npm - @directus/api - Versions diffs - 21.0.0 → 22.1.0 - Mend

@directus/api 21.0.0 → 22.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (299) hide show

package/dist/services/{permissions/index.d.ts → permissions.d.ts} RENAMED Viewed

@@ -1,12 +1,10 @@
-import type { Item, ItemPermissions, PermissionsAction, PrimaryKey, Query } from '@directus/types';
-import type Keyv from 'keyv';
-import type { AbstractServiceOptions, MutationOptions } from '../../types/index.js';
-import type { QueryOptions } from '../items.js';
-import { ItemsService } from '../items.js';
+import type { Item, ItemPermissions, PrimaryKey, Query } from '@directus/types';
+import type { AbstractServiceOptions, MutationOptions } from '../types/index.js';
+import type { QueryOptions } from './items.js';
+import { ItemsService } from './items.js';
 export declare class PermissionsService extends ItemsService {
-    systemCache: Keyv<any>;
     constructor(options: AbstractServiceOptions);
-    getAllowedFields(action: PermissionsAction, collection?: string): Record<string, string[]>;
+    private clearCaches;
     readByQuery(query: Query, opts?: QueryOptions): Promise<Partial<Item>[]>;
     createOne(data: Partial<Item>, opts?: MutationOptions): Promise<PrimaryKey>;
     createMany(data: Partial<Item>[], opts?: MutationOptions): Promise<PrimaryKey[]>;

package/dist/services/{permissions/index.js → permissions.js} RENAMED Viewed

@@ -1,32 +1,17 @@
 import { ForbiddenError } from '@directus/errors';
-import { clearSystemCache, getCache } from '../../cache.js';
-import { AuthorizationService } from '../authorization.js';
-import { ItemsService } from '../items.js';
-import { withAppMinimalPermissions } from './lib/with-app-minimal-permissions.js';
+import { clearSystemCache } from '../cache.js';
+import { withAppMinimalPermissions } from '../permissions/lib/with-app-minimal-permissions.js';
+import { validateAccess } from '../permissions/modules/validate-access/validate-access.js';
+import { ItemsService } from './items.js';
 export class PermissionsService extends ItemsService {
-    systemCache;
     constructor(options) {
         super('directus_permissions', options);
-        const { systemCache } = getCache();
-        this.systemCache = systemCache;
     }
-    getAllowedFields(action, collection) {
-        const results = this.accountability?.permissions?.filter((permission) => {
-            let matchesCollection = true;
-            if (collection) {
-                matchesCollection = permission.collection === collection;
-            }
-            const matchesAction = permission.action === action;
-            return collection ? matchesCollection && matchesAction : matchesAction;
-        }) ?? [];
-        const fieldsPerCollection = {};
-        for (const result of results) {
-            const { collection, fields } = result;
-            if (!fieldsPerCollection[collection])
-                fieldsPerCollection[collection] = [];
-            fieldsPerCollection[collection].push(...(fields ?? []));
+    async clearCaches(opts) {
+        await clearSystemCache({ autoPurgeCache: opts?.autoPurgeCache });
+        if (this.cache && opts?.autoPurgeCache !== false) {
+            await this.cache.clear();
         }
-        return fieldsPerCollection;
     }
     async readByQuery(query, opts) {
         const result = (await super.readByQuery(query, opts));
@@ -34,50 +19,32 @@ export class PermissionsService extends ItemsService {
     }
     async createOne(data, opts) {
         const res = await super.createOne(data, opts);
-        await clearSystemCache({ autoPurgeCache: opts?.autoPurgeCache });
-        if (this.cache && opts?.autoPurgeCache !== false) {
-            await this.cache.clear();
-        }
+        await this.clearCaches(opts);
         return res;
     }
     async createMany(data, opts) {
         const res = await super.createMany(data, opts);
-        await clearSystemCache({ autoPurgeCache: opts?.autoPurgeCache });
-        if (this.cache && opts?.autoPurgeCache !== false) {
-            await this.cache.clear();
-        }
+        await this.clearCaches(opts);
         return res;
     }
     async updateBatch(data, opts) {
         const res = await super.updateBatch(data, opts);
-        await clearSystemCache({ autoPurgeCache: opts?.autoPurgeCache });
-        if (this.cache && opts?.autoPurgeCache !== false) {
-            await this.cache.clear();
-        }
+        await this.clearCaches(opts);
         return res;
     }
     async updateMany(keys, data, opts) {
         const res = await super.updateMany(keys, data, opts);
-        await clearSystemCache({ autoPurgeCache: opts?.autoPurgeCache });
-        if (this.cache && opts?.autoPurgeCache !== false) {
-            await this.cache.clear();
-        }
+        await this.clearCaches(opts);
         return res;
     }
     async upsertMany(payloads, opts) {
         const res = await super.upsertMany(payloads, opts);
-        await clearSystemCache({ autoPurgeCache: opts?.autoPurgeCache });
-        if (this.cache && opts?.autoPurgeCache !== false) {
-            await this.cache.clear();
-        }
+        await this.clearCaches(opts);
         return res;
     }
     async deleteMany(keys, opts) {
         const res = await super.deleteMany(keys, opts);
-        await clearSystemCache({ autoPurgeCache: opts?.autoPurgeCache });
-        if (this.cache && opts?.autoPurgeCache !== false) {
-            await this.cache.clear();
-        }
+        await this.clearCaches(opts);
         return res;
     }
     async getItemPermissions(collection, primaryKey) {
@@ -115,16 +82,25 @@ export class PermissionsService extends ItemsService {
                 updateAction = 'create';
             }
         }
-        const authorizationService = new AuthorizationService({
-            knex: this.knex,
-            accountability: this.accountability,
-            schema: this.schema,
-        });
         await Promise.all(Object.keys(itemPermissions).map((key) => {
             const action = key;
             const checkAction = action === 'update' ? updateAction : action;
-            return authorizationService
-                .checkAccess(checkAction, collection, primaryKey)
+            if (!this.accountability) {
+                itemPermissions[action].access = true;
+                return Promise.resolve();
+            }
+            const opts = {
+                accountability: this.accountability,
+                action: checkAction,
+                collection,
+            };
+            if (primaryKey) {
+                opts.primaryKeys = [primaryKey];
+            }
+            return validateAccess(opts, {
+                schema: this.schema,
+                knex: this.knex,
+            })
                 .then(() => (itemPermissions[action].access = true))
                 .catch(() => { });
         }));

package/dist/services/policies.d.ts ADDED Viewed

@@ -0,0 +1,12 @@
+import type { Policy, PrimaryKey } from '@directus/types';
+import type { AbstractServiceOptions, MutationOptions } from '../types/index.js';
+import { ItemsService } from './items.js';
+export declare class PoliciesService extends ItemsService<Policy> {
+    constructor(options: AbstractServiceOptions);
+    private clearCaches;
+    private isIpAccessValid;
+    private assertValidIpAccess;
+    createOne(data: Partial<Policy>, opts?: MutationOptions): Promise<PrimaryKey>;
+    updateMany(keys: PrimaryKey[], data: Partial<Policy>, opts?: MutationOptions): Promise<PrimaryKey[]>;
+    deleteMany(keys: PrimaryKey[], opts?: MutationOptions): Promise<PrimaryKey[]>;
+}

package/dist/services/policies.js ADDED Viewed

@@ -0,0 +1,87 @@
+import { InvalidPayloadError } from '@directus/errors';
+import { getMatch } from 'ip-matching';
+import { clearSystemCache } from '../cache.js';
+import { clearCache as clearPermissionsCache } from '../permissions/cache.js';
+import { UserIntegrityCheckFlag } from '../utils/validate-user-count-integrity.js';
+import { ItemsService } from './items.js';
+export class PoliciesService extends ItemsService {
+    constructor(options) {
+        super('directus_policies', options);
+    }
+    async clearCaches(opts) {
+        await clearSystemCache({ autoPurgeCache: opts?.autoPurgeCache });
+        if (this.cache && opts?.autoPurgeCache !== false) {
+            await this.cache.clear();
+        }
+    }
+    isIpAccessValid(value) {
+        if (value === undefined)
+            return false;
+        if (value === null)
+            return true;
+        if (Array.isArray(value) && value.length === 0)
+            return true;
+        for (const ip of value) {
+            if (typeof ip !== 'string' || ip.includes('*'))
+                return false;
+            try {
+                const match = getMatch(ip);
+                if (match.type == 'IPMask')
+                    return false;
+            }
+            catch {
+                return false;
+            }
+        }
+        return true;
+    }
+    assertValidIpAccess(partialItem) {
+        if ('ip_access' in partialItem && !this.isIpAccessValid(partialItem['ip_access'])) {
+            throw new InvalidPayloadError({
+                reason: 'IP Access contains an incorrect value. Valid values are: IP addresses, IP ranges and CIDR blocks',
+            });
+        }
+    }
+    async createOne(data, opts = {}) {
+        this.assertValidIpAccess(data);
+        // A policy has been created, but the attachment to a user/role happens in the AccessService,
+        // so no need to check user integrity
+        const result = await super.createOne(data, opts);
+        // TODO is this necessary? Since the attachment should be handled in the AccessService
+        // A new policy has created, clear the permissions cache
+        await clearPermissionsCache();
+        return result;
+    }
+    async updateMany(keys, data, opts = {}) {
+        this.assertValidIpAccess(data);
+        if ('admin_access' in data) {
+            let flags = UserIntegrityCheckFlag.RemainingAdmins;
+            if (data['admin_access'] === true) {
+                // Only need to perform a full user count if the policy allows admin access
+                flags |= UserIntegrityCheckFlag.All;
+            }
+            opts.userIntegrityCheckFlags = (opts.userIntegrityCheckFlags ?? UserIntegrityCheckFlag.None) | flags;
+        }
+        if ('app_access' in data) {
+            opts.userIntegrityCheckFlags =
+                (opts.userIntegrityCheckFlags ?? UserIntegrityCheckFlag.None) | UserIntegrityCheckFlag.UserLimits;
+        }
+        if (opts.userIntegrityCheckFlags)
+            opts.onRequireUserIntegrityCheck?.(opts.userIntegrityCheckFlags);
+        const result = await super.updateMany(keys, data, opts);
+        if ('admin_access' in data || 'app_access' in data || 'ip_access' in data || 'enforce_tfa' in data) {
+            // Some relevant properties on policies have been updated, clear the caches
+            await this.clearCaches(opts);
+        }
+        return result;
+    }
+    async deleteMany(keys, opts = {}) {
+        opts.userIntegrityCheckFlags = UserIntegrityCheckFlag.All;
+        opts.onRequireUserIntegrityCheck?.(opts.userIntegrityCheckFlags);
+        const result = await super.deleteMany(keys, opts);
+        // TODO is this necessary? Since the detachment should be handled in the AccessService
+        // Some policies have been deleted, clear the permissions cache
+        await this.clearCaches(opts);
+        return result;
+    }
+}

package/dist/services/relations.d.ts CHANGED Viewed

@@ -5,10 +5,8 @@ import type { Knex } from 'knex';
 import type { Helpers } from '../database/helpers/index.js';
 import type { AbstractServiceOptions, MutationOptions } from '../types/index.js';
 import { ItemsService, type QueryOptions } from './items.js';
-import { PermissionsService } from './permissions/index.js';
 export declare class RelationsService {
     knex: Knex;
-    permissionsService: PermissionsService;
     schemaInspector: SchemaInspector;
     accountability: Accountability | null;
     schema: SchemaOverview;
@@ -34,10 +32,6 @@ export declare class RelationsService {
      * Delete an existing relationship
      */
     deleteOne(collection: string, field: string, opts?: MutationOptions): Promise<void>;
-    /**
-     * Whether or not the current user has read access to relations
-     */
-    private get hasReadAccess();
     /**
      * Combine raw schema foreign key information with Directus relations meta rows to form final
      * Relation objects

package/dist/services/relations.js CHANGED Viewed

@@ -1,3 +1,4 @@
+import { useEnv } from '@directus/env';
 import { ForbiddenError, InvalidPayloadError } from '@directus/errors';
 import { createInspector } from '@directus/schema';
 import { systemRelationRows } from '@directus/system-data';
@@ -6,16 +7,16 @@ import { clearSystemCache, getCache, getCacheValue, setCacheValue } from '../cac
 import { getHelpers } from '../database/helpers/index.js';
 import getDatabase, { getSchemaInspector } from '../database/index.js';
 import emitter from '../emitter.js';
+import { fetchAllowedFieldMap } from '../permissions/modules/fetch-allowed-field-map/fetch-allowed-field-map.js';
+import { fetchAllowedFields } from '../permissions/modules/fetch-allowed-fields/fetch-allowed-fields.js';
+import { validateAccess } from '../permissions/modules/validate-access/validate-access.js';
 import { getDefaultIndexName } from '../utils/get-default-index-name.js';
 import { getSchema } from '../utils/get-schema.js';
 import { transaction } from '../utils/transaction.js';
 import { ItemsService } from './items.js';
-import { PermissionsService } from './permissions/index.js';
-import { useEnv } from '@directus/env';
 const env = useEnv();
 export class RelationsService {
     knex;
-    permissionsService;
     schemaInspector;
     accountability;
     schema;
@@ -25,7 +26,6 @@ export class RelationsService {
     helpers;
     constructor(options) {
         this.knex = options.knex || getDatabase();
-        this.permissionsService = new PermissionsService(options);
         this.schemaInspector = options.knex ? createInspector(options.knex) : getSchemaInspector();
         this.schema = options.schema;
         this.accountability = options.accountability || null;
@@ -59,8 +59,15 @@ export class RelationsService {
         return foreignKeys;
     }
     async readAll(collection, opts) {
-        if (this.accountability && this.accountability.admin !== true && this.hasReadAccess === false) {
-            throw new ForbiddenError();
+        if (this.accountability) {
+            await validateAccess({
+                accountability: this.accountability,
+                action: 'read',
+                collection: 'directus_relations',
+            }, {
+                knex: this.knex,
+                schema: this.schema,
+            });
         }
         const metaReadQuery = {
             limit: -1,
@@ -86,18 +93,17 @@ export class RelationsService {
     }
     async readOne(collection, field) {
         if (this.accountability && this.accountability.admin !== true) {
-            if (this.hasReadAccess === false) {
-                throw new ForbiddenError();
-            }
-            const permissions = this.accountability.permissions?.find((permission) => {
-                return permission.action === 'read' && permission.collection === collection;
+            await validateAccess({
+                accountability: this.accountability,
+                action: 'read',
+                collection: 'directus_relations',
+            }, {
+                schema: this.schema,
+                knex: this.knex,
             });
-            if (!permissions || !permissions.fields)
+            const allowedFields = await fetchAllowedFields({ collection, action: 'read', accountability: this.accountability }, { schema: this.schema, knex: this.knex });
+            if (allowedFields.includes('*') === false && allowedFields.includes(field) === false) {
                 throw new ForbiddenError();
-            if (permissions.fields.includes('*') === false) {
-                const allowedFields = permissions.fields;
-                if (allowedFields.includes(field) === false)
-                    throw new ForbiddenError();
             }
         }
         const metaRow = await this.relationsItemService.readByQuery({
@@ -379,14 +385,6 @@ export class RelationsService {
             }
         }
     }
-    /**
-     * Whether or not the current user has read access to relations
-     */
-    get hasReadAccess() {
-        return !!this.accountability?.permissions?.find((permission) => {
-            return permission.collection === 'directus_relations' && permission.action === 'read';
-        });
-    }
     /**
      * Combine raw schema foreign key information with Directus relations meta rows to form final
      * Relation objects
@@ -435,12 +433,11 @@ export class RelationsService {
     async filterForbidden(relations) {
         if (this.accountability === null || this.accountability?.admin === true)
             return relations;
-        const allowedCollections = this.accountability.permissions
-            ?.filter((permission) => {
-            return permission.action === 'read';
-        })
-            .map(({ collection }) => collection) ?? [];
-        const allowedFields = this.permissionsService.getAllowedFields('read');
+        const allowedFields = await fetchAllowedFieldMap({
+            accountability: this.accountability,
+            action: 'read',
+        }, { schema: this.schema, knex: this.knex });
+        const allowedCollections = Object.keys(allowedFields);
         relations = toArray(relations);
         return relations.filter((relation) => {
             let collectionsAllowed = true;

package/dist/services/roles.d.ts CHANGED Viewed

@@ -1,18 +1,10 @@
-import type { Item, PrimaryKey, Query } from '@directus/types';
+import type { Item, PrimaryKey } from '@directus/types';
 import type { AbstractServiceOptions, MutationOptions } from '../types/index.js';
 import { ItemsService } from './items.js';
 export declare class RolesService extends ItemsService {
     constructor(options: AbstractServiceOptions);
-    private checkForOtherAdminRoles;
-    private checkForOtherAdminUsers;
-    private isIpAccessValid;
-    private assertValidIpAccess;
-    private getRoleAccessType;
-    createOne(data: Partial<Item>, opts?: MutationOptions): Promise<PrimaryKey>;
-    createMany(data: Partial<Item>[], opts?: MutationOptions): Promise<PrimaryKey[]>;
-    updateOne(key: PrimaryKey, data: Partial<Item>, opts?: MutationOptions): Promise<PrimaryKey>;
-    updateBatch(data: Partial<Item>[], opts?: MutationOptions): Promise<PrimaryKey[]>;
     updateMany(keys: PrimaryKey[], data: Partial<Item>, opts?: MutationOptions): Promise<PrimaryKey[]>;
-    updateByQuery(query: Query, data: Partial<Item>, opts?: MutationOptions | undefined): Promise<PrimaryKey[]>;
-    deleteMany(keys: PrimaryKey[]): Promise<PrimaryKey[]>;
+    deleteMany(keys: PrimaryKey[], opts?: MutationOptions): Promise<PrimaryKey[]>;
+    private validateRoleNesting;
+    private clearCaches;
 }