@directus/api 21.0.0 → 22.1.0

package/dist/utils/get-accountability-for-token.js

@@ -1,41 +1,40 @@
 import { InvalidCredentialsError } from '@directus/errors';
 import getDatabase from '../database/index.js';
+import { fetchRolesTree } from '../permissions/lib/fetch-roles-tree.js';
+import { fetchGlobalAccess } from '../permissions/modules/fetch-global-access/fetch-global-access.js';
+import { createDefaultAccountability } from '../permissions/utils/create-default-accountability.js';
 import { getSecret } from './get-secret.js';
 import isDirectusJWT from './is-directus-jwt.js';
-import { verifySessionJWT } from './verify-session-jwt.js';
 import { verifyAccessJWT } from './jwt.js';
+import { verifySessionJWT } from './verify-session-jwt.js';
 export async function getAccountabilityForToken(token, accountability) {
     if (!accountability) {
-        accountability = {
-            user: null,
-            role: null,
-            admin: false,
-            app: false,
-        };
+        accountability = createDefaultAccountability();
     }
+    // Try finding the user with the provided token
+    const database = getDatabase();
     if (token) {
         if (isDirectusJWT(token)) {
             const payload = verifyAccessJWT(token, getSecret());
             if ('session' in payload) {
                 await verifySessionJWT(payload);
             }
-            accountability.role = payload.role;
-            accountability.admin = payload.admin_access === true || payload.admin_access == 1;
-            accountability.app = payload.app_access === true || payload.app_access == 1;
             if (payload.share)
                 accountability.share = payload.share;
             if (payload.share_scope)
                 accountability.share_scope = payload.share_scope;
             if (payload.id)
                 accountability.user = payload.id;
+            accountability.role = payload.role;
+            accountability.roles = await fetchRolesTree(payload.role, database);
+            const { admin, app } = await fetchGlobalAccess(accountability, database);
+            accountability.admin = admin;
+            accountability.app = app;
         }
         else {
-            // Try finding the user with the provided token
-            const database = getDatabase();
             const user = await database
-                .select('directus_users.id', 'directus_users.role', 'directus_roles.admin_access', 'directus_roles.app_access')
+                .select('directus_users.id', 'directus_users.role')
                 .from('directus_users')
-                .leftJoin('directus_roles', 'directus_users.role', 'directus_roles.id')
                 .where({
                 'directus_users.token': token,
                 status: 'active',
@@ -46,8 +45,10 @@ export async function getAccountabilityForToken(token, accountability) {
             }
             accountability.user = user.id;
             accountability.role = user.role;
-            accountability.admin = user.admin_access === true || user.admin_access == 1;
-            accountability.app = user.app_access === true || user.app_access == 1;
+            accountability.roles = await fetchRolesTree(user.role, database);
+            const { admin, app } = await fetchGlobalAccess(accountability, database);
+            accountability.admin = admin;
+            accountability.app = app;
         }
     }
     return accountability;

package/dist/utils/get-address.d.ts

@@ -0,0 +1,5 @@
+/// <reference types="node" resolution-mode="require"/>
+/// <reference types="node/http.js" />
+/// <reference types="pino-http" />
+import * as http from 'http';
+export declare function getAddress(server: http.Server): string | undefined;

package/dist/utils/get-address.js

@@ -0,0 +1,13 @@
+import * as http from 'http';
+export function getAddress(server) {
+    const address = server.address();
+    if (address === null) {
+        // Before the 'listening' event has been emitted or after calling server.close()
+        return;
+    }
+    if (typeof address === 'string') {
+        // unix path
+        return address;
+    }
+    return `${address.address}:${address.port}`;
+}

package/dist/utils/get-cache-key.d.ts

@@ -1,3 +1,3 @@
 /// <reference types="cookie-parser" />
 import type { Request } from 'express';
-export declare function getCacheKey(req: Request): string;
+export declare function getCacheKey(req: Request): Promise<string>;

package/dist/utils/get-cache-key.js

@@ -1,15 +1,26 @@
 import hash from 'object-hash';
 import url from 'url';
+import getDatabase from '../database/index.js';
+import { fetchPoliciesIpAccess } from '../permissions/modules/fetch-policies-ip-access/fetch-policies-ip-access.js';
 import { getGraphqlQueryAndVariables } from './get-graphql-query-and-variables.js';
 import { version } from 'directus/version';
-export function getCacheKey(req) {
+import { ipInNetworks } from './ip-in-networks.js';
+export async function getCacheKey(req) {
     const path = url.parse(req.originalUrl).pathname;
     const isGraphQl = path?.startsWith('/graphql');
+    let includeIp = false;
+    if (req.accountability && req.accountability.ip) {
+        // Check if the IP influences the result of the request, that can be the case if some policies have an ip_access
+        // filter and the request IP matches any of those filters
+        const ipFilters = await fetchPoliciesIpAccess(req.accountability, getDatabase());
+        includeIp = ipFilters.length > 0 && ipFilters.some((networks) => ipInNetworks(req.accountability.ip, networks));
+    }
     const info = {
         version,
         user: req.accountability?.user || null,
         path,
         query: isGraphQl ? getGraphqlQueryAndVariables(req) : req.sanitizedQuery,
+        ...(includeIp && { ip: req.accountability.ip }),
     };
     const key = hash(info);
     return key;

package/dist/utils/get-column.d.ts

@@ -1,7 +1,8 @@
-import type { Query, SchemaOverview } from '@directus/types';
+import type { Filter, Query, SchemaOverview } from '@directus/types';
 import type { Knex } from 'knex';
 type GetColumnOptions = {
     query?: Query | undefined;
+    cases?: Filter[];
     originalCollectionName?: string | undefined;
 };
 /**

package/dist/utils/get-column.js

@@ -30,6 +30,7 @@ export function getColumn(knex, table, column, alias = applyFunctionToColumnName
             const result = fn[functionName](table, columnName, {
                 type,
                 query: options?.query,
+                cases: options?.cases,
                 originalCollectionName: options?.originalCollectionName,
             });
             if (alias) {

package/dist/utils/get-service.js

@@ -1,11 +1,13 @@
 import { ForbiddenError } from '@directus/errors';
-import { ActivityService, DashboardsService, FilesService, FlowsService, FoldersService, ItemsService, NotificationsService, OperationsService, PanelsService, PermissionsService, PresetsService, RevisionsService, RolesService, SettingsService, SharesService, TranslationsService, UsersService, VersionsService, WebhooksService, } from '../services/index.js';
+import { AccessService, ActivityService, DashboardsService, FilesService, FlowsService, FoldersService, ItemsService, NotificationsService, OperationsService, PanelsService, PermissionsService, PoliciesService, PresetsService, RevisionsService, RolesService, SettingsService, SharesService, TranslationsService, UsersService, VersionsService, WebhooksService, } from '../services/index.js';
 /**
  * Select the correct service for the given collection. This allows the individual services to run
  * their custom checks (f.e. it allows `UsersService` to prevent updating TFA secret from outside).
  */
 export function getService(collection, opts) {
     switch (collection) {
+        case 'directus_access':
+            return new AccessService(opts);
         case 'directus_activity':
             return new ActivityService(opts);
         case 'directus_dashboards':
@@ -26,6 +28,8 @@ export function getService(collection, opts) {
             return new PermissionsService(opts);
         case 'directus_presets':
             return new PresetsService(opts);
+        case 'directus_policies':
+            return new PoliciesService(opts);
         case 'directus_revisions':
             return new RevisionsService(opts);
         case 'directus_roles':

package/dist/utils/reduce-schema.d.ts

@@ -1,9 +1,7 @@
-import type { Permission, PermissionsAction, SchemaOverview } from '@directus/types';
+import type { SchemaOverview } from '@directus/types';
+import type { FieldMap } from '../permissions/modules/fetch-allowed-field-map/fetch-allowed-field-map.js';
 /**
  * Reduces the schema based on the included permissions. The resulting object is the schema structure, but with only
- * the allowed collections/fields/relations included based on the permissions.
- * @param schema The full project schema
- * @param actions Array of permissions actions (crud)
- * @returns Reduced schema
+ * the allowed collections/fields/relations included based on the passed field map.
  */
-export declare function reduceSchema(schema: SchemaOverview, permissions: Permission[] | null, actions?: PermissionsAction[]): SchemaOverview;
+export declare function reduceSchema(schema: SchemaOverview, fieldMap: FieldMap): SchemaOverview;

package/dist/utils/reduce-schema.js

@@ -1,40 +1,24 @@
-import { uniq } from 'lodash-es';
 /**
  * Reduces the schema based on the included permissions. The resulting object is the schema structure, but with only
- * the allowed collections/fields/relations included based on the permissions.
- * @param schema The full project schema
- * @param actions Array of permissions actions (crud)
- * @returns Reduced schema
+ * the allowed collections/fields/relations included based on the passed field map.
  */
-export function reduceSchema(schema, permissions, actions = ['create', 'read', 'update', 'delete']) {
+export function reduceSchema(schema, fieldMap) {
     const reduced = {
         collections: {},
         relations: [],
     };
-    const allowedFieldsInCollection = permissions
-        ?.filter((permission) => actions.includes(permission.action))
-        .reduce((acc, permission) => {
-        if (!acc[permission.collection]) {
-            acc[permission.collection] = [];
-        }
-        if (permission.fields) {
-            acc[permission.collection] = uniq([...acc[permission.collection], ...permission.fields]);
-        }
-        return acc;
-    }, {}) ?? {};
     for (const [collectionName, collection] of Object.entries(schema.collections)) {
-        if (!permissions?.some((permission) => permission.collection === collectionName && actions.includes(permission.action))) {
+        if (!fieldMap[collectionName]) {
+            // Collection is not allowed at all
             continue;
         }
         const fields = {};
         for (const [fieldName, field] of Object.entries(schema.collections[collectionName].fields)) {
-            if (!allowedFieldsInCollection[collectionName]?.includes('*') &&
-                !allowedFieldsInCollection[collectionName]?.includes(fieldName)) {
+            if (!fieldMap[collectionName]?.includes('*') && !fieldMap[collectionName]?.includes(fieldName)) {
                 continue;
             }
             const o2mRelation = schema.relations.find((relation) => relation.related_collection === collectionName && relation.meta?.one_field === fieldName);
-            if (o2mRelation &&
-                !permissions?.some((permission) => permission.collection === o2mRelation.collection && actions.includes(permission.action))) {
+            if (o2mRelation && !fieldMap[collectionName]) {
                 continue;
             }
             fields[fieldName] = field;
@@ -47,29 +31,29 @@ export function reduceSchema(schema, permissions, actions = ['create', 'read', '
     reduced.relations = schema.relations.filter((relation) => {
         let collectionsAllowed = true;
         let fieldsAllowed = true;
-        if (Object.keys(allowedFieldsInCollection).includes(relation.collection) === false) {
+        if (Object.keys(fieldMap).includes(relation.collection) === false) {
             collectionsAllowed = false;
         }
         if (relation.related_collection &&
-            (Object.keys(allowedFieldsInCollection).includes(relation.related_collection) === false ||
+            (Object.keys(fieldMap).includes(relation.related_collection) === false ||
                 // Ignore legacy permissions with an empty fields array
-                allowedFieldsInCollection[relation.related_collection]?.length === 0)) {
+                fieldMap[relation.related_collection]?.length === 0)) {
             collectionsAllowed = false;
         }
         if (relation.meta?.one_allowed_collections &&
-            relation.meta.one_allowed_collections.every((collection) => Object.keys(allowedFieldsInCollection).includes(collection)) === false) {
+            relation.meta.one_allowed_collections.every((collection) => Object.keys(fieldMap).includes(collection)) === false) {
             collectionsAllowed = false;
         }
-        if (!allowedFieldsInCollection[relation.collection] ||
-            (allowedFieldsInCollection[relation.collection]?.includes('*') === false &&
-                allowedFieldsInCollection[relation.collection]?.includes(relation.field) === false)) {
+        if (!fieldMap[relation.collection] ||
+            (fieldMap[relation.collection]?.includes('*') === false &&
+                fieldMap[relation.collection]?.includes(relation.field) === false)) {
             fieldsAllowed = false;
         }
         if (relation.related_collection &&
             relation.meta?.one_field &&
-            (!allowedFieldsInCollection[relation.related_collection] ||
-                (allowedFieldsInCollection[relation.related_collection]?.includes('*') === false &&
-                    allowedFieldsInCollection[relation.related_collection]?.includes(relation.meta?.one_field) === false))) {
+            (!fieldMap[relation.related_collection] ||
+                (fieldMap[relation.related_collection]?.includes('*') === false &&
+                    fieldMap[relation.related_collection]?.includes(relation.meta?.one_field) === false))) {
             fieldsAllowed = false;
         }
         return collectionsAllowed && fieldsAllowed;

package/dist/utils/sanitize-schema.d.ts

@@ -16,7 +16,7 @@ export declare function sanitizeCollection(collection: Collection | undefined):
  * @returns sanitized field
  */
 export declare function sanitizeField(field: Field | undefined, sanitizeAllSchema?: boolean): Partial<Field> | undefined;
-export declare function sanitizeColumn(column: Column): Pick<Column, "name" | "table" | "numeric_precision" | "numeric_scale" | "data_type" | "default_value" | "max_length" | "is_nullable" | "is_unique" | "is_primary_key" | "is_generated" | "generation_expression" | "has_auto_increment" | "foreign_key_table" | "foreign_key_column">;
+export declare function sanitizeColumn(column: Column): Pick<Column, "table" | "name" | "numeric_precision" | "numeric_scale" | "data_type" | "default_value" | "max_length" | "is_nullable" | "is_unique" | "is_primary_key" | "is_generated" | "generation_expression" | "has_auto_increment" | "foreign_key_table" | "foreign_key_column">;
 /**
  * Pick certain database vendor specific relation properties that should be compared when performing diff
  *

package/dist/utils/transaction.js

@@ -1,3 +1,4 @@
+import { isObject } from '@directus/utils';
 import {} from 'knex';
 import { getDatabaseClient } from '../database/index.js';
 import { useLogger } from '../logger/index.js';
@@ -18,16 +19,7 @@ export const transaction = async (knex, handler) => {
         }
         catch (error) {
             const client = getDatabaseClient(knex);
-            /**
-             * This error code indicates that the transaction failed due to another
-             * concurrent or recent transaction attempting to write to the same data.
-             * This can usually be solved by restarting the transaction on client-side
-             * after a short delay, so that it is executed against the latest state.
-             *
-             * @link https://www.cockroachlabs.com/docs/stable/transaction-retry-error-reference
-             */
-            const COCKROACH_RETRY_ERROR_CODE = '40001';
-            if (client !== 'cockroachdb' || error?.code !== COCKROACH_RETRY_ERROR_CODE)
+            if (!shouldRetryTransaction(client, error))
                 throw error;
             const MAX_ATTEMPTS = 3;
             const BASE_DELAY = 100;
@@ -40,7 +32,7 @@ export const transaction = async (knex, handler) => {
                     return await knex.transaction((trx) => handler(trx));
                 }
                 catch (error) {
-                    if (error?.code !== COCKROACH_RETRY_ERROR_CODE)
+                    if (!shouldRetryTransaction(client, error))
                         throw error;
                 }
             }
@@ -50,3 +42,28 @@ export const transaction = async (knex, handler) => {
         }
     }
 };
+function shouldRetryTransaction(client, error) {
+    /**
+     * This error code indicates that the transaction failed due to another
+     * concurrent or recent transaction attempting to write to the same data.
+     * This can usually be solved by restarting the transaction on client-side
+     * after a short delay, so that it is executed against the latest state.
+     *
+     * @link https://www.cockroachlabs.com/docs/stable/transaction-retry-error-reference
+     */
+    const COCKROACH_RETRY_ERROR_CODE = '40001';
+    /**
+     * SQLITE_BUSY is an error code returned by SQLite when an operation can't be
+     * performed due to a locked database file. This often arises due to multiple
+     * processes trying to simultaneously access the database, causing potential
+     * data inconsistencies. There are a few mechanisms to handle this case,
+     * one of which is to retry the complete transaction again
+     * on client-side after a short delay.
+     *
+     * @link https://www.sqlite.org/rescode.html#busy
+     */
+    const SQLITE_BUSY_ERROR_CODE = 'SQLITE_BUSY';
+    return (isObject(error) &&
+        ((client === 'cockroachdb' && error['code'] === COCKROACH_RETRY_ERROR_CODE) ||
+            (client === 'sqlite' && error['code'] === SQLITE_BUSY_ERROR_CODE)));
+}

package/dist/utils/validate-user-count-integrity.d.ts

@@ -0,0 +1,13 @@
+import { type FetchUserCountOptions } from './fetch-user-count/fetch-user-count.js';
+export declare enum UserIntegrityCheckFlag {
+    None = 0,
+    /** Check if the number of remaining admin users is greater than 0 */
+    RemainingAdmins = 1,
+    /** Check if the number of users is within the limits */
+    UserLimits = 2,
+    All = 3
+}
+export interface ValidateUserCountIntegrityOptions extends Omit<FetchUserCountOptions, 'adminOnly'> {
+    flags: UserIntegrityCheckFlag;
+}
+export declare function validateUserCountIntegrity(options: ValidateUserCountIntegrityOptions): Promise<void>;

package/dist/utils/validate-user-count-integrity.js

@@ -0,0 +1,29 @@
+import { validateRemainingAdminCount } from '../permissions/modules/validate-remaining-admin/validate-remaining-admin-count.js';
+import { checkUserLimits } from '../telemetry/utils/check-user-limits.js';
+import { shouldCheckUserLimits } from '../telemetry/utils/should-check-user-limits.js';
+import { fetchUserCount } from './fetch-user-count/fetch-user-count.js';
+export var UserIntegrityCheckFlag;
+(function (UserIntegrityCheckFlag) {
+    UserIntegrityCheckFlag[UserIntegrityCheckFlag["None"] = 0] = "None";
+    /** Check if the number of remaining admin users is greater than 0 */
+    UserIntegrityCheckFlag[UserIntegrityCheckFlag["RemainingAdmins"] = 1] = "RemainingAdmins";
+    /** Check if the number of users is within the limits */
+    UserIntegrityCheckFlag[UserIntegrityCheckFlag["UserLimits"] = 2] = "UserLimits";
+    UserIntegrityCheckFlag[UserIntegrityCheckFlag["All"] = 3] = "All";
+})(UserIntegrityCheckFlag || (UserIntegrityCheckFlag = {}));
+export async function validateUserCountIntegrity(options) {
+    const validateUserLimits = (options.flags & UserIntegrityCheckFlag.UserLimits) !== 0;
+    const validateRemainingAdminUsers = (options.flags & UserIntegrityCheckFlag.RemainingAdmins) !== 0;
+    const limitCheck = validateUserLimits && shouldCheckUserLimits();
+    if (!validateRemainingAdminUsers && !limitCheck) {
+        return;
+    }
+    const adminOnly = validateRemainingAdminUsers && !limitCheck;
+    const userCounts = await fetchUserCount({ ...options, adminOnly });
+    if (limitCheck) {
+        await checkUserLimits(userCounts);
+    }
+    if (validateRemainingAdminUsers) {
+        validateRemainingAdminCount(userCounts.admin);
+    }
+}

package/dist/websocket/authenticate.d.ts

@@ -1,6 +1,4 @@
-import type { Accountability } from '@directus/types';
 import type { BasicAuthMessage } from './messages.js';
 import type { AuthenticationState } from './types.js';
 export declare function authenticateConnection(message: BasicAuthMessage & Record<string, any>): Promise<AuthenticationState>;
-export declare function refreshAccountability(accountability: Accountability | null | undefined): Promise<Accountability>;
 export declare function authenticationSuccess(uid?: string | number, refresh_token?: string): string;

package/dist/websocket/authenticate.js

@@ -1,7 +1,6 @@
 import { DEFAULT_AUTH_PROVIDER } from '../constants.js';
 import { AuthenticationService } from '../services/index.js';
 import { getAccountabilityForToken } from '../utils/get-accountability-for-token.js';
-import { getPermissions } from '../utils/get-permissions.js';
 import { getSchema } from '../utils/get-schema.js';
 import { WebSocketError } from './errors.js';
 import { getExpiresAtForToken } from './utils/get-expires-at-for-token.js';
@@ -33,17 +32,6 @@ export async function authenticateConnection(message) {
         throw new WebSocketError('auth', 'AUTH_FAILED', 'Authentication failed.', message['uid']);
     }
 }
-export async function refreshAccountability(accountability) {
-    accountability = accountability ?? {
-        role: null,
-        user: null,
-        admin: false,
-        app: false,
-    };
-    const schema = await getSchema();
-    const permissions = await getPermissions(accountability, schema);
-    return { ...accountability, permissions };
-}
 export function authenticationSuccess(uid, refresh_token) {
     const message = {
         type: 'auth',

package/dist/websocket/controllers/graphql.js

@@ -1,10 +1,10 @@
-import { useEnv } from '@directus/env';
 import { CloseCode, MessageType, makeServer } from 'graphql-ws';
 import { useLogger } from '../../logger/index.js';
 import { bindPubSub } from '../../services/graphql/subscription.js';
 import { GraphQLService } from '../../services/index.js';
 import { getSchema } from '../../utils/get-schema.js';
-import { authenticateConnection, refreshAccountability } from '../authenticate.js';
+import { getAddress } from '../../utils/get-address.js';
+import { authenticateConnection } from '../authenticate.js';
 import { handleWebSocketError } from '../errors.js';
 import { ConnectionParams, WebSocketMessage } from '../messages.js';
 import { getMessageType } from '../utils/message.js';
@@ -14,7 +14,6 @@ export class GraphQLSubscriptionController extends SocketController {
     gql;
     constructor(httpServer) {
         super(httpServer, 'WEBSOCKETS_GRAPHQL');
-        const env = useEnv();
         this.server.on('connection', (ws, auth) => {
             this.bindEvents(this.createClient(ws, auth));
         });
@@ -31,7 +30,7 @@ export class GraphQLSubscriptionController extends SocketController {
             },
         });
         bindPubSub();
-        logger.info(`GraphQL Subscriptions started at ws://${env['HOST']}:${env['PORT']}${this.endpoint}`);
+        logger.info(`GraphQL Subscriptions started at ws://${getAddress(httpServer)}${this.endpoint}`);
     }
     bindEvents(client) {
         const closedHandler = this.gql.opened({
@@ -64,9 +63,6 @@ export class GraphQLSubscriptionController extends SocketController {
                             client.close(CloseCode.Forbidden, 'Forbidden');
                             return;
                         }
-                        else {
-                            client.accountability = await refreshAccountability(client.accountability);
-                        }
                         await cb(JSON.stringify(message));
                     }
                     catch (error) {

package/dist/websocket/controllers/hooks.js

@@ -7,19 +7,23 @@ export function registerWebSocketEvents() {
     actionsRegistered = true;
     registerActionHooks([
         'items',
+        'access',
         'activity',
         'collections',
         'dashboards',
+        'flows',
         'folders',
         'notifications',
         'operations',
         'panels',
         'permissions',
+        'policies',
         'presets',
         'revisions',
         'roles',
         'settings',
         'shares',
+        'translations',
         'users',
         'versions',
         'webhooks',

package/dist/websocket/controllers/rest.js

@@ -1,8 +1,7 @@
-import { useEnv } from '@directus/env';
 import { parseJSON } from '@directus/utils';
 import emitter from '../../emitter.js';
 import { useLogger } from '../../logger/index.js';
-import { refreshAccountability } from '../authenticate.js';
+import { getAddress } from '../../utils/get-address.js';
 import { WebSocketError, handleWebSocketError } from '../errors.js';
 import { WebSocketMessage } from '../messages.js';
 import SocketController from './base.js';
@@ -10,17 +9,15 @@ const logger = useLogger();
 export class WebSocketController extends SocketController {
     constructor(httpServer) {
         super(httpServer, 'WEBSOCKETS_REST');
-        const env = useEnv();
         this.server.on('connection', (ws, auth) => {
             this.bindEvents(this.createClient(ws, auth));
         });
-        logger.info(`WebSocket Server started at ws://${env['HOST']}:${env['PORT']}${this.endpoint}`);
+        logger.info(`WebSocket Server started at ws://${getAddress(httpServer)}${this.endpoint}`);
     }
     bindEvents(client) {
         client.on('parsed-message', async (message) => {
             try {
                 message = WebSocketMessage.parse(await emitter.emitFilter('websocket.message', message, { client }));
-                client.accountability = await refreshAccountability(client.accountability);
                 emitter.emitAction('websocket.message', { message, client });
             }
             catch (error) {

package/dist/websocket/handlers/subscribe.js

@@ -4,7 +4,6 @@ import { useBus } from '../../bus/index.js';
 import emitter from '../../emitter.js';
 import { getSchema } from '../../utils/get-schema.js';
 import { sanitizeQuery } from '../../utils/sanitize-query.js';
-import { refreshAccountability } from '../authenticate.js';
 import { WebSocketError, handleWebSocketError } from '../errors.js';
 import { WebSocketSubscribeMessage } from '../messages.js';
 import { getPayload } from '../utils/items.js';
@@ -112,7 +111,6 @@ export class SubscribeHandler {
                     continue;
             }
             try {
-                client.accountability = await refreshAccountability(client.accountability);
                 const result = await getPayload(subscription, client.accountability, schema, event);
                 if (Array.isArray(result?.['data']) && result?.['data']?.length === 0)
                     continue;

package/dist/websocket/utils/items.d.ts

@@ -39,5 +39,5 @@ export declare function getFieldsPayload(subscription: PSubscription, accountabi
  * @param event Event data
  * @returns the fetched data
  */
-export declare function getItemsPayload(subscription: PSubscription, accountability: Accountability | null, schema: SchemaOverview, event?: WebSocketEvent): Promise<string | number | import("@directus/types").Item | (string | number)[] | import("@directus/types").Item[]>;
+export declare function getItemsPayload(subscription: PSubscription, accountability: Accountability | null, schema: SchemaOverview, event?: WebSocketEvent): Promise<string | number | (string | number)[] | import("@directus/types").Item | import("@directus/types").Item[]>;
 export {};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@directus/api",
-  "version": "21.0.0",
+  "version": "22.1.0",
   "description": "Directus is a real-time API and App dashboard for managing SQL database content",
   "keywords": [
     "directus",
@@ -148,30 +148,30 @@
     "wellknown": "0.5.0",
     "ws": "8.18.0",
     "zod": "3.23.8",
-    "zod-validation-error": "3.3.0",
-    "@directus/app": "12.2.2",
-    "@directus/errors": "0.4.0",
-    "@directus/constants": "11.0.4",
-    "@directus/env": "1.3.1",
-    "@directus/extensions": "1.0.10",
-    "@directus/extensions-registry": "1.0.10",
-    "@directus/extensions-sdk": "11.0.10",
-    "@directus/format-title": "10.1.2",
-    "@directus/memory": "1.0.11",
-    "@directus/pressure": "1.0.22",
-    "@directus/schema": "11.0.4",
-    "@directus/specs": "10.2.11",
-    "@directus/storage": "10.1.0",
-    "@directus/storage-driver-cloudinary": "10.0.24",
-    "@directus/storage-driver-azure": "10.0.24",
-    "@directus/storage-driver-gcs": "10.0.25",
-    "@directus/storage-driver-local": "10.1.0",
-    "@directus/storage-driver-supabase": "1.0.16",
-    "@directus/storage-driver-s3": "10.1.1",
-    "@directus/utils": "11.0.11",
-    "@directus/validation": "0.0.19",
-    "@directus/system-data": "1.1.1",
-    "directus": "10.13.2"
+    "zod-validation-error": "3.3.1",
+    "@directus/app": "13.0.1",
+    "@directus/constants": "12.0.0",
+    "@directus/env": "3.0.0",
+    "@directus/errors": "1.0.0",
+    "@directus/extensions": "2.0.0",
+    "@directus/extensions-registry": "2.0.0",
+    "@directus/format-title": "11.0.0",
+    "@directus/memory": "2.0.0",
+    "@directus/pressure": "2.0.0",
+    "@directus/schema": "12.0.0",
+    "@directus/extensions-sdk": "12.0.0",
+    "@directus/specs": "11.0.0",
+    "@directus/storage-driver-azure": "11.0.0",
+    "@directus/storage": "11.0.0",
+    "@directus/storage-driver-cloudinary": "11.0.0",
+    "@directus/storage-driver-gcs": "11.0.0",
+    "@directus/storage-driver-local": "11.0.0",
+    "@directus/storage-driver-supabase": "2.0.0",
+    "@directus/system-data": "2.0.0",
+    "@directus/storage-driver-s3": "11.0.0",
+    "@directus/validation": "1.0.0",
+    "directus": "11.0.1",
+    "@directus/utils": "12.0.0"
   },
   "devDependencies": {
     "@ngneat/falso": "7.2.0",
@@ -212,13 +212,13 @@
     "knex-mock-client": "2.0.1",
     "typescript": "5.4.5",
     "vitest": "1.5.3",
-    "@directus/tsconfig": "1.0.1",
-    "@directus/random": "0.2.8",
-    "@directus/types": "11.2.1"
+    "@directus/random": "1.0.0",
+    "@directus/tsconfig": "2.0.0",
+    "@directus/types": "12.0.0"
   },
   "optionalDependencies": {
     "@keyv/redis": "2.8.5",
-    "mysql": "2.18.1",
+    "mysql2": "3.10.0",
     "nodemailer-mailgun-transport": "2.1.5",
     "nodemailer-sendgrid": "1.0.3",
     "oracledb": "6.5.1",
@@ -233,6 +233,7 @@
     "build": "tsc --project tsconfig.prod.json && copyfiles \"src/**/*.{yaml,liquid}\" -u 1 dist",
     "cli": "NODE_ENV=development SERVE_APP=false tsx src/cli/run.ts",
     "dev": "NODE_ENV=development SERVE_APP=true tsx watch --ignore extensions --clear-screen=false src/start.ts",
-    "test": "vitest --watch=false"
+    "test": "vitest run",
+    "test:watch": "vitest"
   }
 }