npm - @directus/api - Versions diffs - 21.0.0 → 22.1.0 - Mend

@directus/api 21.0.0 → 22.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (299) hide show

package/dist/telemetry/utils/check-user-limits.js ADDED Viewed

@@ -0,0 +1,19 @@
+import { useEnv } from '@directus/env';
+import { LimitExceededError } from '@directus/errors';
+import {} from '../../utils/fetch-user-count/fetch-user-count.js';
+const env = useEnv();
+/**
+ * Ensure that user limits are not reached
+ */
+export async function checkUserLimits(userCounts) {
+    if (userCounts.admin > Number(env['USERS_ADMIN_ACCESS_LIMIT'])) {
+        throw new LimitExceededError({ category: 'Active Admin users' });
+    }
+    // Both app and admin users count against the app access limit
+    if (userCounts.app + userCounts.admin > Number(env['USERS_APP_ACCESS_LIMIT'])) {
+        throw new LimitExceededError({ category: 'Active App users' });
+    }
+    if (userCounts.api > Number(env['USERS_API_ACCESS_LIMIT'])) {
+        throw new LimitExceededError({ category: 'Active API users' });
+    }
+}

package/dist/types/ast.d.ts CHANGED Viewed

@@ -1,4 +1,4 @@
-import type { Query, Relation } from '@directus/types';
+import type { Filter, Query, Relation } from '@directus/types';
 export type M2ONode = {
     type: 'm2o';
     name: string;
@@ -8,6 +8,14 @@ export type M2ONode = {
     relation: Relation;
     parentKey: string;
     relatedKey: string;
+    /**
+     * Which permission cases have to be met on the current item for this field to return a value
+     */
+    whenCase: number[];
+    /**
+     * Permissions rules for the item access of the children of this item.
+     */
+    cases: Filter[];
 };
 export type A2MNode = {
     type: 'a2o';
@@ -24,6 +32,16 @@ export type A2MNode = {
     fieldKey: string;
     relation: Relation;
     parentKey: string;
+    /**
+     * Which permission cases have to be met on the current item for this field to return a value
+     */
+    whenCase: number[];
+    /**
+     * Permissions rules for the item access of the children of this item.
+     */
+    cases: {
+        [collection: string]: Filter[];
+    };
 };
 export type O2MNode = {
     type: 'o2m';
@@ -34,12 +52,24 @@ export type O2MNode = {
     relation: Relation;
     parentKey: string;
     relatedKey: string;
+    /**
+     * Which permission cases have to be met on the current item for this field to return a value
+     */
+    whenCase: number[];
+    /**
+     * Permissions rules for the item access of the children of this item.
+     */
+    cases: Filter[];
 };
 export type NestedCollectionNode = M2ONode | O2MNode | A2MNode;
 export type FieldNode = {
     type: 'field';
     name: string;
     fieldKey: string;
+    /**
+     * Which permission cases have to be met on the current item for this field to return a value
+     */
+    whenCase: number[];
 };
 export type FunctionFieldNode = {
     type: 'functionField';
@@ -47,10 +77,22 @@ export type FunctionFieldNode = {
     fieldKey: string;
     query: Query;
     relatedCollection: string;
+    /**
+     * Which permission cases have to be met on the current item for this field to return a value
+     */
+    whenCase: number[];
+    /**
+     * Permissions rules for the item access of the related collection of this item.
+     */
+    cases: Filter[];
 };
 export type AST = {
     type: 'root';
     name: string;
     children: (NestedCollectionNode | FieldNode | FunctionFieldNode)[];
     query: Query;
+    /**
+     * Permissions rules for the item access of the children of this item.
+     */
+    cases: Filter[];
 };

package/dist/types/database.d.ts CHANGED Viewed

@@ -1,3 +1,3 @@
-export type Driver = 'mysql' | 'pg' | 'cockroachdb' | 'sqlite3' | 'oracledb' | 'mssql';
+export type Driver = 'mysql2' | 'pg' | 'cockroachdb' | 'sqlite3' | 'oracledb' | 'mssql';
 export declare const DatabaseClients: readonly ["mysql", "postgres", "cockroachdb", "sqlite", "oracle", "mssql", "redshift"];
 export type DatabaseClient = (typeof DatabaseClients)[number];

package/dist/types/items.d.ts CHANGED Viewed

@@ -1,6 +1,7 @@
 import type { DirectusError } from '@directus/errors';
 import type { EventContext, PrimaryKey } from '@directus/types';
 import type { MutationTracker } from '../services/items.js';
+import type { UserIntegrityCheckFlag } from '../utils/validate-user-count-integrity.js';
 export type MutationOptions = {
     /**
      * Callback function that's fired whenever a revision is made in the mutation
@@ -33,6 +34,16 @@ export type MutationOptions = {
     mutationTracker?: MutationTracker | undefined;
     preMutationError?: DirectusError | undefined;
     bypassAutoIncrementSequenceReset?: boolean;
+    /**
+     * Indicate that the top level mutation needs to perform a user integrity check before commiting the transaction
+     * This is a combination of flags
+     * @see UserIntegrityCheckFlag
+     */
+    userIntegrityCheckFlags?: UserIntegrityCheckFlag;
+    /**
+     * Callback function that is called whenever a mutation requires a user integrity check to be made
+     */
+    onRequireUserIntegrityCheck?: ((flags: UserIntegrityCheckFlag) => void) | undefined;
 };
 export type ActionEventParams = {
     event: string | string[];

package/dist/utils/apply-query.d.ts CHANGED Viewed

@@ -2,14 +2,16 @@ import type { Aggregate, Filter, Query, SchemaOverview } from '@directus/types';
 import type { Knex } from 'knex';
 import type { AliasMap } from './get-column-path.js';
 export declare const generateAlias: (size?: number | undefined) => string;
-/**
- * Apply the Query to a given Knex query builder instance
- */
-export default function applyQuery(knex: Knex, collection: string, dbQuery: Knex.QueryBuilder, query: Query, schema: SchemaOverview, options?: {
+type ApplyQueryOptions = {
     aliasMap?: AliasMap;
     isInnerQuery?: boolean;
     hasMultiRelationalSort?: boolean | undefined;
-}): {
+    groupWhenCases?: number[][] | undefined;
+};
+/**
+ * Apply the Query to a given Knex query builder instance
+ */
+export default function applyQuery(knex: Knex, collection: string, dbQuery: Knex.QueryBuilder, query: Query, schema: SchemaOverview, cases: Filter[], options?: ApplyQueryOptions): {
     query: Knex.QueryBuilder<any, any>;
     hasJoins: boolean;
     hasMultiRelationalFilter: boolean;
@@ -32,10 +34,12 @@ export declare function applySort(knex: Knex, schema: SchemaOverview, rootQuery:
 };
 export declare function applyLimit(knex: Knex, rootQuery: Knex.QueryBuilder, limit: any): void;
 export declare function applyOffset(knex: Knex, rootQuery: Knex.QueryBuilder, offset: any): void;
-export declare function applyFilter(knex: Knex, schema: SchemaOverview, rootQuery: Knex.QueryBuilder, rootFilter: Filter, collection: string, aliasMap: AliasMap): {
+export declare function applyFilter(knex: Knex, schema: SchemaOverview, rootQuery: Knex.QueryBuilder, rootFilter: Filter, collection: string, aliasMap: AliasMap, cases: Filter[]): {
     query: Knex.QueryBuilder<any, any>;
     hasJoins: boolean;
     hasMultiRelationalFilter: boolean;
 };
-export declare function applySearch(knex: Knex, schema: SchemaOverview, dbQuery: Knex.QueryBuilder, searchQuery: string, collection: string): Promise<void>;
+export declare function applySearch(knex: Knex, schema: SchemaOverview, dbQuery: Knex.QueryBuilder, searchQuery: string, collection: string): void;
 export declare function applyAggregate(schema: SchemaOverview, dbQuery: Knex.QueryBuilder, aggregate: Aggregate, collection: string, hasJoins: boolean): void;
+export declare function joinFilterWithCases(filter: Filter | null | undefined, cases: Filter[]): Filter | null;
+export {};

package/dist/utils/apply-query.js CHANGED Viewed

@@ -4,6 +4,7 @@ import { getFilterOperatorsForType, getFunctionsForType, getOutputTypeForFunctio
 import { clone, isPlainObject } from 'lodash-es';
 import { customAlphabet } from 'nanoid/non-secure';
 import { getHelpers } from '../database/helpers/index.js';
+import { applyCaseWhen } from '../database/run-ast/utils/apply-case-when.js';
 import { getColumnPath } from './get-column-path.js';
 import { getColumn } from './get-column.js';
 import { getRelationInfo } from './get-relation-info.js';
@@ -14,7 +15,7 @@ export const generateAlias = customAlphabet('abcdefghijklmnopqrstuvwxyz', 5);
 /**
  * Apply the Query to a given Knex query builder instance
  */
-export default function applyQuery(knex, collection, dbQuery, query, schema, options) {
+export default function applyQuery(knex, collection, dbQuery, query, schema, cases, options) {
     const aliasMap = options?.aliasMap ?? Object.create(null);
     let hasJoins = false;
     let hasMultiRelationalFilter = false;
@@ -34,16 +35,50 @@ export default function applyQuery(knex, collection, dbQuery, query, schema, opt
     if (query.search) {
         applySearch(knex, schema, dbQuery, query.search, collection);
     }
-    if (query.group) {
-        dbQuery.groupBy(query.group.map((column) => getColumn(knex, collection, column, false, schema)));
-    }
-    if (query.filter) {
-        const filterResult = applyFilter(knex, schema, dbQuery, query.filter, collection, aliasMap);
+    // `cases` are the permissions cases that are required for the current data set. We're
+    // dynamically adding those into the filters that the user provided to enforce the permission
+    // rules. You should be able to read an item if one or more of the cases matches. The actual case
+    // is reused in the column selection case/when to dynamically return or nullify the field values
+    // you're actually allowed to read
+    const filter = joinFilterWithCases(query.filter, cases);
+    if (filter) {
+        const filterResult = applyFilter(knex, schema, dbQuery, filter, collection, aliasMap, cases);
         if (!hasJoins) {
             hasJoins = filterResult.hasJoins;
         }
         hasMultiRelationalFilter = filterResult.hasMultiRelationalFilter;
     }
+    if (query.group) {
+        const rawColumns = query.group.map((column) => getColumn(knex, collection, column, false, schema));
+        let columns;
+        if (options?.groupWhenCases) {
+            columns = rawColumns.map((column, index) => applyCaseWhen({
+                columnCases: options.groupWhenCases[index].map((caseIndex) => cases[caseIndex]),
+                column,
+                aliasMap,
+                cases,
+                table: collection,
+            }, {
+                knex,
+                schema,
+            }));
+            if (query.sort && query.sort.length === 1 && query.sort[0] === query.group[0]) {
+                // Special case, where the sort query is injected by the group by operation
+                dbQuery.clear('order');
+                let order = 'asc';
+                if (query.sort[0].startsWith('-')) {
+                    order = 'desc';
+                }
+                // @ts-expect-error (orderBy does not accept Knex.Raw for some reason, even though it is handled correctly)
+                // https://github.com/knex/knex/issues/5711
+                dbQuery.orderBy([{ column: columns[0], order }]);
+            }
+        }
+        else {
+            columns = rawColumns;
+        }
+        dbQuery.groupBy(columns);
+    }
     if (query.aggregate) {
         applyAggregate(schema, dbQuery, query.aggregate, collection, hasJoins);
     }
@@ -226,7 +261,7 @@ export function applyOffset(knex, rootQuery, offset) {
         getHelpers(knex).schema.applyOffset(rootQuery, offset);
     }
 }
-export function applyFilter(knex, schema, rootQuery, rootFilter, collection, aliasMap) {
+export function applyFilter(knex, schema, rootQuery, rootFilter, collection, aliasMap, cases) {
     const helpers = getHelpers(knex);
     const relations = schema.relations;
     let hasJoins = false;
@@ -235,12 +270,23 @@ export function applyFilter(knex, schema, rootQuery, rootFilter, collection, ali
     addWhereClauses(knex, rootQuery, rootFilter, collection);
     return { query: rootQuery, hasJoins, hasMultiRelationalFilter };
     function addJoins(dbQuery, filter, collection) {
-        for (const [key, value] of Object.entries(filter)) {
+        // eslint-disable-next-line prefer-const
+        for (let [key, value] of Object.entries(filter)) {
             if (key === '_or' || key === '_and') {
                 // If the _or array contains an empty object (full permissions), we should short-circuit and ignore all other
                 // permission checks, as {} already matches full permissions.
                 if (key === '_or' && value.some((subFilter) => Object.keys(subFilter).length === 0)) {
-                    continue;
+                    // But only do so, if the value is not equal to `cases` (since then this is not permission related at all)
+                    // or the length of value is 1, ie. only the empty filter.
+                    // If the length is more than one it means that some items (and fields) might now be available, so
+                    // the joins are required for the case/when construction.
+                    if (value !== cases || value.length === 1) {
+                        continue;
+                    }
+                    else {
+                        // Otherwise we can at least filter out all empty filters that would not add joins anyway
+                        value = value.filter((subFilter) => Object.keys(subFilter).length > 0);
+                    }
                 }
                 value.forEach((subFilter) => {
                     addJoins(dbQuery, subFilter, collection);
@@ -311,7 +357,7 @@ export function applyFilter(knex, schema, rootQuery, rootFilter, collection, ali
                             .select({ [field]: column })
                             .from(collection)
                             .whereNotNull(column);
-                        applyQuery(knex, relation.collection, subQueryKnex, { filter }, schema);
+                        applyQuery(knex, relation.collection, subQueryKnex, { filter }, schema, cases);
                     };
                     const childKey = Object.keys(value)?.[0];
                     if (childKey === '_none') {
@@ -557,7 +603,7 @@ export function applyFilter(knex, schema, rootQuery, rootFilter, collection, ali
         }
     }
 }
-export async function applySearch(knex, schema, dbQuery, searchQuery, collection) {
+export function applySearch(knex, schema, dbQuery, searchQuery, collection) {
     const { number: numberHelper } = getHelpers(knex);
     const fields = Object.entries(schema.collections[collection].fields);
     dbQuery.andWhere(function () {
@@ -633,6 +679,18 @@ export function applyAggregate(schema, dbQuery, aggregate, collection, hasJoins)
         }
     }
 }
+export function joinFilterWithCases(filter, cases) {
+    if (cases.length > 0 && !filter) {
+        return { _or: cases };
+    }
+    else if (filter && cases.length === 0) {
+        return filter ?? null;
+    }
+    else if (filter && cases.length > 0) {
+        return { _and: [filter, { _or: cases }] };
+    }
+    return null;
+}
 function getFilterPath(key, value) {
     const path = [key];
     const childKey = Object.keys(value)[0];

package/dist/utils/fetch-user-count/fetch-access-lookup.d.ts ADDED Viewed

@@ -0,0 +1,19 @@
+import type { PrimaryKey } from '@directus/types';
+import type { Knex } from 'knex';
+export interface AccessLookup {
+    role: string | null;
+    user: string | null;
+    app_access: boolean | number;
+    admin_access: boolean | number;
+    user_status: 'active' | string;
+    user_role: string | null;
+}
+export interface FetchAccessLookupOptions {
+    excludeAccessRows?: PrimaryKey[];
+    excludePolicies?: PrimaryKey[];
+    excludeUsers?: PrimaryKey[];
+    excludeRoles?: PrimaryKey[];
+    adminOnly?: boolean;
+    knex: Knex;
+}
+export declare function fetchAccessLookup(options: FetchAccessLookupOptions): Promise<AccessLookup[]>;

package/dist/utils/fetch-user-count/fetch-access-lookup.js ADDED Viewed

@@ -0,0 +1,23 @@
+export async function fetchAccessLookup(options) {
+    let query = options.knex
+        .select('directus_access.role', 'directus_access.user', 'directus_policies.app_access', 'directus_policies.admin_access', 'directus_users.status as user_status', 'directus_users.role as user_role')
+        .from('directus_access')
+        .leftJoin('directus_policies', 'directus_access.policy', 'directus_policies.id')
+        .leftJoin('directus_users', 'directus_access.user', 'directus_users.id');
+    if (options.excludeAccessRows && options.excludeAccessRows.length > 0) {
+        query = query.whereNotIn('directus_access.id', options.excludeAccessRows);
+    }
+    if (options.excludePolicies && options.excludePolicies.length > 0) {
+        query = query.whereNotIn('directus_access.policy', options.excludePolicies);
+    }
+    if (options.excludeUsers && options.excludeUsers.length > 0) {
+        query = query.where((q) => q.whereNotIn('directus_access.user', options.excludeUsers).orWhereNull('directus_access.user'));
+    }
+    if (options.excludeRoles && options.excludeRoles.length > 0) {
+        query = query.where((q) => q.whereNotIn('directus_access.role', options.excludeRoles).orWhereNull('directus_access.role'));
+    }
+    if (options.adminOnly) {
+        query = query.where('directus_policies.admin_access', 1);
+    }
+    return query;
+}

package/dist/utils/fetch-user-count/fetch-access-roles.d.ts ADDED Viewed

@@ -0,0 +1,16 @@
+import type { PrimaryKey } from '@directus/types';
+import type { Knex } from 'knex';
+export interface FetchAccessRolesOptions {
+    adminRoles: Set<string>;
+    appRoles: Set<string>;
+    excludeRoles?: PrimaryKey[];
+}
+/**
+ * Return a set of roles that allow app or admin access, if itself or any of its parents do
+ */
+export declare function fetchAccessRoles(options: FetchAccessRolesOptions, context: {
+    knex: Knex;
+}): Promise<{
+    adminRoles: Set<string>;
+    appRoles: Set<string>;
+}>;

package/dist/utils/fetch-user-count/fetch-access-roles.js ADDED Viewed

@@ -0,0 +1,37 @@
+/**
+ * Return a set of roles that allow app or admin access, if itself or any of its parents do
+ */
+export async function fetchAccessRoles(options, context) {
+    // Only fetch the roles that have a parent, as otherwise those roles should already be included in at least one of the input set
+    const allChildRoles = await context.knex
+        .select('id', 'parent')
+        .from('directus_roles')
+        .whereNotNull('parent')
+        .whereNotIn('id', options.excludeRoles ?? []);
+    const adminRoles = new Set(options.adminRoles);
+    const appRoles = new Set(options.appRoles);
+    const remainingRoles = new Set(allChildRoles);
+    let hasChanged = remainingRoles.size > 0;
+    // This loop accounts for the undefined order in which the roles are returned, as there is the possibility
+    // of a role parent not being in the set of roles yet, so we need to iterate over the roles multiple times
+    // until no further roles are added to the sets
+    while (hasChanged) {
+        hasChanged = false;
+        for (const role of remainingRoles) {
+            if (adminRoles.has(role.parent)) {
+                adminRoles.add(role.id);
+                remainingRoles.delete(role);
+                hasChanged = true;
+            }
+            if (appRoles.has(role.parent)) {
+                appRoles.add(role.id);
+                remainingRoles.delete(role);
+                hasChanged = true;
+            }
+        }
+    }
+    return {
+        adminRoles,
+        appRoles,
+    };
+}

package/dist/utils/fetch-user-count/fetch-active-users.d.ts ADDED Viewed

@@ -0,0 +1,6 @@
+import type { Knex } from 'knex';
+export interface ActiveUser {
+    id: string;
+    role: string | null;
+}
+export declare function fetchActiveUsers(knex: Knex): Promise<ActiveUser[]>;

package/dist/utils/fetch-user-count/fetch-active-users.js ADDED Viewed

@@ -0,0 +1,3 @@
+export async function fetchActiveUsers(knex) {
+    return await knex.select('id', 'role').from('directus_users').where('status', 'active');
+}

package/dist/utils/fetch-user-count/fetch-user-count.d.ts ADDED Viewed

@@ -0,0 +1,12 @@
+import { type FetchAccessLookupOptions } from './fetch-access-lookup.js';
+export interface FetchUserCountOptions extends FetchAccessLookupOptions {
+}
+export interface UserCount {
+    admin: number;
+    app: number;
+    api: number;
+}
+/**
+ * Returns counts of all active users in the system grouped by admin, app, and api access
+ */
+export declare function fetchUserCount(options: FetchUserCountOptions): Promise<UserCount>;

package/dist/utils/fetch-user-count/fetch-user-count.js ADDED Viewed

@@ -0,0 +1,64 @@
+import { toBoolean } from '@directus/utils';
+import { fetchAccessLookup } from './fetch-access-lookup.js';
+import { fetchAccessRoles } from './fetch-access-roles.js';
+import { getUserCountQuery } from './get-user-count-query.js';
+/**
+ * Returns counts of all active users in the system grouped by admin, app, and api access
+ */
+export async function fetchUserCount(options) {
+    const accessRows = await fetchAccessLookup(options);
+    const adminRoles = new Set(accessRows.filter((row) => toBoolean(row.admin_access) && row.role !== null).map((row) => row.role));
+    const appRoles = new Set(accessRows
+        .filter((row) => !toBoolean(row.admin_access) && toBoolean(row.app_access) && row.role !== null)
+        .map((row) => row.role));
+    // All users that are directly granted rights through a connected policy
+    const adminUsers = new Set(accessRows
+        .filter((row) => toBoolean(row.admin_access) && row.user !== null && row.user_status === 'active')
+        .map((row) => row.user));
+    // Some roles might be granted access rights through nesting, so determine all roles that grant admin or app access,
+    // including nested roles
+    const { adminRoles: allAdminRoles, appRoles: allAppRoles } = await fetchAccessRoles({
+        adminRoles,
+        appRoles,
+        ...options,
+    }, { knex: options.knex });
+    // All users that are granted admin rights through a role, but not directly
+    const adminCountQuery = getUserCountQuery(options.knex, {
+        includeRoles: Array.from(allAdminRoles),
+        excludeIds: [...adminUsers, ...(options.excludeUsers ?? [])],
+    });
+    if (options.adminOnly) {
+        // Shortcut for only counting admin users
+        const adminResult = await adminCountQuery;
+        return {
+            admin: Number(adminResult?.['count'] ?? 0) + adminUsers.size,
+            app: 0,
+            api: 0,
+        };
+    }
+    const appUsers = new Set(accessRows
+        .filter((row) => !toBoolean(row.admin_access) &&
+        toBoolean(row.app_access) &&
+        row.user !== null &&
+        row.user_status === 'active' &&
+        adminUsers.has(row.user) === false &&
+        adminRoles.has(row.user_role) === false)
+        .map((row) => row.user));
+    // All users that are granted app rights through a role, but not directly, and that aren't admin users
+    const appCountQuery = getUserCountQuery(options.knex, {
+        includeRoles: Array.from(allAppRoles),
+        excludeRoles: Array.from(allAdminRoles),
+        excludeIds: [...appUsers, ...adminUsers, ...(options.excludeUsers ?? [])],
+    });
+    const allCountQuery = getUserCountQuery(options.knex, {
+        excludeIds: options.excludeUsers ?? [],
+    });
+    const [adminResult, appResult, allResult] = await Promise.all([adminCountQuery, appCountQuery, allCountQuery]);
+    const adminCount = Number(adminResult?.['count'] ?? 0) + adminUsers.size;
+    const appCount = Number(appResult?.['count'] ?? 0) + appUsers.size;
+    return {
+        admin: adminCount,
+        app: appCount,
+        api: Math.max(0, Number(allResult?.['count'] ?? 0) - adminCount - appCount),
+    };
+}

package/dist/utils/fetch-user-count/get-user-count-query.d.ts ADDED Viewed

@@ -0,0 +1,20 @@
+import type { PrimaryKey } from '@directus/types';
+import type { Knex } from 'knex';
+export interface GetUserCountOptions {
+    excludeIds?: PrimaryKey[];
+    excludeRoles?: PrimaryKey[];
+    includeRoles?: PrimaryKey[];
+}
+export declare function getUserCountQuery(knex: Knex, options: GetUserCountOptions): Promise<{
+    count: number;
+}> | Knex.QueryBuilder<any, {
+    _base: {};
+    _hasSelection: true;
+    _keys: never;
+    _aliases: {};
+    _single: false;
+    _intersectProps: {
+        count?: string | number;
+    };
+    _unionProps: undefined;
+}>;

package/dist/utils/fetch-user-count/get-user-count-query.js ADDED Viewed

@@ -0,0 +1,17 @@
+export function getUserCountQuery(knex, options) {
+    // Safety check for an empty list of includeRoles, which would otherwise return all users
+    if (options.includeRoles && options.includeRoles.length === 0) {
+        return Promise.resolve({ count: 0 });
+    }
+    let query = knex('directus_users').count({ count: '*' }).as('count').where('status', '=', 'active');
+    if (options.excludeIds && options.excludeIds.length > 0) {
+        query = query.whereNotIn('id', options.excludeIds);
+    }
+    if (options.excludeRoles && options.excludeRoles.length > 0) {
+        query = query.whereNotIn('role', options.excludeRoles);
+    }
+    if (options.includeRoles && options.includeRoles.length > 0) {
+        query = query.whereIn('role', options.includeRoles);
+    }
+    return query.first();
+}

package/dist/utils/get-accountability-for-role.js CHANGED Viewed

@@ -1,40 +1,31 @@
-import { getPermissions } from './get-permissions.js';
+import { fetchRolesTree } from '../permissions/lib/fetch-roles-tree.js';
+import { fetchGlobalAccess } from '../permissions/modules/fetch-global-access/fetch-global-access.js';
+import { createDefaultAccountability } from '../permissions/utils/create-default-accountability.js';
 export async function getAccountabilityForRole(role, context) {
-    let generatedAccountability = context.accountability;
+    let generatedAccountability;
     if (role === null) {
-        generatedAccountability = {
-            role: null,
-            user: null,
-            admin: false,
-            app: false,
-        };
-        generatedAccountability.permissions = await getPermissions(generatedAccountability, context.schema);
+        generatedAccountability = createDefaultAccountability();
     }
     else if (role === 'system') {
-        generatedAccountability = {
-            user: null,
-            role: null,
+        generatedAccountability = createDefaultAccountability({
             admin: true,
             app: true,
-            permissions: [],
-        };
+        });
     }
     else {
-        const roleInfo = await context.database
-            .select(['app_access', 'admin_access'])
-            .from('directus_roles')
-            .where({ id: role })
-            .first();
-        if (!roleInfo) {
+        const roles = await fetchRolesTree(role, context.database);
+        // The roles tree should always include the passed role. If it doesn't, it's because it
+        // couldn't be read from the database and therefore doesn't exist
+        if (roles.length === 0) {
             throw new Error(`Configured role "${role}" isn't a valid role ID or doesn't exist.`);
         }
-        generatedAccountability = {
+        const globalAccess = await fetchGlobalAccess({ user: null, roles, ip: context.accountability?.ip ?? null }, context.database);
+        generatedAccountability = createDefaultAccountability({
             role,
+            roles,
             user: null,
-            admin: roleInfo.admin_access === 1 || roleInfo.admin_access === '1' || roleInfo.admin_access === true,
-            app: roleInfo.app_access === 1 || roleInfo.app_access === '1' || roleInfo.app_access === true,
-        };
-        generatedAccountability.permissions = await getPermissions(generatedAccountability, context.schema);
+            ...globalAccess,
+        });
     }
     return generatedAccountability;
 }