...aliasFieldsAsField].filter((field) => knownCollections.includes(field.collection));
         // Filter the result so we only return the fields you have read access to
         if (this.accountability && this.accountability.admin !== true) {
-            const permissions = this.accountability.permissions.filter((permission) => {
-                return permission.action === 'read';
-            });
+            const policies = await fetchPolicies(this.accountability, { knex: this.knex, schema: this.schema });
+            const permissions = await fetchPermissions(collection
+                ? {
+                    action: 'read',
+                    policies,
+                    collections: [collection],
+                    accountability: this.accountability,
+                }
+                : {
+                    action: 'read',
+                    policies,
+                    accountability: this.accountability,
+                }, { knex: this.knex, schema: this.schema });
             const allowedFieldsInCollection = {};
             permissions.forEach((permission) => {
-                allowedFieldsInCollection[permission.collection] = permission.fields ?? [];
+                if (!allowedFieldsInCollection[permission.collection]) {
+                    allowedFieldsInCollection[permission.collection] = new Set();
+                }
+                for (const field of permission.fields ?? []) {
+                    allowedFieldsInCollection[permission.collection].add(field);
+                }
             });
             if (collection && collection in allowedFieldsInCollection === false) {
                 throw new ForbiddenError();
@@ -157,9 +177,9 @@ export class FieldsService {
                 if (field.collection in allowedFieldsInCollection === false)
                     return false;
                 const allowedFields = allowedFieldsInCollection[field.collection];
-                if (allowedFields[0] === '*')
+                if (allowedFields.has('*'))
                     return true;
-                return allowedFields.includes(field.field);
+                return allowedFields.has(field.field);
             });
         }
         // Update specific database type overrides
@@ -176,18 +196,27 @@ export class FieldsService {
     }
     async readOne(collection, field) {
         if (this.accountability && this.accountability.admin !== true) {
-            if (this.hasReadAccess === false) {
-                throw new ForbiddenError();
-            }
-            const permissions = this.accountability.permissions.find((permission) => {
-                return permission.action === 'read' && permission.collection === collection;
+            await validateAccess({
+                accountability: this.accountability,
+                action: 'read',
+                collection,
+            }, {
+                schema: this.schema,
+                knex: this.knex,
             });
-            if (!permissions || !permissions.fields)
+            const policies = await fetchPolicies(this.accountability, { knex: this.knex, schema: this.schema });
+            const permissions = await fetchPermissions({ action: 'read', policies, collections: [collection], accountability: this.accountability }, { knex: this.knex, schema: this.schema });
+            let hasAccess = false;
+            for (const permission of permissions) {
+                if (permission.fields) {
+                    if (permission.fields.includes('*') || permission.fields.includes(field)) {
+                        hasAccess = true;
+                        break;
+                    }
+                }
+            }
+            if (!hasAccess) {
                 throw new ForbiddenError();
-            if (permissions.fields.includes('*') === false) {
-                const allowedFields = permissions.fields;
-                if (allowedFields.includes(field) === false)
-                    throw new ForbiddenError();
             }
         }
         let column = undefined;

package/dist/services/files.js CHANGED Viewed

@@ -12,6 +12,7 @@ import url from 'url';
 import { RESUMABLE_UPLOADS } from '../constants.js';
 import emitter from '../emitter.js';
 import { useLogger } from '../logger/index.js';
+import { validateAccess } from '../permissions/modules/validate-access/validate-access.js';
 import { getAxios } from '../request/index.js';
 import { getStorage } from '../storage/index.js';
 import { extractMetadata } from './files/lib/extract-metadata.js';
@@ -157,9 +158,15 @@ export class FilesService extends ItemsService {
      * Import a single file from an external URL
      */
     async importOne(importURL, body) {
-        const fileCreatePermissions = this.accountability?.permissions?.find((permission) => permission.collection === 'directus_files' && permission.action === 'create');
-        if (this.accountability && this.accountability?.admin !== true && !fileCreatePermissions) {
-            throw new ForbiddenError();
+        if (this.accountability) {
+            await validateAccess({
+                accountability: this.accountability,
+                action: 'create',
+                collection: 'directus_files',
+            }, {
+                knex: this.knex,
+                schema: this.schema,
+            });
         }
         let fileResponse;
         try {

package/dist/services/graphql/index.d.ts CHANGED Viewed

@@ -20,9 +20,9 @@ export declare class GraphQLService {
     /**
      * Generate the GraphQL schema. Pulls from the schema information generated by the get-schema util.
      */
-    getSchema(): GraphQLSchema;
-    getSchema(type: 'schema'): GraphQLSchema;
-    getSchema(type: 'sdl'): GraphQLSchema | string;
+    getSchema(): Promise<GraphQLSchema>;
+    getSchema(type: 'schema'): Promise<GraphQLSchema>;
+    getSchema(type: 'sdl'): Promise<GraphQLSchema | string>;
     /**
      * Generic resolver that's used for every "regular" items/system query. Converts the incoming GraphQL AST / fragments into
      * Directus' query structure which is then executed by the services.

package/dist/services/graphql/index.js CHANGED Viewed

@@ -11,6 +11,9 @@ import { clearSystemCache, getCache } from '../../cache.js';
 import { DEFAULT_AUTH_PROVIDER, GENERATE_SPECIAL, REFRESH_COOKIE_OPTIONS, SESSION_COOKIE_OPTIONS, } from '../../constants.js';
 import getDatabase from '../../database/index.js';
 import { rateLimiter } from '../../middleware/rate-limiter-registration.js';
+import { fetchAllowedFieldMap } from '../../permissions/modules/fetch-allowed-field-map/fetch-allowed-field-map.js';
+import { fetchInconsistentFieldMap } from '../../permissions/modules/fetch-inconsistent-field-map/fetch-inconsistent-field-map.js';
+import { createDefaultAccountability } from '../../permissions/utils/create-default-accountability.js';
 import { generateHash } from '../../utils/generate-hash.js';
 import { getGraphQLType } from '../../utils/get-graphql-type.js';
 import { getIPFromReq } from '../../utils/get-ip-from-req.js';
@@ -48,6 +51,9 @@ import { GraphQLVoid } from './types/void.js';
 import { addPathToValidationError } from './utils/add-path-to-validation-error.js';
 import processError from './utils/process-error.js';
 import { sanitizeGraphqlSchema } from './utils/sanitize-gql-schema.js';
+import { fetchAccountabilityCollectionAccess } from '../../permissions/modules/fetch-accountability-collection-access/fetch-accountability-collection-access.js';
+import { fetchAccountabilityPolicyGlobals } from '../../permissions/modules/fetch-accountability-policy-globals/fetch-accountability-policy-globals.js';
+import { RolesService } from '../roles.js';
 const env = useEnv();
 const validationRules = Array.from(specifiedRules);
 if (env['GRAPHQL_INTROSPECTION'] === false) {
@@ -80,7 +86,7 @@ export class GraphQLService {
      * Execute a GraphQL structure
      */
     async execute({ document, variables, operationName, contextValue, }) {
-        const schema = this.getSchema();
+        const schema = await this.getSchema();
         const validationErrors = validate(schema, document, validationRules).map((validationError) => addPathToValidationError(validationError));
         if (validationErrors.length > 0) {
             throw new GraphQLValidationError({ errors: validationErrors });
@@ -108,7 +114,7 @@ export class GraphQLService {
             formattedResult.extensions = result['extensions'];
         return formattedResult;
     }
-    getSchema(type = 'schema') {
+    async getSchema(type = 'schema') {
         const key = `${this.scope}_${type}_${this.accountability?.role}_${this.accountability?.user}`;
         const cachedSchema = cache.get(key);
         if (cachedSchema)
@@ -116,20 +122,53 @@ export class GraphQLService {
         // eslint-disable-next-line @typescript-eslint/no-this-alias
         const self = this;
         const schemaComposer = new SchemaComposer();
+        let schema;
         const sanitizedSchema = sanitizeGraphqlSchema(this.schema);
-        const schema = {
-            read: this.accountability?.admin === true
-                ? sanitizedSchema
-                : reduceSchema(sanitizedSchema, this.accountability?.permissions || null, ['read']),
-            create: this.accountability?.admin === true
-                ? sanitizedSchema
-                : reduceSchema(sanitizedSchema, this.accountability?.permissions || null, ['create']),
-            update: this.accountability?.admin === true
-                ? sanitizedSchema
-                : reduceSchema(sanitizedSchema, this.accountability?.permissions || null, ['update']),
-            delete: this.accountability?.admin === true
-                ? sanitizedSchema
-                : reduceSchema(sanitizedSchema, this.accountability?.permissions || null, ['delete']),
+        if (!this.accountability || this.accountability.admin) {
+            schema = {
+                read: sanitizedSchema,
+                create: sanitizedSchema,
+                update: sanitizedSchema,
+                delete: sanitizedSchema,
+            };
+        }
+        else {
+            schema = {
+                read: reduceSchema(sanitizedSchema, await fetchAllowedFieldMap({
+                    accountability: this.accountability,
+                    action: 'read',
+                }, { schema: this.schema, knex: this.knex })),
+                create: reduceSchema(sanitizedSchema, await fetchAllowedFieldMap({
+                    accountability: this.accountability,
+                    action: 'create',
+                }, { schema: this.schema, knex: this.knex })),
+                update: reduceSchema(sanitizedSchema, await fetchAllowedFieldMap({
+                    accountability: this.accountability,
+                    action: 'update',
+                }, { schema: this.schema, knex: this.knex })),
+                delete: reduceSchema(sanitizedSchema, await fetchAllowedFieldMap({
+                    accountability: this.accountability,
+                    action: 'delete',
+                }, { schema: this.schema, knex: this.knex })),
+            };
+        }
+        const inconsistentFields = {
+            read: await fetchInconsistentFieldMap({
+                accountability: this.accountability,
+                action: 'read',
+            }, { schema: this.schema, knex: this.knex }),
+            create: await fetchInconsistentFieldMap({
+                accountability: this.accountability,
+                action: 'create',
+            }, { schema: this.schema, knex: this.knex }),
+            update: await fetchInconsistentFieldMap({
+                accountability: this.accountability,
+                action: 'update',
+            }, { schema: this.schema, knex: this.knex }),
+            delete: await fetchInconsistentFieldMap({
+                accountability: this.accountability,
+                action: 'delete',
+            }, { schema: this.schema, knex: this.knex }),
         };
         const subscriptionEventType = schemaComposer.createEnumTC({
             name: 'EventEnum',
@@ -300,16 +339,18 @@ export class GraphQLService {
                     name: action === 'read' ? collection.collection : `${action}_${collection.collection}`,
                     fields: Object.values(collection.fields).reduce((acc, field) => {
                         let type = getGraphQLType(field.type, field.special);
+                        const fieldIsInconsistent = inconsistentFields[action][collection.collection]?.includes(field.field);
                         // GraphQL doesn't differentiate between not-null and has-to-be-submitted. We
                         // can't non-null in update, as that would require every not-nullable field to be
                         // submitted on updates
                         if (field.nullable === false &&
                             !field.defaultValue &&
                             !GENERATE_SPECIAL.some((flag) => field.special.includes(flag)) &&
+                            fieldIsInconsistent === false &&
                             action !== 'update') {
                             type = new GraphQLNonNull(type);
                         }
-                        if (collection.primary === field.field) {
+                        if (collection.primary === field.field && fieldIsInconsistent === false) {
                             // permissions IDs need to be nullable https://github.com/directus/directus/issues/20509
                             if (collection.collection === 'directus_permissions') {
                                 type = GraphQLID;
@@ -1762,7 +1803,7 @@ export class GraphQLService {
                         accountability: this.accountability,
                         scope: args['scope'] ?? 'items',
                     });
-                    return service.getSchema('sdl');
+                    return await service.getSchema('sdl');
                 },
             },
             server_ping: {
@@ -1815,7 +1856,7 @@ export class GraphQLService {
                     otp: GraphQLString,
                 },
                 resolve: async (_, args, { req, res }) => {
-                    const accountability = { role: null };
+                    const accountability = createDefaultAccountability();
                     if (req?.ip)
                         accountability.ip = req.ip;
                     const userAgent = req?.get('user-agent');
@@ -1855,7 +1896,7 @@ export class GraphQLService {
                     mode: AuthMode,
                 },
                 resolve: async (_, args, { req, res }) => {
-                    const accountability = { role: null };
+                    const accountability = createDefaultAccountability();
                     if (req?.ip)
                         accountability.ip = req.ip;
                     const userAgent = req?.get('user-agent');
@@ -1913,7 +1954,7 @@ export class GraphQLService {
                     mode: AuthMode,
                 },
                 resolve: async (_, args, { req, res }) => {
-                    const accountability = { role: null };
+                    const accountability = createDefaultAccountability();
                     if (req?.ip)
                         accountability.ip = req.ip;
                     const userAgent = req?.get('user-agent');
@@ -1963,7 +2004,7 @@ export class GraphQLService {
                     reset_url: GraphQLString,
                 },
                 resolve: async (_, args, { req }) => {
-                    const accountability = { role: null };
+                    const accountability = createDefaultAccountability();
                     if (req?.ip)
                         accountability.ip = req.ip;
                     const userAgent = req?.get('user-agent');
@@ -1991,7 +2032,7 @@ export class GraphQLService {
                     password: new GraphQLNonNull(GraphQLString),
                 },
                 resolve: async (_, args, { req }) => {
-                    const accountability = { role: null };
+                    const accountability = createDefaultAccountability();
                     if (req?.ip)
                         accountability.ip = req.ip;
                     const userAgent = req?.get('user-agent');
@@ -2632,6 +2673,69 @@ export class GraphQLService {
                 },
             });
         }
+        if ('directus_permissions' in schema.read.collections) {
+            schemaComposer.Query.addFields({
+                permissions_me: {
+                    type: schemaComposer.createScalarTC({
+                        name: 'permissions_me_type',
+                        parseValue: (value) => value,
+                        serialize: (value) => value,
+                    }),
+                    resolve: async (_, _args, __, _info) => {
+                        if (!this.accountability?.user && !this.accountability?.role)
+                            return null;
+                        const result = await fetchAccountabilityCollectionAccess(this.accountability, {
+                            schema: this.schema,
+                            knex: getDatabase(),
+                        });
+                        return result;
+                    },
+                },
+            });
+        }
+        if ('directus_roles' in schema.read.collections) {
+            schemaComposer.Query.addFields({
+                roles_me: {
+                    type: ReadCollectionTypes['directus_roles'].List,
+                    resolve: async (_, args, __, info) => {
+                        if (!this.accountability?.user && !this.accountability?.role)
+                            return null;
+                        const service = new RolesService({
+                            accountability: this.accountability,
+                            schema: this.schema,
+                        });
+                        const selections = this.replaceFragmentsInSelections(info.fieldNodes[0]?.selectionSet?.selections, info.fragments);
+                        const query = this.getQuery(args, selections || [], info.variableValues);
+                        query.limit = -1;
+                        const roles = await service.readMany(this.accountability.roles, query);
+                        return roles;
+                    },
+                },
+            });
+        }
+        if ('directus_policies' in schema.read.collections) {
+            schemaComposer.Query.addFields({
+                policies_me_globals: {
+                    type: schemaComposer.createObjectTC({
+                        name: 'policy_me_globals_type',
+                        fields: {
+                            enforce_tfa: 'Boolean',
+                            app_access: 'Boolean',
+                            admin_access: 'Boolean',
+                        },
+                    }),
+                    resolve: async (_, _args, __, _info) => {
+                        if (!this.accountability?.user && !this.accountability?.role)
+                            return null;
+                        const result = await fetchAccountabilityPolicyGlobals(this.accountability, {
+                            schema: this.schema,
+                            knex: getDatabase(),
+                        });
+                        return result;
+                    },
+                },
+            });
+        }
         if ('directus_users' in schema.update.collections && this.accountability?.user) {
             schemaComposer.Mutation.addFields({
                 update_users_me: {

package/dist/services/graphql/subscription.js CHANGED Viewed

@@ -1,7 +1,6 @@
 import { EventEmitter, on } from 'events';
 import { useBus } from '../../bus/index.js';
 import { getSchema } from '../../utils/get-schema.js';
-import { refreshAccountability } from '../../websocket/authenticate.js';
 import { getPayload } from '../../websocket/utils/items.js';
 const messages = createPubSub(new EventEmitter());
 export function bindPubSub() {
@@ -19,7 +18,6 @@ export function createSubscriptionGenerator(self, event) {
             if ('event' in args && eventData['action'] !== args['event']) {
                 continue; // skip filtered events
             }
-            const accountability = await refreshAccountability(self.accountability);
             const schema = await getSchema();
             const subscription = {
                 collection: eventData['collection'],
@@ -35,7 +33,7 @@ export function createSubscriptionGenerator(self, event) {
             if (eventData['action'] === 'create') {
                 try {
                     subscription.item = eventData['key'];
-                    const result = await getPayload(subscription, accountability, schema, eventData);
+                    const result = await getPayload(subscription, self.accountability, schema, eventData);
                     yield {
                         [event]: {
                             key: eventData['key'],
@@ -52,7 +50,7 @@ export function createSubscriptionGenerator(self, event) {
                 for (const key of eventData['keys']) {
                     try {
                         subscription.item = key;
-                        const result = await getPayload(subscription, accountability, schema, eventData);
+                        const result = await getPayload(subscription, self.accountability, schema, eventData);
                         yield {
                             [event]: {
                                 key,

package/dist/services/import-export.d.ts CHANGED Viewed

@@ -2,7 +2,7 @@
 import type { Accountability, File, Query, SchemaOverview } from '@directus/types';
 import type { Knex } from 'knex';
 import type { Readable } from 'node:stream';
-import type { AbstractServiceOptions } from '../types/index.js';
+import type { AbstractServiceOptions, FunctionFieldNode, FieldNode, NestedCollectionNode } from '../types/index.js';
 type ExportFormat = 'csv' | 'json' | 'xml' | 'yaml';
 export declare class ImportService {
     knex: Knex;
@@ -32,6 +32,8 @@ export declare class ExportService {
     transform(input: Record<string, any>[], format: ExportFormat, options?: {
         includeHeader?: boolean;
         includeFooter?: boolean;
+        fields?: string[] | null;
     }): string;
 }
+export declare function getHeadingsForCsvExport(nodes: (NestedCollectionNode | FieldNode | FunctionFieldNode)[] | undefined, prefix?: string): string[];
 export {};