@directus/api 21.0.0 → 22.1.0

package/dist/services/specifications.js

@@ -1,14 +1,17 @@
 import { useEnv } from '@directus/env';
 import formatTitle from '@directus/format-title';
 import { spec } from '@directus/specs';
+import { isSystemCollection } from '@directus/system-data';
 import { version } from 'directus/version';
 import { cloneDeep, mergeWith } from 'lodash-es';
 import { OAS_REQUIRED_SCHEMAS } from '../constants.js';
 import getDatabase from '../database/index.js';
+import { fetchPermissions } from '../permissions/lib/fetch-permissions.js';
+import { fetchPolicies } from '../permissions/lib/fetch-policies.js';
+import { fetchAllowedFieldMap } from '../permissions/modules/fetch-allowed-field-map/fetch-allowed-field-map.js';
 import { getRelationType } from '../utils/get-relation-type.js';
 import { reduceSchema } from '../utils/reduce-schema.js';
 import { GraphQLService } from './graphql/index.js';
-import { isSystemCollection } from '@directus/system-data';
 const env = useEnv();
 export class SpecificationService {
     accountability;
@@ -16,29 +19,38 @@ export class SpecificationService {
     schema;
     oas;
     graphql;
-    constructor({ accountability, knex, schema }) {
-        this.accountability = accountability || null;
-        this.knex = knex || getDatabase();
-        this.schema = schema;
-        this.oas = new OASSpecsService({ knex, schema, accountability });
-        this.graphql = new GraphQLSpecsService({ knex, schema, accountability });
+    constructor(options) {
+        this.accountability = options.accountability || null;
+        this.knex = options.knex || getDatabase();
+        this.schema = options.schema;
+        this.oas = new OASSpecsService(options);
+        this.graphql = new GraphQLSpecsService(options);
     }
 }
 class OASSpecsService {
     accountability;
     knex;
     schema;
-    constructor({ knex, schema, accountability }) {
-        this.accountability = accountability || null;
-        this.knex = knex || getDatabase();
-        this.schema =
-            this.accountability?.admin === true ? schema : reduceSchema(schema, accountability?.permissions || null);
+    constructor(options) {
+        this.accountability = options.accountability || null;
+        this.knex = options.knex || getDatabase();
+        this.schema = options.schema;
     }
     async generate(host) {
-        const permissions = this.accountability?.permissions ?? [];
-        const tags = await this.generateTags();
+        let schema = this.schema;
+        let permissions = [];
+        if (this.accountability && this.accountability.admin !== true) {
+            const allowedFields = await fetchAllowedFieldMap({
+                accountability: this.accountability,
+                action: 'read',
+            }, { schema, knex: this.knex });
+            schema = reduceSchema(schema, allowedFields);
+            const policies = await fetchPolicies(this.accountability, { schema, knex: this.knex });
+            permissions = await fetchPermissions({ action: 'read', policies, accountability: this.accountability }, { schema, knex: this.knex });
+        }
+        const tags = await this.generateTags(schema);
         const paths = await this.generatePaths(permissions, tags);
-        const components = await this.generateComponents(tags);
+        const components = await this.generateComponents(schema, tags);
         const isDefaultPublicUrl = env['PUBLIC_URL'] === '/';
         const url = isDefaultPublicUrl && host ? host : env['PUBLIC_URL'];
         const spec = {
@@ -62,9 +74,9 @@ class OASSpecsService {
             spec.components = components;
         return spec;
     }
-    async generateTags() {
+    async generateTags(schema) {
         const systemTags = cloneDeep(spec.tags);
-        const collections = Object.values(this.schema.collections);
+        const collections = Object.values(schema.collections);
         const tags = [];
         for (const systemTag of systemTags) {
             // Check if necessary authentication level is given
@@ -246,7 +258,7 @@ class OASSpecsService {
         }
         return paths;
     }
-    async generateComponents(tags) {
+    async generateComponents(schema, tags) {
         if (!tags)
             return;
         let components = cloneDeep(spec.components);
@@ -264,7 +276,7 @@ class OASSpecsService {
                 };
             }
         }
-        const collections = Object.values(this.schema.collections);
+        const collections = Object.values(schema.collections);
         for (const collection of collections) {
             const tag = tags.find((tag) => tag['x-collection'] === collection.collection);
             if (!tag)
@@ -277,7 +289,7 @@ class OASSpecsService {
                 schemaComponent['x-collection'] = collection.collection;
                 for (const field of fieldsInCollection) {
                     schemaComponent.properties[field.field] =
-                        cloneDeep(spec.components.schemas[tag.name].properties[field.field]) || this.generateField(collection.collection, field, tags);
+                        cloneDeep(spec.components.schemas[tag.name].properties[field.field]) || this.generateField(schema, collection.collection, field, tags);
                 }
                 components.schemas[tag.name] = schemaComponent;
             }
@@ -288,7 +300,7 @@ class OASSpecsService {
                     'x-collection': collection.collection,
                 };
                 for (const field of fieldsInCollection) {
-                    schemaComponent.properties[field.field] = this.generateField(collection.collection, field, tags);
+                    schemaComponent.properties[field.field] = this.generateField(schema, collection.collection, field, tags);
                 }
                 components.schemas[tag.name] = schemaComponent;
             }
@@ -311,13 +323,13 @@ class OASSpecsService {
                 return 'read';
         }
     }
-    generateField(collection, field, tags) {
+    generateField(schema, collection, field, tags) {
         let propertyObject = {};
         propertyObject.nullable = field.nullable;
         if (field.note) {
             propertyObject.description = field.note;
         }
-        const relation = this.schema.relations.find((relation) => (relation.collection === collection && relation.field === field.field) ||
+        const relation = schema.relations.find((relation) => (relation.collection === collection && relation.field === field.field) ||
             (relation.related_collection === collection && relation.meta?.one_field === field.field));
         if (!relation) {
             propertyObject = {
@@ -335,10 +347,10 @@ class OASSpecsService {
                 const relatedTag = tags.find((tag) => tag['x-collection'] === relation.related_collection);
                 if (!relatedTag ||
                     !relation.related_collection ||
-                    relation.related_collection in this.schema.collections === false) {
+                    relation.related_collection in schema.collections === false) {
                     return propertyObject;
                 }
-                const relatedCollection = this.schema.collections[relation.related_collection];
+                const relatedCollection = schema.collections[relation.related_collection];
                 const relatedPrimaryKeyField = relatedCollection.fields[relatedCollection.primary];
                 propertyObject.oneOf = [
                     {
@@ -351,10 +363,10 @@ class OASSpecsService {
             }
             else if (relationType === 'o2m') {
                 const relatedTag = tags.find((tag) => tag['x-collection'] === relation.collection);
-                if (!relatedTag || !relation.related_collection || relation.collection in this.schema.collections === false) {
+                if (!relatedTag || !relation.related_collection || relation.collection in schema.collections === false) {
                     return propertyObject;
                 }
-                const relatedCollection = this.schema.collections[relation.collection];
+                const relatedCollection = schema.collections[relation.collection];
                 const relatedPrimaryKeyField = relatedCollection.fields[relatedCollection.primary];
                 if (!relatedTag || !relatedPrimaryKeyField)
                     return propertyObject;

package/dist/services/users.d.ts

@@ -13,11 +13,6 @@ export declare class UsersService extends ItemsService {
      * directus_settings.auth_password_policy
      */
     private checkPasswordPolicy;
-    private checkRemainingAdminExistence;
-    /**
-     * Make sure there's at least one active admin user when updating user status
-     */
-    private checkRemainingActiveAdmin;
     /**
      * Get basic information of user identified by email
      */
@@ -52,4 +47,5 @@ export declare class UsersService extends ItemsService {
     verifyRegistration(token: string): Promise<string>;
     requestPasswordReset(email: string, url: string | null, subject?: string | null): Promise<void>;
     resetPassword(token: string, password: string): Promise<void>;
+    private clearCaches;
 }

package/dist/services/users.js

@@ -1,23 +1,22 @@
 import { useEnv } from '@directus/env';
-import { ForbiddenError, InvalidPayloadError, RecordNotUniqueError, UnprocessableContentError } from '@directus/errors';
-import { getSimpleHash, toArray, toBoolean, validatePayload } from '@directus/utils';
+import { ForbiddenError, InvalidPayloadError, RecordNotUniqueError } from '@directus/errors';
+import { getSimpleHash, toArray, validatePayload } from '@directus/utils';
 import { FailedValidationError, joiValidationErrorItemToErrorExtensions } from '@directus/validation';
 import Joi from 'joi';
 import jwt from 'jsonwebtoken';
-import { isEmpty, mergeWith } from 'lodash-es';
+import { isEmpty } from 'lodash-es';
 import { performance } from 'perf_hooks';
+import { clearSystemCache } from '../cache.js';
 import getDatabase from '../database/index.js';
 import { useLogger } from '../logger/index.js';
-import { checkIncreasedUserLimits } from '../telemetry/utils/check-increased-user-limits.js';
-import { getRoleCountsByRoles } from '../telemetry/utils/get-role-counts-by-roles.js';
-import { getRoleCountsByUsers } from '../telemetry/utils/get-role-counts-by-users.js';
-import {} from '../telemetry/utils/get-user-count.js';
-import { shouldCheckUserLimits } from '../telemetry/utils/should-check-user-limits.js';
+import { validateRemainingAdminUsers } from '../permissions/modules/validate-remaining-admin/validate-remaining-admin-users.js';
+import { createDefaultAccountability } from '../permissions/utils/create-default-accountability.js';
 import { getSecret } from '../utils/get-secret.js';
 import isUrlAllowed from '../utils/is-url-allowed.js';
 import { verifyJWT } from '../utils/jwt.js';
 import { stall } from '../utils/stall.js';
 import { Url } from '../utils/url.js';
+import { UserIntegrityCheckFlag } from '../utils/validate-user-count-integrity.js';
 import { ItemsService } from './items.js';
 import { MailService } from './mail/index.js';
 import { SettingsService } from './settings.js';
@@ -88,42 +87,11 @@ export class UsersService extends ItemsService {
             }
         }
     }
-    async checkRemainingAdminExistence(excludeKeys) {
-        // Make sure there's at least one admin user left after this deletion is done
-        const otherAdminUsers = await this.knex
-            .count('*', { as: 'count' })
-            .from('directus_users')
-            .whereNotIn('directus_users.id', excludeKeys)
-            .andWhere({ 'directus_roles.admin_access': true })
-            .leftJoin('directus_roles', 'directus_users.role', 'directus_roles.id')
-            .first();
-        const otherAdminUsersCount = +(otherAdminUsers?.count || 0);
-        if (otherAdminUsersCount === 0) {
-            throw new UnprocessableContentError({ reason: `You can't remove the last admin user from the role` });
-        }
-    }
-    /**
-     * Make sure there's at least one active admin user when updating user status
-     */
-    async checkRemainingActiveAdmin(excludeKeys) {
-        const otherAdminUsers = await this.knex
-            .count('*', { as: 'count' })
-            .from('directus_users')
-            .whereNotIn('directus_users.id', excludeKeys)
-            .andWhere({ 'directus_roles.admin_access': true })
-            .andWhere({ 'directus_users.status': 'active' })
-            .leftJoin('directus_roles', 'directus_users.role', 'directus_roles.id')
-            .first();
-        const otherAdminUsersCount = +(otherAdminUsers?.count || 0);
-        if (otherAdminUsersCount === 0) {
-            throw new UnprocessableContentError({ reason: `You can't change the active status of the last admin user` });
-        }
-    }
     /**
      * Get basic information of user identified by email
      */
     async getUserByEmail(email) {
-        return await this.knex
+        return this.knex
             .select('id', 'role', 'status', 'password', 'email')
             .from('directus_users')
             .whereRaw(`LOWER(??) = ?`, ['email', email.toLowerCase()])
@@ -158,51 +126,34 @@ export class UsersService extends ItemsService {
     /**
      * Create a new user
      */
-    async createOne(data, opts) {
+    async createOne(data, opts = {}) {
         try {
-            if (data['email']) {
+            if ('email' in data) {
                 this.validateEmail(data['email']);
                 await this.checkUniqueEmails([data['email']]);
             }
-            if (data['password']) {
+            if ('password' in data) {
                 await this.checkPasswordPolicy([data['password']]);
             }
-            if (shouldCheckUserLimits() && data['role']) {
-                const increasedCounts = {
-                    admin: 0,
-                    app: 0,
-                    api: 0,
-                };
-                if (typeof data['role'] === 'object') {
-                    if ('admin_access' in data['role'] && data['role']['admin_access'] === true) {
-                        increasedCounts.admin++;
-                    }
-                    else if ('app_access' in data['role'] && data['role']['app_access'] === true) {
-                        increasedCounts.app++;
-                    }
-                    else {
-                        increasedCounts.api++;
-                    }
-                }
-                else {
-                    const existingRoleCounts = await getRoleCountsByRoles(this.knex, [data['role']]);
-                    mergeWith(increasedCounts, existingRoleCounts, (x, y) => x + y);
-                }
-                await checkIncreasedUserLimits(this.knex, increasedCounts);
-            }
         }
         catch (err) {
-            (opts || (opts = {})).preMutationError = err;
+            opts.preMutationError = err;
+        }
+        if (!('status' in data) || data['status'] === 'active') {
+            // Creating a user only requires checking user limits if the user is active, no need to care about the role
+            opts.userIntegrityCheckFlags =
+                (opts.userIntegrityCheckFlags ?? UserIntegrityCheckFlag.None) | UserIntegrityCheckFlag.UserLimits;
+            opts.onRequireUserIntegrityCheck?.(opts.userIntegrityCheckFlags);
         }
         return await super.createOne(data, opts);
     }
     /**
      * Create multiple new users
      */
-    async createMany(data, opts) {
-        const emails = data['map']((payload) => payload['email']).filter((email) => email);
-        const passwords = data['map']((payload) => payload['password']).filter((password) => password);
-        const roles = data['map']((payload) => payload['role']).filter((role) => role);
+    async createMany(data, opts = {}) {
+        const emails = data.map((payload) => payload['email']).filter((email) => email);
+        const passwords = data.map((payload) => payload['password']).filter((password) => password);
+        const someActive = data.some((payload) => !('status' in payload) || payload['status'] === 'active');
         try {
             if (emails.length) {
                 this.validateEmail(emails);
@@ -211,96 +162,30 @@ export class UsersService extends ItemsService {
             if (passwords.length) {
                 await this.checkPasswordPolicy(passwords);
             }
-            if (shouldCheckUserLimits() && roles.length) {
-                const increasedCounts = {
-                    admin: 0,
-                    app: 0,
-                    api: 0,
-                };
-                const existingRoles = [];
-                for (const role of roles) {
-                    if (typeof role === 'object') {
-                        if ('admin_access' in role && role['admin_access'] === true) {
-                            increasedCounts.admin++;
-                        }
-                        else if ('app_access' in role && role['app_access'] === true) {
-                            increasedCounts.app++;
-                        }
-                        else {
-                            increasedCounts.api++;
-                        }
-                    }
-                    else {
-                        existingRoles.push(role);
-                    }
-                }
-                const existingRoleCounts = await getRoleCountsByRoles(this.knex, existingRoles);
-                mergeWith(increasedCounts, existingRoleCounts, (x, y) => x + y);
-                await checkIncreasedUserLimits(this.knex, increasedCounts);
-            }
         }
         catch (err) {
-            (opts || (opts = {})).preMutationError = err;
+            opts.preMutationError = err;
+        }
+        if (someActive) {
+            // Creating users only requires checking user limits if the users are active, no need to care about the role
+            opts.userIntegrityCheckFlags =
+                (opts.userIntegrityCheckFlags ?? UserIntegrityCheckFlag.None) | UserIntegrityCheckFlag.UserLimits;
+            opts.onRequireUserIntegrityCheck?.(opts.userIntegrityCheckFlags);
         }
-        return await super.createMany(data, opts);
+        // Use generic ItemsService to avoid calling `UserService.createOne` to avoid additional work of validating emails,
+        // as this requires one query per email if done in `createOne`
+        const itemsService = new ItemsService(this.collection, {
+            schema: this.schema,
+            accountability: this.accountability,
+            knex: this.knex,
+        });
+        return await itemsService.createMany(data, opts);
     }
     /**
      * Update many users by primary key
      */
-    async updateMany(keys, data, opts) {
+    async updateMany(keys, data, opts = {}) {
         try {
-            const needsUserLimitCheck = shouldCheckUserLimits();
-            if (data['role']) {
-                /*
-                 * data['role'] has the following cases:
-                 * - a string with existing role id
-                 * - an object with existing role id for GraphQL mutations
-                 * - an object with data for new role
-                 */
-                const role = data['role']?.id ?? data['role'];
-                let newRole;
-                if (typeof role === 'string') {
-                    newRole = await this.knex
-                        .select('admin_access', 'app_access')
-                        .from('directus_roles')
-                        .where('id', role)
-                        .first();
-                }
-                else {
-                    newRole = role;
-                }
-                if (!newRole?.admin_access) {
-                    await this.checkRemainingAdminExistence(keys);
-                }
-                if (needsUserLimitCheck && newRole) {
-                    const existingCounts = await getRoleCountsByUsers(this.knex, keys);
-                    const increasedCounts = {
-                        admin: 0,
-                        app: 0,
-                        api: 0,
-                    };
-                    if (toBoolean(newRole.admin_access)) {
-                        increasedCounts.admin = keys.length - existingCounts.admin;
-                    }
-                    else if (toBoolean(newRole.app_access)) {
-                        increasedCounts.app = keys.length - existingCounts.app;
-                    }
-                    else {
-                        increasedCounts.api = keys.length - existingCounts.api;
-                    }
-                    await checkIncreasedUserLimits(this.knex, increasedCounts);
-                }
-            }
-            if (needsUserLimitCheck && data['role'] === null) {
-                await checkIncreasedUserLimits(this.knex, { admin: 0, app: 0, api: 1 });
-            }
-            if (data['status'] !== undefined && data['status'] !== 'active') {
-                await this.checkRemainingActiveAdmin(keys);
-            }
-            if (needsUserLimitCheck && data['status'] === 'active') {
-                const increasedCounts = await getRoleCountsByUsers(this.knex, keys, { inactiveUsers: true });
-                await checkIncreasedUserLimits(this.knex, increasedCounts);
-            }
             if (data['email']) {
                 if (keys.length > 1) {
                     throw new RecordNotUniqueError({
@@ -331,19 +216,45 @@ export class UsersService extends ItemsService {
             }
         }
         catch (err) {
-            (opts || (opts = {})).preMutationError = err;
+            opts.preMutationError = err;
+        }
+        if ('role' in data) {
+            opts.userIntegrityCheckFlags = UserIntegrityCheckFlag.All;
         }
-        return await super.updateMany(keys, data, opts);
+        if ('status' in data) {
+            if (data['status'] === 'active') {
+                // User are being activated, no need to check if there are enough admins
+                opts.userIntegrityCheckFlags =
+                    (opts.userIntegrityCheckFlags ?? UserIntegrityCheckFlag.None) | UserIntegrityCheckFlag.UserLimits;
+            }
+            else {
+                opts.userIntegrityCheckFlags = UserIntegrityCheckFlag.All;
+            }
+        }
+        if (opts.userIntegrityCheckFlags) {
+            opts.onRequireUserIntegrityCheck?.(opts.userIntegrityCheckFlags);
+        }
+        const result = await super.updateMany(keys, data, opts);
+        // Only clear the caches if the role has been updated
+        if ('role' in data) {
+            await this.clearCaches(opts);
+        }
+        return result;
     }
     /**
      * Delete multiple users by primary key
      */
-    async deleteMany(keys, opts) {
-        try {
-            await this.checkRemainingAdminExistence(keys);
+    async deleteMany(keys, opts = {}) {
+        if (opts?.onRequireUserIntegrityCheck) {
+            opts.onRequireUserIntegrityCheck(opts?.userIntegrityCheckFlags ?? UserIntegrityCheckFlag.None);
         }
-        catch (err) {
-            (opts || (opts = {})).preMutationError = err;
+        else {
+            try {
+                await validateRemainingAdminUsers({ excludeUsers: keys }, { knex: this.knex, schema: this.schema });
+            }
+            catch (err) {
+                opts.preMutationError = err;
+            }
         }
         // Manual constraint, see https://github.com/directus/directus/pull/19912
         await this.knex('directus_notifications').update({ sender: null }).whereIn('sender', keys);
@@ -566,10 +477,16 @@ export class UsersService extends ItemsService {
             knex: this.knex,
             schema: this.schema,
             accountability: {
-                ...(this.accountability ?? { role: null }),
+                ...(this.accountability ?? createDefaultAccountability()),
                 admin: true, // We need to skip permissions checks for the update call below
             },
         });
         await service.updateOne(user.id, { password, status: 'active' }, opts);
     }
+    async clearCaches(opts) {
+        await clearSystemCache({ autoPurgeCache: opts?.autoPurgeCache });
+        if (this.cache && opts?.autoPurgeCache !== false) {
+            await this.cache.clear();
+        }
+    }
 }

package/dist/services/utils.js

@@ -3,6 +3,8 @@ import { systemCollectionRows } from '@directus/system-data';
 import { clearSystemCache, getCache } from '../cache.js';
 import getDatabase from '../database/index.js';
 import emitter from '../emitter.js';
+import { fetchAllowedFields } from '../permissions/modules/fetch-allowed-fields/fetch-allowed-fields.js';
+import { validateAccess } from '../permissions/modules/validate-access/validate-access.js';
 import { shouldClearCache } from '../utils/should-clear-cache.js';
 export class UtilsService {
     knex;
@@ -20,14 +22,16 @@ export class UtilsService {
         if (!sortField) {
             throw new InvalidPayloadError({ reason: `Collection "${collection}" doesn't have a sort field` });
         }
-        if (this.accountability?.admin !== true) {
-            const permissions = this.accountability?.permissions?.find((permission) => {
-                return permission.collection === collection && permission.action === 'update';
+        if (this.accountability && this.accountability.admin !== true) {
+            await validateAccess({
+                accountability: this.accountability,
+                action: 'update',
+                collection,
+            }, {
+                schema: this.schema,
+                knex: this.knex,
             });
-            if (!permissions) {
-                throw new ForbiddenError();
-            }
-            const allowedFields = permissions.fields ?? [];
+            const allowedFields = await fetchAllowedFields({ collection, action: 'update', accountability: this.accountability }, { schema: this.schema, knex: this.knex });
             if (allowedFields[0] !== '*' && allowedFields.includes(sortField) === false) {
                 throw new ForbiddenError();
             }

package/dist/services/versions.d.ts

@@ -1,9 +1,7 @@
 import type { Item, PrimaryKey, Query } from '@directus/types';
 import type { AbstractServiceOptions, MutationOptions } from '../types/index.js';
-import { AuthorizationService } from './authorization.js';
 import { ItemsService } from './items.js';
 export declare class VersionsService extends ItemsService {
-    authorizationService: AuthorizationService;
     constructor(options: AbstractServiceOptions);
     private validateCreateData;
     getMainItem(collection: string, item: PrimaryKey, query?: Query): Promise<Item>;

package/dist/services/versions.js

@@ -6,21 +6,15 @@ import objectHash from 'object-hash';
 import { getCache } from '../cache.js';
 import getDatabase from '../database/index.js';
 import emitter from '../emitter.js';
+import { validateAccess } from '../permissions/modules/validate-access/validate-access.js';
 import { shouldClearCache } from '../utils/should-clear-cache.js';
 import { ActivityService } from './activity.js';
-import { AuthorizationService } from './authorization.js';
 import { ItemsService } from './items.js';
 import { PayloadService } from './payload.js';
 import { RevisionsService } from './revisions.js';
 export class VersionsService extends ItemsService {
-    authorizationService;
     constructor(options) {
         super('directus_versions', options);
-        this.authorizationService = new AuthorizationService({
-            accountability: this.accountability,
-            knex: this.knex,
-            schema: this.schema,
-        });
     }
     async validateCreateData(data) {
         if (!data['key'])
@@ -55,11 +49,31 @@ export class VersionsService extends ItemsService {
             });
         }
         // will throw an error if the accountability does not have permission to read the item
-        await this.authorizationService.checkAccess('read', data['collection'], data['item']);
+        if (this.accountability) {
+            await validateAccess({
+                accountability: this.accountability,
+                action: 'read',
+                collection: data['collection'],
+                primaryKeys: [data['item']],
+            }, {
+                schema: this.schema,
+                knex: this.knex,
+            });
+        }
     }
     async getMainItem(collection, item, query) {
         // will throw an error if the accountability does not have permission to read the item
-        await this.authorizationService.checkAccess('read', collection, item);
+        if (this.accountability) {
+            await validateAccess({
+                accountability: this.accountability,
+                action: 'read',
+                collection,
+                primaryKeys: [item],
+            }, {
+                schema: this.schema,
+                knex: this.knex,
+            });
+        }
         const itemsService = new ItemsService(collection, {
             knex: this.knex,
             accountability: this.accountability,
@@ -200,7 +214,17 @@ export class VersionsService extends ItemsService {
     async promote(version, mainHash, fields) {
         const { id, collection, item } = (await this.readOne(version));
         // will throw an error if the accountability does not have permission to update the item
-        await this.authorizationService.checkAccess('update', collection, item);
+        if (this.accountability) {
+            await validateAccess({
+                accountability: this.accountability,
+                action: 'update',
+                collection,
+                primaryKeys: [item],
+            }, {
+                schema: this.schema,
+                knex: this.knex,
+            });
+        }
         const { outdated } = await this.verifyHash(collection, item, mainHash);
         if (outdated) {
             throw new UnprocessableContentError({

package/dist/telemetry/lib/get-report.js

@@ -2,11 +2,11 @@ import { useEnv } from '@directus/env';
 import { version } from 'directus/version';
 import { getHelpers } from '../../database/helpers/index.js';
 import { getDatabase, getDatabaseClient } from '../../database/index.js';
+import { fetchUserCount } from '../../utils/fetch-user-count/fetch-user-count.js';
 import { getExtensionCount } from '../utils/get-extension-count.js';
 import { getFieldCount } from '../utils/get-field-count.js';
 import { getFilesizeSum } from '../utils/get-filesize-sum.js';
 import { getItemCount } from '../utils/get-item-count.js';
-import { getUserCount } from '../utils/get-user-count.js';
 import { getUserItemCount } from '../utils/get-user-item-count.js';
 const basicCountTasks = [
     { collection: 'directus_dashboards' },
@@ -27,7 +27,7 @@ export const getReport = async () => {
     const helpers = getHelpers(db);
     const [basicCounts, userCounts, userItemCount, fieldsCounts, extensionsCounts, databaseSize, filesizes] = await Promise.all([
         getItemCount(db, basicCountTasks),
-        getUserCount(db),
+        fetchUserCount({ knex: db }),
         getUserItemCount(db),
         getFieldCount(db),
         getExtensionCount(db),

package/dist/telemetry/utils/check-user-limits.d.ts

@@ -0,0 +1,5 @@
+import { type UserCount } from '../../utils/fetch-user-count/fetch-user-count.js';
+/**
+ * Ensure that user limits are not reached
+ */
+export declare function checkUserLimits(userCounts: UserCount): Promise<void>;