@directus/api 21.0.0 → 22.1.0

package/dist/services/items.js

@@ -5,15 +5,18 @@ import { isSystemCollection } from '@directus/system-data';
 import { assign, clone, cloneDeep, omit, pick, without } from 'lodash-es';
 import { getCache } from '../cache.js';
 import { translateDatabaseError } from '../database/errors/translate.js';
+import { getAstFromQuery } from '../database/get-ast-from-query/get-ast-from-query.js';
 import { getHelpers } from '../database/helpers/index.js';
 import getDatabase from '../database/index.js';
-import runAST from '../database/run-ast.js';
+import { runAst } from '../database/run-ast/run-ast.js';
 import emitter from '../emitter.js';
-import getASTFromQuery from '../utils/get-ast-from-query.js';
+import { processAst } from '../permissions/modules/process-ast/process-ast.js';
+import { processPayload } from '../permissions/modules/process-payload/process-payload.js';
+import { validateAccess } from '../permissions/modules/validate-access/validate-access.js';
 import { shouldClearCache } from '../utils/should-clear-cache.js';
 import { transaction } from '../utils/transaction.js';
 import { validateKeys } from '../utils/validate-keys.js';
-import { AuthorizationService } from './authorization.js';
+import { UserIntegrityCheckFlag, validateUserCountIntegrity } from '../utils/validate-user-count-integrity.js';
 import { PayloadService } from './payload.js';
 const env = useEnv();
 export class ItemsService {
@@ -98,17 +101,13 @@ export class ItemsService {
         // that any errors thrown in any nested relational changes will bubble up and cancel the whole
         // update tree
         const primaryKey = await transaction(this.knex, async (trx) => {
-            // We're creating new services instances so they can use the transaction as their Knex interface
-            const payloadService = new PayloadService(this.collection, {
-                accountability: this.accountability,
-                knex: trx,
-                schema: this.schema,
-            });
-            const authorizationService = new AuthorizationService({
+            const serviceOptions = {
                 accountability: this.accountability,
                 knex: trx,
                 schema: this.schema,
-            });
+            };
+            // We're creating new services instances so they can use the transaction as their Knex interface
+            const payloadService = new PayloadService(this.collection, serviceOptions);
             // Run all hooks that are attached to this event so the end user has the chance to augment the
             // item that is about to be saved
             const payloadAfterHooks = opts.emitEvents !== false
@@ -123,13 +122,21 @@ export class ItemsService {
                 })
                 : payload;
             const payloadWithPresets = this.accountability
-                ? authorizationService.validatePayload('create', this.collection, payloadAfterHooks)
+                ? await processPayload({
+                    accountability: this.accountability,
+                    action: 'create',
+                    collection: this.collection,
+                    payload: payloadAfterHooks,
+                }, {
+                    knex: trx,
+                    schema: this.schema,
+                })
                 : payloadAfterHooks;
             if (opts.preMutationError) {
                 throw opts.preMutationError;
             }
-            const { payload: payloadWithM2O, revisions: revisionsM2O, nestedActionEvents: nestedActionEventsM2O, } = await payloadService.processM2O(payloadWithPresets, opts);
-            const { payload: payloadWithA2O, revisions: revisionsA2O, nestedActionEvents: nestedActionEventsA2O, } = await payloadService.processA2O(payloadWithM2O, opts);
+            const { payload: payloadWithM2O, revisions: revisionsM2O, nestedActionEvents: nestedActionEventsM2O, userIntegrityCheckFlags: userIntegrityCheckFlagsM2O, } = await payloadService.processM2O(payloadWithPresets, opts);
+            const { payload: payloadWithA2O, revisions: revisionsA2O, nestedActionEvents: nestedActionEventsA2O, userIntegrityCheckFlags: userIntegrityCheckFlagsA2O, } = await payloadService.processA2O(payloadWithM2O, opts);
             const payloadWithoutAliases = pick(payloadWithA2O, without(fields, ...aliases));
             const payloadWithTypeCasting = await payloadService.processValues('create', payloadWithoutAliases);
             // The primary key can already exist in the payload.
@@ -187,10 +194,22 @@ export class ItemsService {
             }
             // At this point, the primary key is guaranteed to be set.
             primaryKey = primaryKey;
-            const { revisions: revisionsO2M, nestedActionEvents: nestedActionEventsO2M } = await payloadService.processO2M(payloadWithPresets, primaryKey, opts);
+            const { revisions: revisionsO2M, nestedActionEvents: nestedActionEventsO2M, userIntegrityCheckFlags: userIntegrityCheckFlagsO2M, } = await payloadService.processO2M(payloadWithPresets, primaryKey, opts);
             nestedActionEvents.push(...nestedActionEventsM2O);
             nestedActionEvents.push(...nestedActionEventsA2O);
             nestedActionEvents.push(...nestedActionEventsO2M);
+            const userIntegrityCheckFlags = (opts.userIntegrityCheckFlags ?? UserIntegrityCheckFlag.None) |
+                userIntegrityCheckFlagsM2O |
+                userIntegrityCheckFlagsA2O |
+                userIntegrityCheckFlagsO2M;
+            if (userIntegrityCheckFlags) {
+                if (opts.onRequireUserIntegrityCheck) {
+                    opts.onRequireUserIntegrityCheck(userIntegrityCheckFlags);
+                }
+                else {
+                    await validateUserCountIntegrity({ flags: userIntegrityCheckFlags, knex: trx });
+                }
+            }
             // If this is an authenticated action, and accountability tracking is enabled, save activity row
             if (this.accountability && this.schema.collections[this.collection].accountability !== null) {
                 const activityService = new ActivityService({
@@ -281,6 +300,7 @@ export class ItemsService {
             opts.mutationTracker = this.createMutationTracker();
         const { primaryKeys, nestedActionEvents } = await transaction(this.knex, async (knex) => {
             const service = this.fork({ knex });
+            let userIntegrityCheckFlags = opts.userIntegrityCheckFlags ?? UserIntegrityCheckFlag.None;
             const primaryKeys = [];
             const nestedActionEvents = [];
             const pkField = this.schema.collections[this.collection].primary;
@@ -294,12 +314,21 @@ export class ItemsService {
                 const primaryKey = await service.createOne(payload, {
                     ...(opts || {}),
                     autoPurgeCache: false,
+                    onRequireUserIntegrityCheck: (flags) => (userIntegrityCheckFlags |= flags),
                     bypassEmitAction: (params) => nestedActionEvents.push(params),
                     mutationTracker: opts.mutationTracker,
                     bypassAutoIncrementSequenceReset,
                 });
                 primaryKeys.push(primaryKey);
             }
+            if (userIntegrityCheckFlags) {
+                if (opts.onRequireUserIntegrityCheck) {
+                    opts.onRequireUserIntegrityCheck(userIntegrityCheckFlags);
+                }
+                else {
+                    await validateUserCountIntegrity({ flags: userIntegrityCheckFlags, knex });
+                }
+            }
             return { primaryKeys, nestedActionEvents };
         });
         if (opts.emitEvents !== false) {
@@ -332,27 +361,21 @@ export class ItemsService {
                 accountability: this.accountability,
             })
             : query;
-        let ast = await getASTFromQuery(this.collection, updatedQuery, this.schema, {
+        let ast = await getAstFromQuery({
+            collection: this.collection,
+            query: updatedQuery,
             accountability: this.accountability,
-            // By setting the permissions action, you can read items using the permissions for another
-            // operation's permissions. This is used to dynamically check if you have update/delete
-            // access to (a) certain item(s)
-            action: opts?.permissionsAction || 'read',
+        }, {
+            schema: this.schema,
             knex: this.knex,
         });
-        if (this.accountability && this.accountability.admin !== true) {
-            const authorizationService = new AuthorizationService({
-                accountability: this.accountability,
-                knex: this.knex,
-                schema: this.schema,
-            });
-            ast = await authorizationService.processAST(ast, opts?.permissionsAction);
-        }
-        const records = await runAST(ast, this.schema, {
+        ast = await processAst({ ast, action: 'read', accountability: this.accountability }, { knex: this.knex, schema: this.schema });
+        const records = await runAst(ast, this.schema, {
             knex: this.knex,
             // GraphQL requires relational keys to be returned regardless
             stripNonRequested: opts?.stripNonRequested !== undefined ? opts.stripNonRequested : true,
         });
+        // TODO when would this happen?
         if (records === null) {
             throw new ForbiddenError();
         }
@@ -450,13 +473,26 @@ export class ItemsService {
         try {
             await transaction(this.knex, async (knex) => {
                 const service = this.fork({ knex });
+                let userIntegrityCheckFlags = opts.userIntegrityCheckFlags ?? UserIntegrityCheckFlag.None;
                 for (const item of data) {
                     const primaryKey = item[primaryKeyField];
                     if (!primaryKey)
                         throw new InvalidPayloadError({ reason: `Item in update misses primary key` });
-                    const combinedOpts = Object.assign({ autoPurgeCache: false }, opts);
+                    const combinedOpts = {
+                        autoPurgeCache: false,
+                        ...opts,
+                        onRequireUserIntegrityCheck: (flags) => (userIntegrityCheckFlags |= flags),
+                    };
                     keys.push(await service.updateOne(primaryKey, omit(item, primaryKeyField), combinedOpts));
                 }
+                if (userIntegrityCheckFlags) {
+                    if (opts.onRequireUserIntegrityCheck) {
+                        opts.onRequireUserIntegrityCheck(userIntegrityCheckFlags);
+                    }
+                    else {
+                        await validateUserCountIntegrity({ flags: userIntegrityCheckFlags, knex });
+                    }
+                }
             });
         }
         finally {
@@ -485,11 +521,6 @@ export class ItemsService {
             .map((field) => field.field);
         const payload = cloneDeep(data);
         const nestedActionEvents = [];
-        const authorizationService = new AuthorizationService({
-            accountability: this.accountability,
-            knex: this.knex,
-            schema: this.schema,
-        });
         // Run all hooks that are attached to this event so the end user has the chance to augment the
         // item that is about to be saved
         const payloadAfterHooks = opts.emitEvents !== false
@@ -507,10 +538,26 @@ export class ItemsService {
         // Sort keys to ensure that the order is maintained
         keys.sort();
         if (this.accountability) {
-            await authorizationService.checkAccess('update', this.collection, keys);
+            await validateAccess({
+                accountability: this.accountability,
+                action: 'update',
+                collection: this.collection,
+                primaryKeys: keys,
+            }, {
+                schema: this.schema,
+                knex: this.knex,
+            });
         }
         const payloadWithPresets = this.accountability
-            ? authorizationService.validatePayload('update', this.collection, payloadAfterHooks)
+            ? await processPayload({
+                accountability: this.accountability,
+                action: 'update',
+                collection: this.collection,
+                payload: payloadAfterHooks,
+            }, {
+                knex: this.knex,
+                schema: this.schema,
+            })
             : payloadAfterHooks;
         if (opts.preMutationError) {
             throw opts.preMutationError;
@@ -521,8 +568,8 @@ export class ItemsService {
                 knex: trx,
                 schema: this.schema,
             });
-            const { payload: payloadWithM2O, revisions: revisionsM2O, nestedActionEvents: nestedActionEventsM2O, } = await payloadService.processM2O(payloadWithPresets, opts);
-            const { payload: payloadWithA2O, revisions: revisionsA2O, nestedActionEvents: nestedActionEventsA2O, } = await payloadService.processA2O(payloadWithM2O, opts);
+            const { payload: payloadWithM2O, revisions: revisionsM2O, nestedActionEvents: nestedActionEventsM2O, userIntegrityCheckFlags: userIntegrityCheckFlagsM2O, } = await payloadService.processM2O(payloadWithPresets, opts);
+            const { payload: payloadWithA2O, revisions: revisionsA2O, nestedActionEvents: nestedActionEventsA2O, userIntegrityCheckFlags: userIntegrityCheckFlagsA2O, } = await payloadService.processA2O(payloadWithM2O, opts);
             const payloadWithoutAliasAndPK = pick(payloadWithA2O, without(fields, primaryKeyField, ...aliases));
             const payloadWithTypeCasting = await payloadService.processValues('update', payloadWithoutAliasAndPK);
             if (Object.keys(payloadWithTypeCasting).length > 0) {
@@ -534,12 +581,25 @@ export class ItemsService {
                 }
             }
             const childrenRevisions = [...revisionsM2O, ...revisionsA2O];
+            let userIntegrityCheckFlags = opts.userIntegrityCheckFlags ??
+                UserIntegrityCheckFlag.None | userIntegrityCheckFlagsM2O | userIntegrityCheckFlagsA2O;
             nestedActionEvents.push(...nestedActionEventsM2O);
             nestedActionEvents.push(...nestedActionEventsA2O);
             for (const key of keys) {
-                const { revisions, nestedActionEvents: nestedActionEventsO2M } = await payloadService.processO2M(payloadWithA2O, key, opts);
+                const { revisions, nestedActionEvents: nestedActionEventsO2M, userIntegrityCheckFlags: userIntegrityCheckFlagsO2M, } = await payloadService.processO2M(payloadWithA2O, key, opts);
                 childrenRevisions.push(...revisions);
                 nestedActionEvents.push(...nestedActionEventsO2M);
+                userIntegrityCheckFlags |= userIntegrityCheckFlagsO2M;
+            }
+            if (userIntegrityCheckFlags) {
+                if (opts?.onRequireUserIntegrityCheck) {
+                    opts.onRequireUserIntegrityCheck(userIntegrityCheckFlags);
+                }
+                else {
+                    // Having no onRequireUserIntegrityCheck callback indicates that
+                    // this is the top level invocation of the nested updates, so perform the user integrity check
+                    await validateUserCountIntegrity({ flags: userIntegrityCheckFlags, knex: trx });
+                }
             }
             // If this is an authenticated action, and accountability tracking is enabled, save activity row
             if (this.accountability && this.schema.collections[this.collection].accountability !== null) {
@@ -708,13 +768,16 @@ export class ItemsService {
         const { ActivityService } = await import('./activity.js');
         const primaryKeyField = this.schema.collections[this.collection].primary;
         validateKeys(this.schema, this.collection, primaryKeyField, keys);
-        if (this.accountability && this.accountability.admin !== true) {
-            const authorizationService = new AuthorizationService({
+        if (this.accountability) {
+            await validateAccess({
                 accountability: this.accountability,
-                schema: this.schema,
+                action: 'delete',
+                collection: this.collection,
+                primaryKeys: keys,
+            }, {
                 knex: this.knex,
+                schema: this.schema,
             });
-            await authorizationService.checkAccess('delete', this.collection, keys);
         }
         if (opts.preMutationError) {
             throw opts.preMutationError;
@@ -730,6 +793,14 @@ export class ItemsService {
         }
         await transaction(this.knex, async (trx) => {
             await trx(this.collection).whereIn(primaryKeyField, keys).delete();
+            if (opts.userIntegrityCheckFlags) {
+                if (opts.onRequireUserIntegrityCheck) {
+                    opts.onRequireUserIntegrityCheck(opts.userIntegrityCheckFlags);
+                }
+                else {
+                    await validateUserCountIntegrity({ flags: opts.userIntegrityCheckFlags, knex: trx });
+                }
+            }
             if (this.accountability && this.schema.collections[this.collection].accountability !== null) {
                 const activityService = new ActivityService({
                     knex: trx,

package/dist/services/meta.js

@@ -1,5 +1,8 @@
 import getDatabase from '../database/index.js';
-import { ForbiddenError } from '@directus/errors';
+import { fetchPermissions } from '../permissions/lib/fetch-permissions.js';
+import { fetchPolicies } from '../permissions/lib/fetch-policies.js';
+import { dedupeAccess } from '../permissions/modules/process-ast/utils/dedupe-access.js';
+import { validateAccess } from '../permissions/modules/validate-access/validate-access.js';
 import { applyFilter, applySearch } from '../utils/apply-query.js';
 export class MetaService {
     knex;
@@ -28,39 +31,73 @@ export class MetaService {
         }, {});
     }
     async totalCount(collection) {
-        const dbQuery = this.knex(collection).count('*', { as: 'count' }).first();
-        if (this.accountability?.admin !== true) {
-            const permissionsRecord = this.accountability?.permissions?.find((permission) => {
-                return permission.action === 'read' && permission.collection === collection;
-            });
-            if (!permissionsRecord)
-                throw new ForbiddenError();
-            const permissions = permissionsRecord.permissions ?? {};
-            applyFilter(this.knex, this.schema, dbQuery, permissions, collection, {});
+        const dbQuery = this.knex(collection);
+        let hasJoins = false;
+        if (this.accountability && this.accountability.admin === false) {
+            const context = { knex: this.knex, schema: this.schema };
+            await validateAccess({
+                accountability: this.accountability,
+                action: 'read',
+                collection,
+            }, context);
+            const policies = await fetchPolicies(this.accountability, context);
+            const permissions = await fetchPermissions({
+                action: 'read',
+                policies,
+                accountability: this.accountability,
+                ...(collection ? { collections: [collection] } : {}),
+            }, context);
+            const rules = dedupeAccess(permissions);
+            const cases = rules.map(({ rule }) => rule);
+            const filter = {
+                _or: cases,
+            };
+            const result = applyFilter(this.knex, this.schema, dbQuery, filter, collection, {}, cases);
+            hasJoins = result.hasJoins;
+        }
+        if (hasJoins) {
+            const primaryKeyName = this.schema.collections[collection].primary;
+            dbQuery.countDistinct({ count: [`${collection}.${primaryKeyName}`] });
+        }
+        else {
+            dbQuery.count('*', { as: 'count' });
         }
-        const result = await dbQuery;
+        const result = await dbQuery.first();
         return Number(result?.count ?? 0);
     }
     async filterCount(collection, query) {
         const dbQuery = this.knex(collection);
         let filter = query.filter || {};
         let hasJoins = false;
-        if (this.accountability?.admin !== true) {
-            const permissionsRecord = this.accountability?.permissions?.find((permission) => {
-                return permission.action === 'read' && permission.collection === collection;
-            });
-            if (!permissionsRecord)
-                throw new ForbiddenError();
-            const permissions = permissionsRecord.permissions ?? {};
+        let cases = [];
+        if (this.accountability && this.accountability.admin === false) {
+            const context = { knex: this.knex, schema: this.schema };
+            await validateAccess({
+                accountability: this.accountability,
+                action: 'read',
+                collection,
+            }, context);
+            const policies = await fetchPolicies(this.accountability, context);
+            const permissions = await fetchPermissions({
+                action: 'read',
+                policies,
+                accountability: this.accountability,
+                ...(collection ? { collections: [collection] } : {}),
+            }, context);
+            const rules = dedupeAccess(permissions);
+            cases = rules.map(({ rule }) => rule);
+            const permissionsFilter = {
+                _or: cases,
+            };
             if (Object.keys(filter).length > 0) {
-                filter = { _and: [permissions, filter] };
+                filter = { _and: [permissionsFilter, filter] };
             }
             else {
-                filter = permissions;
+                filter = permissionsFilter;
             }
         }
         if (Object.keys(filter).length > 0) {
-            ({ hasJoins } = applyFilter(this.knex, this.schema, dbQuery, filter, collection, {}));
+            ({ hasJoins } = applyFilter(this.knex, this.schema, dbQuery, filter, collection, {}, cases));
         }
         if (query.search) {
             applySearch(this.knex, this.schema, dbQuery, query.search, collection);
@@ -72,7 +109,7 @@ export class MetaService {
         else {
             dbQuery.count('*', { as: 'count' });
         }
-        const records = await dbQuery;
-        return Number(records[0]['count']);
+        const result = await dbQuery.first();
+        return Number(result?.count ?? 0);
     }
 }

package/dist/services/notifications.js

@@ -1,5 +1,7 @@
 import { useEnv } from '@directus/env';
 import { useLogger } from '../logger/index.js';
+import { fetchRolesTree } from '../permissions/lib/fetch-roles-tree.js';
+import { fetchGlobalAccess } from '../permissions/modules/fetch-global-access/fetch-global-access.js';
 import { md } from '../utils/md.js';
 import { Url } from '../utils/url.js';
 import { ItemsService } from './items.js';
@@ -23,18 +25,24 @@ export class NotificationsService extends ItemsService {
     async sendEmail(data) {
         if (data.recipient) {
             const user = await this.usersService.readOne(data.recipient, {
-                fields: ['id', 'email', 'email_notifications', 'role.app_access'],
+                fields: ['id', 'email', 'email_notifications', 'role'],
             });
-            const manageUserAccountUrl = new Url(env['PUBLIC_URL'])
-                .addPath('admin', 'users', user['id'])
-                .toString();
-            const html = data.message ? md(data.message) : '';
             if (user['email'] && user['email_notifications'] === true) {
+                const manageUserAccountUrl = new Url(env['PUBLIC_URL'])
+                    .addPath('admin', 'users', user['id'])
+                    .toString();
+                const html = data.message ? md(data.message) : '';
+                const roles = await fetchRolesTree(user['role'], this.knex);
+                const { app: app_access } = await fetchGlobalAccess({
+                    user: user['id'],
+                    roles,
+                    ip: null,
+                }, this.knex);
                 this.mailService
                     .send({
                     template: {
                         name: 'base',
-                        data: user['role']?.app_access ? { url: manageUserAccountUrl, html } : { html },
+                        data: app_access ? { url: manageUserAccountUrl, html } : { html },
                     },
                     to: user['email'],
                     subject: data.subject,

package/dist/services/payload.d.ts

@@ -2,6 +2,7 @@ import type { Accountability, Item, PrimaryKey, SchemaOverview } from '@directus
 import type { Knex } from 'knex';
 import type { Helpers } from '../database/helpers/index.js';
 import type { AbstractServiceOptions, ActionEventParams, MutationOptions } from '../types/index.js';
+import { UserIntegrityCheckFlag } from '../utils/validate-user-count-integrity.js';
 type Action = 'create' | 'read' | 'update';
 type Transformers = {
     [type: string]: (context: {
@@ -13,6 +14,11 @@ type Transformers = {
         helpers: Helpers;
     }) => Promise<any>;
 };
+type PayloadServiceProcessRelationResult = {
+    revisions: PrimaryKey[];
+    nestedActionEvents: ActionEventParams[];
+    userIntegrityCheckFlags: UserIntegrityCheckFlag;
+};
 /**
  * Process a given payload for a collection to ensure the special fields (hash, uuid, date etc) are
  * handled correctly.
@@ -46,26 +52,19 @@ export declare class PayloadService {
     /**
      * Recursively save/update all nested related Any-to-One items
      */
-    processA2O(data: Partial<Item>, opts?: MutationOptions): Promise<{
+    processA2O(data: Partial<Item>, opts?: MutationOptions): Promise<PayloadServiceProcessRelationResult & {
         payload: Partial<Item>;
-        revisions: PrimaryKey[];
-        nestedActionEvents: ActionEventParams[];
     }>;
     /**
      * Save/update all nested related m2o items inside the payload
      */
-    processM2O(data: Partial<Item>, opts?: MutationOptions): Promise<{
+    processM2O(data: Partial<Item>, opts?: MutationOptions): Promise<PayloadServiceProcessRelationResult & {
         payload: Partial<Item>;
-        revisions: PrimaryKey[];
-        nestedActionEvents: ActionEventParams[];
     }>;
     /**
      * Recursively save/update all nested related o2m items
      */
-    processO2M(data: Partial<Item>, parent: PrimaryKey, opts?: MutationOptions): Promise<{
-        revisions: PrimaryKey[];
-        nestedActionEvents: ActionEventParams[];
-    }>;
+    processO2M(data: Partial<Item>, parent: PrimaryKey, opts?: MutationOptions): Promise<PayloadServiceProcessRelationResult>;
     /**
      * Transforms the input partial payload to match the output structure, to have consistency
      * between delta and data

package/dist/services/payload.js

@@ -9,6 +9,7 @@ import { parse as wktToGeoJSON } from 'wellknown';
 import { getHelpers } from '../database/helpers/index.js';
 import getDatabase from '../database/index.js';
 import { generateHash } from '../utils/generate-hash.js';
+import { UserIntegrityCheckFlag } from '../utils/validate-user-count-integrity.js';
 /**
  * Process a given payload for a collection to ensure the special fields (hash, uuid, date etc) are
  * handled correctly.
@@ -317,6 +318,7 @@ export class PayloadService {
             return relation.collection === this.collection;
         });
         const revisions = [];
+        let userIntegrityCheckFlags = UserIntegrityCheckFlag.None;
         const nestedActionEvents = [];
         const payload = cloneDeep(data);
         // Only process related records that are actually in the payload
@@ -362,6 +364,7 @@ export class PayloadService {
                 if (Object.keys(fieldsToUpdate).length > 0) {
                     await service.updateOne(relatedPrimaryKey, relatedRecord, {
                         onRevisionCreate: (pk) => revisions.push(pk),
+                        onRequireUserIntegrityCheck: (flags) => (userIntegrityCheckFlags |= flags),
                         bypassEmitAction: (params) => opts?.bypassEmitAction ? opts.bypassEmitAction(params) : nestedActionEvents.push(params),
                         emitEvents: opts?.emitEvents,
                         mutationTracker: opts?.mutationTracker,
@@ -371,6 +374,7 @@ export class PayloadService {
             else {
                 relatedPrimaryKey = await service.createOne(relatedRecord, {
                     onRevisionCreate: (pk) => revisions.push(pk),
+                    onRequireUserIntegrityCheck: (flags) => (userIntegrityCheckFlags |= flags),
                     bypassEmitAction: (params) => opts?.bypassEmitAction ? opts.bypassEmitAction(params) : nestedActionEvents.push(params),
                     emitEvents: opts?.emitEvents,
                     mutationTracker: opts?.mutationTracker,
@@ -379,7 +383,7 @@ export class PayloadService {
             // Overwrite the nested object with just the primary key, so the parent level can be saved correctly
             payload[relation.field] = relatedPrimaryKey;
         }
-        return { payload, revisions, nestedActionEvents };
+        return { payload, revisions, nestedActionEvents, userIntegrityCheckFlags };
     }
     /**
      * Save/update all nested related m2o items inside the payload
@@ -388,6 +392,7 @@ export class PayloadService {
         const payload = cloneDeep(data);
         // All the revisions saved on this level
         const revisions = [];
+        let userIntegrityCheckFlags = UserIntegrityCheckFlag.None;
         const nestedActionEvents = [];
         // Many to one relations that exist on the current collection
         const relations = this.schema.relations.filter((relation) => {
@@ -424,6 +429,7 @@ export class PayloadService {
                 if (Object.keys(fieldsToUpdate).length > 0) {
                     await service.updateOne(relatedPrimaryKey, relatedRecord, {
                         onRevisionCreate: (pk) => revisions.push(pk),
+                        onRequireUserIntegrityCheck: (flags) => (userIntegrityCheckFlags |= flags),
                         bypassEmitAction: (params) => opts?.bypassEmitAction ? opts.bypassEmitAction(params) : nestedActionEvents.push(params),
                         emitEvents: opts?.emitEvents,
                         mutationTracker: opts?.mutationTracker,
@@ -433,6 +439,7 @@ export class PayloadService {
             else {
                 relatedPrimaryKey = await service.createOne(relatedRecord, {
                     onRevisionCreate: (pk) => revisions.push(pk),
+                    onRequireUserIntegrityCheck: (flags) => (userIntegrityCheckFlags |= flags),
                     bypassEmitAction: (params) => opts?.bypassEmitAction ? opts.bypassEmitAction(params) : nestedActionEvents.push(params),
                     emitEvents: opts?.emitEvents,
                     mutationTracker: opts?.mutationTracker,
@@ -441,13 +448,14 @@ export class PayloadService {
             // Overwrite the nested object with just the primary key, so the parent level can be saved correctly
             payload[relation.field] = relatedPrimaryKey;
         }
-        return { payload, revisions, nestedActionEvents };
+        return { payload, revisions, nestedActionEvents, userIntegrityCheckFlags };
     }
     /**
      * Recursively save/update all nested related o2m items
      */
     async processO2M(data, parent, opts) {
         const revisions = [];
+        let userIntegrityCheckFlags = UserIntegrityCheckFlag.None;
         const nestedActionEvents = [];
         const relations = this.schema.relations.filter((relation) => {
             return relation.related_collection === this.collection;
@@ -516,6 +524,7 @@ export class PayloadService {
                 }
                 savedPrimaryKeys.push(...(await service.upsertMany(recordsToUpsert, {
                     onRevisionCreate: (pk) => revisions.push(pk),
+                    onRequireUserIntegrityCheck: (flags) => (userIntegrityCheckFlags |= flags),
                     bypassEmitAction: (params) => opts?.bypassEmitAction ? opts.bypassEmitAction(params) : nestedActionEvents.push(params),
                     emitEvents: opts?.emitEvents,
                     mutationTracker: opts?.mutationTracker,
@@ -540,6 +549,7 @@ export class PayloadService {
                 if (relation.meta.one_deselect_action === 'delete') {
                     // There's no revision for a deletion
                     await service.deleteByQuery(query, {
+                        onRequireUserIntegrityCheck: (flags) => (userIntegrityCheckFlags |= flags),
                         bypassEmitAction: (params) => opts?.bypassEmitAction ? opts.bypassEmitAction(params) : nestedActionEvents.push(params),
                         emitEvents: opts?.emitEvents,
                         mutationTracker: opts?.mutationTracker,
@@ -548,6 +558,7 @@ export class PayloadService {
                 else {
                     await service.updateByQuery(query, { [relation.field]: null }, {
                         onRevisionCreate: (pk) => revisions.push(pk),
+                        onRequireUserIntegrityCheck: (flags) => (userIntegrityCheckFlags |= flags),
                         bypassEmitAction: (params) => opts?.bypassEmitAction ? opts.bypassEmitAction(params) : nestedActionEvents.push(params),
                         emitEvents: opts?.emitEvents,
                         mutationTracker: opts?.mutationTracker,
@@ -590,6 +601,7 @@ export class PayloadService {
                     }
                     await service.createMany(createPayload, {
                         onRevisionCreate: (pk) => revisions.push(pk),
+                        onRequireUserIntegrityCheck: (flags) => (userIntegrityCheckFlags |= flags),
                         bypassEmitAction: (params) => opts?.bypassEmitAction ? opts.bypassEmitAction(params) : nestedActionEvents.push(params),
                         emitEvents: opts?.emitEvents,
                         mutationTracker: opts?.mutationTracker,
@@ -603,6 +615,7 @@ export class PayloadService {
                             [relation.field]: parent || payload[currentPrimaryKeyField],
                         }, {
                             onRevisionCreate: (pk) => revisions.push(pk),
+                            onRequireUserIntegrityCheck: (flags) => (userIntegrityCheckFlags |= flags),
                             bypassEmitAction: (params) => opts?.bypassEmitAction ? opts.bypassEmitAction(params) : nestedActionEvents.push(params),
                             emitEvents: opts?.emitEvents,
                             mutationTracker: opts?.mutationTracker,
@@ -628,6 +641,7 @@ export class PayloadService {
                     };
                     if (relation.meta.one_deselect_action === 'delete') {
                         await service.deleteByQuery(query, {
+                            onRequireUserIntegrityCheck: (flags) => (userIntegrityCheckFlags |= flags),
                             bypassEmitAction: (params) => opts?.bypassEmitAction ? opts.bypassEmitAction(params) : nestedActionEvents.push(params),
                             emitEvents: opts?.emitEvents,
                             mutationTracker: opts?.mutationTracker,
@@ -636,6 +650,7 @@ export class PayloadService {
                     else {
                         await service.updateByQuery(query, { [relation.field]: null }, {
                             onRevisionCreate: (pk) => revisions.push(pk),
+                            onRequireUserIntegrityCheck: (flags) => (userIntegrityCheckFlags |= flags),
                             bypassEmitAction: (params) => opts?.bypassEmitAction ? opts.bypassEmitAction(params) : nestedActionEvents.push(params),
                             emitEvents: opts?.emitEvents,
                             mutationTracker: opts?.mutationTracker,
@@ -644,7 +659,7 @@ export class PayloadService {
                 }
             }
         }
-        return { revisions, nestedActionEvents };
+        return { revisions, nestedActionEvents, userIntegrityCheckFlags };
     }
     /**
      * Transforms the input partial payload to match the output structure, to have consistency