npm - @directus/api - Versions diffs - 21.0.0 → 22.1.0 - Mend

@directus/api 21.0.0 → 22.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (299) hide show

package/dist/services/graphql/index.js CHANGED Viewed

@@ -11,6 +11,9 @@ import { clearSystemCache, getCache } from '../../cache.js';
 import { DEFAULT_AUTH_PROVIDER, GENERATE_SPECIAL, REFRESH_COOKIE_OPTIONS, SESSION_COOKIE_OPTIONS, } from '../../constants.js';
 import getDatabase from '../../database/index.js';
 import { rateLimiter } from '../../middleware/rate-limiter-registration.js';
+import { fetchAllowedFieldMap } from '../../permissions/modules/fetch-allowed-field-map/fetch-allowed-field-map.js';
+import { fetchInconsistentFieldMap } from '../../permissions/modules/fetch-inconsistent-field-map/fetch-inconsistent-field-map.js';
+import { createDefaultAccountability } from '../../permissions/utils/create-default-accountability.js';
 import { generateHash } from '../../utils/generate-hash.js';
 import { getGraphQLType } from '../../utils/get-graphql-type.js';
 import { getIPFromReq } from '../../utils/get-ip-from-req.js';
@@ -48,6 +51,9 @@ import { GraphQLVoid } from './types/void.js';
 import { addPathToValidationError } from './utils/add-path-to-validation-error.js';
 import processError from './utils/process-error.js';
 import { sanitizeGraphqlSchema } from './utils/sanitize-gql-schema.js';
+import { fetchAccountabilityCollectionAccess } from '../../permissions/modules/fetch-accountability-collection-access/fetch-accountability-collection-access.js';
+import { fetchAccountabilityPolicyGlobals } from '../../permissions/modules/fetch-accountability-policy-globals/fetch-accountability-policy-globals.js';
+import { RolesService } from '../roles.js';
 const env = useEnv();
 const validationRules = Array.from(specifiedRules);
 if (env['GRAPHQL_INTROSPECTION'] === false) {
@@ -80,7 +86,7 @@ export class GraphQLService {
      * Execute a GraphQL structure
      */
     async execute({ document, variables, operationName, contextValue, }) {
-        const schema = this.getSchema();
+        const schema = await this.getSchema();
         const validationErrors = validate(schema, document, validationRules).map((validationError) => addPathToValidationError(validationError));
         if (validationErrors.length > 0) {
             throw new GraphQLValidationError({ errors: validationErrors });
@@ -108,7 +114,7 @@ export class GraphQLService {
             formattedResult.extensions = result['extensions'];
         return formattedResult;
     }
-    getSchema(type = 'schema') {
+    async getSchema(type = 'schema') {
         const key = `${this.scope}_${type}_${this.accountability?.role}_${this.accountability?.user}`;
         const cachedSchema = cache.get(key);
         if (cachedSchema)
@@ -116,20 +122,53 @@ export class GraphQLService {
         // eslint-disable-next-line @typescript-eslint/no-this-alias
         const self = this;
         const schemaComposer = new SchemaComposer();
+        let schema;
         const sanitizedSchema = sanitizeGraphqlSchema(this.schema);
-        const schema = {
-            read: this.accountability?.admin === true
-                ? sanitizedSchema
-                : reduceSchema(sanitizedSchema, this.accountability?.permissions || null, ['read']),
-            create: this.accountability?.admin === true
-                ? sanitizedSchema
-                : reduceSchema(sanitizedSchema, this.accountability?.permissions || null, ['create']),
-            update: this.accountability?.admin === true
-                ? sanitizedSchema
-                : reduceSchema(sanitizedSchema, this.accountability?.permissions || null, ['update']),
-            delete: this.accountability?.admin === true
-                ? sanitizedSchema
-                : reduceSchema(sanitizedSchema, this.accountability?.permissions || null, ['delete']),
+        if (!this.accountability || this.accountability.admin) {
+            schema = {
+                read: sanitizedSchema,
+                create: sanitizedSchema,
+                update: sanitizedSchema,
+                delete: sanitizedSchema,
+            };
+        }
+        else {
+            schema = {
+                read: reduceSchema(sanitizedSchema, await fetchAllowedFieldMap({
+                    accountability: this.accountability,
+                    action: 'read',
+                }, { schema: this.schema, knex: this.knex })),
+                create: reduceSchema(sanitizedSchema, await fetchAllowedFieldMap({
+                    accountability: this.accountability,
+                    action: 'create',
+                }, { schema: this.schema, knex: this.knex })),
+                update: reduceSchema(sanitizedSchema, await fetchAllowedFieldMap({
+                    accountability: this.accountability,
+                    action: 'update',
+                }, { schema: this.schema, knex: this.knex })),
+                delete: reduceSchema(sanitizedSchema, await fetchAllowedFieldMap({
+                    accountability: this.accountability,
+                    action: 'delete',
+                }, { schema: this.schema, knex: this.knex })),
+            };
+        }
+        const inconsistentFields = {
+            read: await fetchInconsistentFieldMap({
+                accountability: this.accountability,
+                action: 'read',
+            }, { schema: this.schema, knex: this.knex }),
+            create: await fetchInconsistentFieldMap({
+                accountability: this.accountability,
+                action: 'create',
+            }, { schema: this.schema, knex: this.knex }),
+            update: await fetchInconsistentFieldMap({
+                accountability: this.accountability,
+                action: 'update',
+            }, { schema: this.schema, knex: this.knex }),
+            delete: await fetchInconsistentFieldMap({
+                accountability: this.accountability,
+                action: 'delete',
+            }, { schema: this.schema, knex: this.knex }),
         };
         const subscriptionEventType = schemaComposer.createEnumTC({
             name: 'EventEnum',
@@ -300,16 +339,18 @@ export class GraphQLService {
                     name: action === 'read' ? collection.collection : `${action}_${collection.collection}`,
                     fields: Object.values(collection.fields).reduce((acc, field) => {
                         let type = getGraphQLType(field.type, field.special);
+                        const fieldIsInconsistent = inconsistentFields[action][collection.collection]?.includes(field.field);
                         // GraphQL doesn't differentiate between not-null and has-to-be-submitted. We
                         // can't non-null in update, as that would require every not-nullable field to be
                         // submitted on updates
                         if (field.nullable === false &&
                             !field.defaultValue &&
                             !GENERATE_SPECIAL.some((flag) => field.special.includes(flag)) &&
+                            fieldIsInconsistent === false &&
                             action !== 'update') {
                             type = new GraphQLNonNull(type);
                         }
-                        if (collection.primary === field.field) {
+                        if (collection.primary === field.field && fieldIsInconsistent === false) {
                             // permissions IDs need to be nullable https://github.com/directus/directus/issues/20509
                             if (collection.collection === 'directus_permissions') {
                                 type = GraphQLID;
@@ -1762,7 +1803,7 @@ export class GraphQLService {
                         accountability: this.accountability,
                         scope: args['scope'] ?? 'items',
                     });
-                    return service.getSchema('sdl');
+                    return await service.getSchema('sdl');
                 },
             },
             server_ping: {
@@ -1815,7 +1856,7 @@ export class GraphQLService {
                     otp: GraphQLString,
                 },
                 resolve: async (_, args, { req, res }) => {
-                    const accountability = { role: null };
+                    const accountability = createDefaultAccountability();
                     if (req?.ip)
                         accountability.ip = req.ip;
                     const userAgent = req?.get('user-agent');
@@ -1855,7 +1896,7 @@ export class GraphQLService {
                     mode: AuthMode,
                 },
                 resolve: async (_, args, { req, res }) => {
-                    const accountability = { role: null };
+                    const accountability = createDefaultAccountability();
                     if (req?.ip)
                         accountability.ip = req.ip;
                     const userAgent = req?.get('user-agent');
@@ -1913,7 +1954,7 @@ export class GraphQLService {
                     mode: AuthMode,
                 },
                 resolve: async (_, args, { req, res }) => {
-                    const accountability = { role: null };
+                    const accountability = createDefaultAccountability();
                     if (req?.ip)
                         accountability.ip = req.ip;
                     const userAgent = req?.get('user-agent');
@@ -1963,7 +2004,7 @@ export class GraphQLService {
                     reset_url: GraphQLString,
                 },
                 resolve: async (_, args, { req }) => {
-                    const accountability = { role: null };
+                    const accountability = createDefaultAccountability();
                     if (req?.ip)
                         accountability.ip = req.ip;
                     const userAgent = req?.get('user-agent');
@@ -1991,7 +2032,7 @@ export class GraphQLService {
                     password: new GraphQLNonNull(GraphQLString),
                 },
                 resolve: async (_, args, { req }) => {
-                    const accountability = { role: null };
+                    const accountability = createDefaultAccountability();
                     if (req?.ip)
                         accountability.ip = req.ip;
                     const userAgent = req?.get('user-agent');
@@ -2632,6 +2673,69 @@ export class GraphQLService {
                 },
             });
         }
+        if ('directus_permissions' in schema.read.collections) {
+            schemaComposer.Query.addFields({
+                permissions_me: {
+                    type: schemaComposer.createScalarTC({
+                        name: 'permissions_me_type',
+                        parseValue: (value) => value,
+                        serialize: (value) => value,
+                    }),
+                    resolve: async (_, _args, __, _info) => {
+                        if (!this.accountability?.user && !this.accountability?.role)
+                            return null;
+                        const result = await fetchAccountabilityCollectionAccess(this.accountability, {
+                            schema: this.schema,
+                            knex: getDatabase(),
+                        });
+                        return result;
+                    },
+                },
+            });
+        }
+        if ('directus_roles' in schema.read.collections) {
+            schemaComposer.Query.addFields({
+                roles_me: {
+                    type: ReadCollectionTypes['directus_roles'].List,
+                    resolve: async (_, args, __, info) => {
+                        if (!this.accountability?.user && !this.accountability?.role)
+                            return null;
+                        const service = new RolesService({
+                            accountability: this.accountability,
+                            schema: this.schema,
+                        });
+                        const selections = this.replaceFragmentsInSelections(info.fieldNodes[0]?.selectionSet?.selections, info.fragments);
+                        const query = this.getQuery(args, selections || [], info.variableValues);
+                        query.limit = -1;
+                        const roles = await service.readMany(this.accountability.roles, query);
+                        return roles;
+                    },
+                },
+            });
+        }
+        if ('directus_policies' in schema.read.collections) {
+            schemaComposer.Query.addFields({
+                policies_me_globals: {
+                    type: schemaComposer.createObjectTC({
+                        name: 'policy_me_globals_type',
+                        fields: {
+                            enforce_tfa: 'Boolean',
+                            app_access: 'Boolean',
+                            admin_access: 'Boolean',
+                        },
+                    }),
+                    resolve: async (_, _args, __, _info) => {
+                        if (!this.accountability?.user && !this.accountability?.role)
+                            return null;
+                        const result = await fetchAccountabilityPolicyGlobals(this.accountability, {
+                            schema: this.schema,
+                            knex: getDatabase(),
+                        });
+                        return result;
+                    },
+                },
+            });
+        }
         if ('directus_users' in schema.update.collections && this.accountability?.user) {
             schemaComposer.Mutation.addFields({
                 update_users_me: {

package/dist/services/graphql/subscription.js CHANGED Viewed

@@ -1,7 +1,6 @@
 import { EventEmitter, on } from 'events';
 import { useBus } from '../../bus/index.js';
 import { getSchema } from '../../utils/get-schema.js';
-import { refreshAccountability } from '../../websocket/authenticate.js';
 import { getPayload } from '../../websocket/utils/items.js';
 const messages = createPubSub(new EventEmitter());
 export function bindPubSub() {
@@ -19,7 +18,6 @@ export function createSubscriptionGenerator(self, event) {
             if ('event' in args && eventData['action'] !== args['event']) {
                 continue; // skip filtered events
             }
-            const accountability = await refreshAccountability(self.accountability);
             const schema = await getSchema();
             const subscription = {
                 collection: eventData['collection'],
@@ -35,7 +33,7 @@ export function createSubscriptionGenerator(self, event) {
             if (eventData['action'] === 'create') {
                 try {
                     subscription.item = eventData['key'];
-                    const result = await getPayload(subscription, accountability, schema, eventData);
+                    const result = await getPayload(subscription, self.accountability, schema, eventData);
                     yield {
                         [event]: {
                             key: eventData['key'],
@@ -52,7 +50,7 @@ export function createSubscriptionGenerator(self, event) {
                 for (const key of eventData['keys']) {
                     try {
                         subscription.item = key;
-                        const result = await getPayload(subscription, accountability, schema, eventData);
+                        const result = await getPayload(subscription, self.accountability, schema, eventData);
                         yield {
                             [event]: {
                                 key,

package/dist/services/import-export.d.ts CHANGED Viewed

@@ -2,7 +2,7 @@
 import type { Accountability, File, Query, SchemaOverview } from '@directus/types';
 import type { Knex } from 'knex';
 import type { Readable } from 'node:stream';
-import type { AbstractServiceOptions } from '../types/index.js';
+import type { AbstractServiceOptions, FunctionFieldNode, FieldNode, NestedCollectionNode } from '../types/index.js';
 type ExportFormat = 'csv' | 'json' | 'xml' | 'yaml';
 export declare class ImportService {
     knex: Knex;
@@ -32,6 +32,8 @@ export declare class ExportService {
     transform(input: Record<string, any>[], format: ExportFormat, options?: {
         includeHeader?: boolean;
         includeFooter?: boolean;
+        fields?: string[] | null;
     }): string;
 }
+export declare function getHeadingsForCsvExport(nodes: (NestedCollectionNode | FieldNode | FunctionFieldNode)[] | undefined, prefix?: string): string[];
 export {};

package/dist/services/import-export.js CHANGED Viewed

@@ -15,6 +15,7 @@ import StreamArray from 'stream-json/streamers/StreamArray.js';
 import getDatabase from '../database/index.js';
 import emitter from '../emitter.js';
 import { useLogger } from '../logger/index.js';
+import { validateAccess } from '../permissions/modules/validate-access/validate-access.js';
 import { getDateFormatted } from '../utils/get-date-formatted.js';
 import { getService } from '../utils/get-service.js';
 import { transaction } from '../utils/transaction.js';
@@ -23,6 +24,7 @@ import { userName } from '../utils/user-name.js';
 import { FilesService } from './files.js';
 import { NotificationsService } from './notifications.js';
 import { UsersService } from './users.js';
+import { parseFields } from '../database/get-ast-from-query/lib/parse-fields.js';
 const env = useEnv();
 const logger = useLogger();
 export class ImportService {
@@ -37,10 +39,23 @@ export class ImportService {
     async import(collection, mimetype, stream) {
         if (this.accountability?.admin !== true && isSystemCollection(collection))
             throw new ForbiddenError();
-        const createPermissions = this.accountability?.permissions?.find((permission) => permission.collection === collection && permission.action === 'create');
-        const updatePermissions = this.accountability?.permissions?.find((permission) => permission.collection === collection && permission.action === 'update');
-        if (this.accountability?.admin !== true && (!createPermissions || !updatePermissions)) {
-            throw new ForbiddenError();
+        if (this.accountability) {
+            await validateAccess({
+                accountability: this.accountability,
+                action: 'create',
+                collection,
+            }, {
+                schema: this.schema,
+                knex: this.knex,
+            });
+            await validateAccess({
+                accountability: this.accountability,
+                action: 'update',
+                collection,
+            }, {
+                schema: this.schema,
+                knex: this.knex,
+            });
         }
         switch (mimetype) {
             case 'application/json':
@@ -248,9 +263,26 @@ export class ExportService {
                     });
                     readCount += result.length;
                     if (result.length) {
+                        let csvHeadings = null;
+                        if (format === 'csv') {
+                            if (!query.fields)
+                                query.fields = ['*'];
+                            // to ensure the all headings are included in the CSV file, all possible fields need to be determined.
+                            const parsedFields = await parseFields({
+                                parentCollection: collection,
+                                fields: query.fields,
+                                query: query,
+                                accountability: this.accountability,
+                            }, {
+                                schema: this.schema,
+                                knex: database,
+                            });
+                            csvHeadings = getHeadingsForCsvExport(parsedFields);
+                        }
                         await appendFile(tmpFile.path, this.transform(result, format, {
                             includeHeader: batch === 0,
                             includeFooter: batch + 1 === batchesRequired,
+                            fields: csvHeadings,
                         }));
                     }
                 }
@@ -345,11 +377,12 @@ Your export of ${collection} is ready. <a href="${href}">Click here to view.</a>
         if (format === 'csv') {
             if (input.length === 0)
                 return '';
-            const parser = new CSVParser({
-                transforms: [CSVTransforms.flatten({ separator: '.' })],
-                header: options?.includeHeader !== false,
-            });
-            let string = parser.parse(input);
+            const transforms = [CSVTransforms.flatten({ separator: '.' })];
+            const header = options?.includeHeader !== false;
+            const transformOptions = options?.fields
+                ? { transforms, header, fields: options?.fields }
+                : { transforms, header };
+            let string = new CSVParser(transformOptions).parse(input);
             if (options?.includeHeader === false) {
                 string = '\n' + string;
             }
@@ -361,3 +394,28 @@ Your export of ${collection} is ready. <a href="${href}">Click here to view.</a>
         throw new ServiceUnavailableError({ service: 'export', reason: `Illegal export type used: "${format}"` });
     }
 }
+/*
+ * Recursive function to traverse the field nodes, to determine the headings for the CSV export file.
+ *
+ * Relational nodes which target a single item get expanded, which means that their nested fields get their own column in the csv file.
+ * For relational nodes which target a multiple items, the nested field names are not going to be expanded.
+ * Instead they will be stored as a single value/cell of the CSV file.
+ */
+export function getHeadingsForCsvExport(nodes, prefix = '') {
+    let fieldNames = [];
+    if (!nodes)
+        return fieldNames;
+    nodes.forEach((node) => {
+        switch (node.type) {
+            case 'field':
+            case 'functionField':
+            case 'o2m':
+            case 'a2o':
+                fieldNames.push(prefix ? `${prefix}.${node.fieldKey}` : node.fieldKey);
+                break;
+            case 'm2o':
+                fieldNames = fieldNames.concat(getHeadingsForCsvExport(node.children, prefix ? `${prefix}.${node.fieldKey}` : node.fieldKey));
+        }
+    });
+    return fieldNames;
+}

package/dist/services/index.d.ts CHANGED Viewed

@@ -1,7 +1,7 @@
+export * from './access.js';
 export * from './activity.js';
 export * from './assets.js';
 export * from './authentication.js';
-export * from './authorization.js';
 export * from './collections.js';
 export * from './dashboards.js';
 export * from './extensions.js';
@@ -18,7 +18,8 @@ export * from './notifications.js';
 export * from './operations.js';
 export * from './panels.js';
 export * from './payload.js';
-export * from './permissions/index.js';
+export * from './permissions.js';
+export * from './policies.js';
 export * from './presets.js';
 export * from './relations.js';
 export * from './revisions.js';

package/dist/services/index.js CHANGED Viewed

@@ -1,7 +1,7 @@
+export * from './access.js';
 export * from './activity.js';
 export * from './assets.js';
 export * from './authentication.js';
-export * from './authorization.js';
 export * from './collections.js';
 export * from './dashboards.js';
 export * from './extensions.js';
@@ -18,7 +18,8 @@ export * from './notifications.js';
 export * from './operations.js';
 export * from './panels.js';
 export * from './payload.js';
-export * from './permissions/index.js';
+export * from './permissions.js';
+export * from './policies.js';
 export * from './presets.js';
 export * from './relations.js';
 export * from './revisions.js';