npm - @directus/api - Versions diffs - 21.0.0 → 22.1.0 - Mend

@directus/api 21.0.0 → 22.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (299) hide show

package/dist/middleware/cache.js CHANGED Viewed

@@ -20,7 +20,7 @@ const checkCacheMiddleware = asyncHandler(async (req, res, next) => {
             res.setHeader(`${env['CACHE_STATUS_HEADER']}`, 'MISS');
         return next();
     }
-    const key = getCacheKey(req);
+    const key = await getCacheKey(req);
     let cachedData;
     try {
         cachedData = await getCacheValue(cache, key);

package/dist/middleware/respond.js CHANGED Viewed

@@ -25,7 +25,7 @@ export const respond = asyncHandler(async (req, res) => {
         !req.sanitizedQuery.export &&
         res.locals['cache'] !== false &&
         exceedsMaxSize === false) {
-        const key = getCacheKey(req);
+        const key = await getCacheKey(req);
         try {
             await setCacheValue(cache, key, res.locals['payload'], getMilliseconds(env['CACHE_TTL']));
             await setCacheValue(cache, `${key}__expires_at`, { exp: Date.now() + getMilliseconds(env['CACHE_TTL'], 0) });

package/dist/permissions/cache.d.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ export declare const useCache: () => import("@directus/memory").Cache;
2	+ export declare function clearCache(): Promise<void>;

package/dist/permissions/cache.js ADDED Viewed

@@ -0,0 +1,23 @@
+import { defineCache } from '@directus/memory';
+import { redisConfigAvailable, useRedis } from '../redis/index.js';
+const localOnly = redisConfigAvailable() === false;
+const config = localOnly
+    ? {
+        type: 'local',
+        maxKeys: 500,
+    }
+    : {
+        type: 'multi',
+        redis: {
+            namespace: 'permissions',
+            redis: useRedis(),
+        },
+        local: {
+            maxKeys: 100,
+        },
+    };
+export const useCache = defineCache(config);
+export function clearCache() {
+    const cache = useCache();
+    return cache.clear();
+}

package/dist/permissions/lib/fetch-permissions.d.ts ADDED Viewed

@@ -0,0 +1,11 @@
+import type { Accountability, Permission, PermissionsAction } from '@directus/types';
+import type { Context } from '../types.js';
+export declare const fetchPermissions: typeof _fetchPermissions;
+export interface FetchPermissionsOptions {
+    action?: PermissionsAction;
+    policies: string[];
+    collections?: string[];
+    accountability?: Pick<Accountability, 'user' | 'role' | 'roles' | 'app'>;
+    bypassDynamicVariableProcessing?: boolean;
+}
+export declare function _fetchPermissions(options: FetchPermissionsOptions, context: Context): Promise<Permission[]>;

package/dist/permissions/lib/fetch-permissions.js ADDED Viewed

@@ -0,0 +1,56 @@
+import { pick, sortBy } from 'lodash-es';
+import { fetchDynamicVariableContext } from '../utils/fetch-dynamic-variable-context.js';
+import { processPermissions } from '../utils/process-permissions.js';
+import { withCache } from '../utils/with-cache.js';
+import { withAppMinimalPermissions } from './with-app-minimal-permissions.js';
+export const fetchPermissions = withCache('permissions', _fetchPermissions, ({ action, policies, collections, accountability, bypassDynamicVariableProcessing }) => ({
+    policies, // we assume that policies always come from the same source, so they should be in the same order
+    ...(action && { action }),
+    ...(collections && { collections: sortBy(collections) }),
+    ...(accountability && { accountability: pick(accountability, ['user', 'role', 'roles', 'app']) }),
+    ...(bypassDynamicVariableProcessing && { bypassDynamicVariableProcessing }),
+}));
+export async function _fetchPermissions(options, context) {
+    const { PermissionsService } = await import('../../services/permissions.js');
+    const permissionsService = new PermissionsService(context);
+    const filter = {
+        _and: [{ policy: { _in: options.policies } }],
+    };
+    if (options.action) {
+        filter._and.push({ action: { _eq: options.action } });
+    }
+    if (options.collections) {
+        filter._and.push({ collection: { _in: options.collections } });
+    }
+    let permissions = (await permissionsService.readByQuery({
+        filter,
+        limit: -1,
+    }));
+    // Sort permissions by their order in the policies array
+    // This ensures that if a sorted array of policies is passed in the permissions are returned in the same order
+    // which is necessary for correctly applying the presets in order
+    permissions = sortBy(permissions, (permission) => options.policies.indexOf(permission.policy));
+    if (options.accountability && !options.bypassDynamicVariableProcessing) {
+        // Add app minimal permissions for the request accountability, if applicable.
+        // Normally this is done in the permissions service readByQuery, but it also needs to do it here
+        // since the permissions service is created without accountability.
+        // We call it without the policies filter, since the static minimal app permissions don't have a policy attached.
+        const permissionsWithAppPermissions = withAppMinimalPermissions(options.accountability ?? null, permissions, {
+            _and: filter._and.slice(1),
+        });
+        const permissionsContext = await fetchDynamicVariableContext({
+            accountability: options.accountability,
+            policies: options.policies,
+            permissions: permissionsWithAppPermissions,
+        }, context);
+        // Replace dynamic variables with their actual values
+        const processedPermissions = processPermissions({
+            permissions: permissionsWithAppPermissions,
+            accountability: options.accountability,
+            permissionsContext,
+        });
+        // TODO merge in permissions coming from the share scope
+        return processedPermissions;
+    }
+    return permissions;
+}

package/dist/permissions/lib/fetch-policies.d.ts ADDED Viewed

@@ -0,0 +1,14 @@
+import type { Accountability } from '@directus/types';
+import type { Context } from '../types.js';
+export interface AccessRow {
+    policy: {
+        id: string;
+        ip_access: string[] | null;
+    };
+    role: string | null;
+}
+export declare const fetchPolicies: typeof _fetchPolicies;
+/**
+ * Fetch the policies associated with the current user accountability
+ */
+export declare function _fetchPolicies({ roles, user, ip }: Pick<Accountability, 'user' | 'roles' | 'ip'>, context: Context): Promise<string[]>;

package/dist/permissions/lib/fetch-policies.js ADDED Viewed

@@ -0,0 +1,43 @@
+import { filterPoliciesByIp } from '../utils/filter-policies-by-ip.js';
+import { withCache } from '../utils/with-cache.js';
+export const fetchPolicies = withCache('policies', _fetchPolicies, ({ roles, user, ip }) => ({ roles, user, ip }));
+/**
+ * Fetch the policies associated with the current user accountability
+ */
+export async function _fetchPolicies({ roles, user, ip }, context) {
+    const { AccessService } = await import('../../services/access.js');
+    const accessService = new AccessService(context);
+    let roleFilter;
+    if (roles.length === 0) {
+        // Users without role assumes the Public role permissions along with their attached policies
+        roleFilter = { _and: [{ role: { _null: true } }, { user: { _null: true } }] };
+    }
+    else {
+        roleFilter = { role: { _in: roles } };
+    }
+    // If the user is not null, we also want to include the policies attached to the user
+    const filter = user ? { _or: [{ user: { _eq: user } }, roleFilter] } : roleFilter;
+    const accessRows = (await accessService.readByQuery({
+        filter,
+        fields: ['policy.id', 'policy.ip_access', 'role'],
+        limit: -1,
+    }));
+    const filteredAccessRows = filterPoliciesByIp(accessRows, ip);
+    /*
+     * Sort rows by priority (goes bottom up):
+     * - Parent role policies
+     * - Child role policies
+     * - User policies
+     */
+    filteredAccessRows.sort((a, b) => {
+        if (!a.role && !b.role)
+            return 0;
+        if (!a.role)
+            return 1;
+        if (!b.role)
+            return -1;
+        return roles.indexOf(a.role) - roles.indexOf(b.role);
+    });
+    const ids = filteredAccessRows.map(({ policy }) => policy.id);
+    return ids;
+}

package/dist/permissions/lib/fetch-roles-tree.d.ts ADDED Viewed

@@ -0,0 +1,3 @@
+import type { Knex } from 'knex';
+export declare const fetchRolesTree: typeof _fetchRolesTree;
+export declare function _fetchRolesTree(start: string | null, knex: Knex): Promise<string[]>;

package/dist/permissions/lib/fetch-roles-tree.js ADDED Viewed

@@ -0,0 +1,28 @@
+import { withCache } from '../utils/with-cache.js';
+export const fetchRolesTree = withCache('roles-tree', _fetchRolesTree);
+export async function _fetchRolesTree(start, knex) {
+    if (!start)
+        return [];
+    let parent = start;
+    const roles = [];
+    while (parent) {
+        const role = await knex
+            .select('id', 'parent')
+            .from('directus_roles')
+            .where({ id: parent })
+            .first();
+        if (!role) {
+            break;
+        }
+        roles.push(role.id);
+        // Prevent infinite recursion loops
+        if (role.parent && roles.includes(role.parent) === true) {
+            roles.reverse();
+            const rolesStr = roles.map((role) => `"${role}"`).join('->');
+            throw new Error(`Recursion encountered: role "${role.id}" already exists in tree path ${rolesStr}`);
+        }
+        parent = role.parent;
+    }
+    roles.reverse();
+    return roles;
+}

package/dist/{services/permissions → permissions}/lib/with-app-minimal-permissions.d.ts RENAMED Viewed

@@ -1,2 +1,2 @@
 import type { Accountability, Permission, Query } from '@directus/types';
-export declare function withAppMinimalPermissions(accountability: Accountability | null, permissions: Permission[], filter: Query['filter']): Permission[];
+export declare function withAppMinimalPermissions(accountability: Pick<Accountability, 'app'> | null, permissions: Permission[], filter: Query['filter']): Permission[];

package/dist/permissions/lib/with-app-minimal-permissions.js ADDED Viewed

@@ -0,0 +1,10 @@
+import { appAccessMinimalPermissions } from '@directus/system-data';
+import { cloneDeep } from 'lodash-es';
+import { filterItems } from '../../utils/filter-items.js';
+export function withAppMinimalPermissions(accountability, permissions, filter) {
+    if (accountability?.app === true) {
+        const filteredAppMinimalPermissions = cloneDeep(filterItems(appAccessMinimalPermissions, filter));
+        return [...permissions, ...filteredAppMinimalPermissions];
+    }
+    return permissions;
+}

package/dist/permissions/modules/fetch-accountability-collection-access/fetch-accountability-collection-access.d.ts ADDED Viewed

@@ -0,0 +1,7 @@
+import type { Accountability, CollectionAccess } from '@directus/types';
+import type { Context } from '../../types.js';
+/**
+ * Get all permissions + minimal app permissions (if applicable) for the user + role in the current accountability.
+ * The permissions will be filtered by IP access.
+ */
+export declare function fetchAccountabilityCollectionAccess(accountability: Pick<Accountability, 'user' | 'roles' | 'role' | 'ip' | 'admin' | 'app'>, context: Context): Promise<CollectionAccess>;

package/dist/permissions/modules/fetch-accountability-collection-access/fetch-accountability-collection-access.js ADDED Viewed

@@ -0,0 +1,56 @@
+import { PERMISSION_ACTIONS } from '@directus/constants';
+import { mapValues, uniq } from 'lodash-es';
+import { fetchPermissions } from '../../lib/fetch-permissions.js';
+import { fetchPolicies } from '../../lib/fetch-policies.js';
+/**
+ * Get all permissions + minimal app permissions (if applicable) for the user + role in the current accountability.
+ * The permissions will be filtered by IP access.
+ */
+export async function fetchAccountabilityCollectionAccess(accountability, context) {
+    if (accountability.admin) {
+        return mapValues(context.schema.collections, () => Object.fromEntries(PERMISSION_ACTIONS.map((action) => [
+            action,
+            {
+                access: 'full',
+                fields: ['*'],
+            },
+        ])));
+    }
+    const policies = await fetchPolicies(accountability, context);
+    const permissions = await fetchPermissions({ policies, accountability }, context);
+    const infos = {};
+    for (const perm of permissions) {
+        // Ensure that collection is in infos
+        if (!infos[perm.collection]) {
+            infos[perm.collection] = {
+                read: { access: 'none' },
+                create: { access: 'none' },
+                update: { access: 'none' },
+                delete: { access: 'none' },
+                share: { access: 'none' },
+            };
+        }
+        // Ensure that action with default values is in collection infos
+        if (infos[perm.collection][perm.action]?.access === 'none') {
+            // If a permissions is iterated over it means that the user has access to it, so set access to 'full'
+            // Set access to 'full' initially and refine that whenever a permission with filters is encountered
+            infos[perm.collection][perm.action].access = 'full';
+        }
+        const info = infos[perm.collection][perm.action];
+        // Set access to 'partial' if the permission has filters, which means that the user has conditional access
+        if (info.access === 'full' && perm.permissions && Object.keys(perm.permissions).length > 0) {
+            info.access = 'partial';
+        }
+        if (perm.fields && info.fields?.[0] !== '*') {
+            info.fields = uniq([...(info.fields || []), ...(perm.fields || [])]);
+            if (info.fields.includes('*')) {
+                info.fields = ['*'];
+            }
+        }
+        if (perm.presets) {
+            info.presets = { ...(info.presets ?? {}), ...perm.presets };
+        }
+    }
+    // TODO Should fields by null, undefined or and empty array if no access?
+    return infos;
+}

package/dist/permissions/modules/fetch-accountability-policy-globals/fetch-accountability-policy-globals.d.ts ADDED Viewed

@@ -0,0 +1,3 @@
+import type { Accountability, Globals } from '@directus/types';
+import type { Context } from '../../types.js';
+export declare function fetchAccountabilityPolicyGlobals(accountability: Pick<Accountability, 'user' | 'roles' | 'ip' | 'admin' | 'app'>, context: Context): Promise<Globals>;

package/dist/permissions/modules/fetch-accountability-policy-globals/fetch-accountability-policy-globals.js ADDED Viewed

@@ -0,0 +1,16 @@
+import { fetchPolicies } from '../../lib/fetch-policies.js';
+export async function fetchAccountabilityPolicyGlobals(accountability, context) {
+    const policies = await fetchPolicies(accountability, context);
+    // Policies are already filtered down by the accountability IP, so we don't need to check it again
+    const result = await context.knex
+        .select(1)
+        .from('directus_policies')
+        .whereIn('id', policies)
+        .where('enforce_tfa', true)
+        .first();
+    return {
+        app_access: accountability.app,
+        admin_access: accountability.admin,
+        enforce_tfa: !!result,
+    };
+}

package/dist/permissions/modules/fetch-allowed-collections/fetch-allowed-collections.d.ts ADDED Viewed

@@ -0,0 +1,8 @@
+import type { Accountability, PermissionsAction } from '@directus/types';
+import type { Context } from '../../types.js';
+export interface FetchAllowedCollectionsOptions {
+    action: PermissionsAction;
+    accountability: Pick<Accountability, 'user' | 'role' | 'roles' | 'ip' | 'admin' | 'app'>;
+}
+export declare const fetchAllowedCollections: typeof _fetchAllowedCollections;
+export declare function _fetchAllowedCollections({ action, accountability }: FetchAllowedCollectionsOptions, { knex, schema }: Context): Promise<string[]>;

package/dist/permissions/modules/fetch-allowed-collections/fetch-allowed-collections.js ADDED Viewed

@@ -0,0 +1,24 @@
+import { uniq } from 'lodash-es';
+import { fetchPolicies } from '../../lib/fetch-policies.js';
+import { withCache } from '../../utils/with-cache.js';
+import { fetchPermissions } from '../../lib/fetch-permissions.js';
+export const fetchAllowedCollections = withCache('allowed-collections', _fetchAllowedCollections, ({ action, accountability: { user, role, roles, ip, admin, app } }) => ({
+    action,
+    accountability: {
+        user,
+        role,
+        roles,
+        ip,
+        admin,
+        app,
+    },
+}));
+export async function _fetchAllowedCollections({ action, accountability }, { knex, schema }) {
+    if (accountability.admin) {
+        return Object.keys(schema.collections);
+    }
+    const policies = await fetchPolicies(accountability, { knex, schema });
+    const permissions = await fetchPermissions({ action, policies, accountability }, { knex, schema });
+    const collections = permissions.map(({ collection }) => collection);
+    return uniq(collections);
+}

package/dist/permissions/modules/fetch-allowed-field-map/fetch-allowed-field-map.d.ts ADDED Viewed

@@ -0,0 +1,9 @@
+import type { Accountability, PermissionsAction } from '@directus/types';
+import type { Context } from '../../types.js';
+export type FieldMap = Record<string, string[]>;
+export interface FetchAllowedFieldMapOptions {
+    accountability: Pick<Accountability, 'user' | 'role' | 'roles' | 'ip' | 'admin' | 'app'>;
+    action: PermissionsAction;
+}
+export declare const fetchAllowedFieldMap: typeof _fetchAllowedFieldMap;
+export declare function _fetchAllowedFieldMap({ accountability, action }: FetchAllowedFieldMapOptions, { knex, schema }: Context): Promise<FieldMap>;

package/dist/permissions/modules/fetch-allowed-field-map/fetch-allowed-field-map.js ADDED Viewed

@@ -0,0 +1,31 @@
+import { uniq } from 'lodash-es';
+import { fetchPolicies } from '../../lib/fetch-policies.js';
+import { withCache } from '../../utils/with-cache.js';
+import { fetchPermissions } from '../../lib/fetch-permissions.js';
+export const fetchAllowedFieldMap = withCache('allowed-field-map', _fetchAllowedFieldMap, ({ action, accountability: { user, role, roles, ip, admin, app } }) => ({
+    action,
+    accountability: { user, role, roles, ip, admin, app },
+}));
+export async function _fetchAllowedFieldMap({ accountability, action }, { knex, schema }) {
+    const fieldMap = {};
+    if (accountability.admin) {
+        for (const [collection, { fields }] of Object.entries(schema.collections)) {
+            fieldMap[collection] = Object.keys(fields);
+        }
+        return fieldMap;
+    }
+    const policies = await fetchPolicies(accountability, { knex, schema });
+    const permissions = await fetchPermissions({ action, policies, accountability }, { knex, schema });
+    for (const { collection, fields } of permissions) {
+        if (!fieldMap[collection]) {
+            fieldMap[collection] = [];
+        }
+        if (fields) {
+            fieldMap[collection].push(...fields);
+        }
+    }
+    for (const [collection, fields] of Object.entries(fieldMap)) {
+        fieldMap[collection] = uniq(fields);
+    }
+    return fieldMap;
+}

package/dist/permissions/modules/fetch-allowed-fields/fetch-allowed-fields.d.ts ADDED Viewed

@@ -0,0 +1,16 @@
+import type { Accountability, PermissionsAction } from '@directus/types';
+import type { Context } from '../../types.js';
+export interface FetchAllowedFieldsOptions {
+    collection: string;
+    action: PermissionsAction;
+    accountability: Pick<Accountability, 'user' | 'role' | 'roles' | 'ip' | 'app'>;
+}
+export declare const fetchAllowedFields: typeof _fetchAllowedFields;
+/**
+ * Look up all fields that are allowed to be used for the given collection and action for the given
+ * accountability object
+ *
+ * Done by looking up all available policies for the current accountability object, and reading all
+ * permissions that exist for the collection+action+policy combination
+ */
+export declare function _fetchAllowedFields({ accountability, action, collection }: FetchAllowedFieldsOptions, { knex, schema }: Context): Promise<string[]>;

package/dist/permissions/modules/fetch-allowed-fields/fetch-allowed-fields.js ADDED Viewed

@@ -0,0 +1,27 @@
+import { uniq } from 'lodash-es';
+import { fetchPermissions } from '../../lib/fetch-permissions.js';
+import { fetchPolicies } from '../../lib/fetch-policies.js';
+import { withCache } from '../../utils/with-cache.js';
+export const fetchAllowedFields = withCache('allowed-fields', _fetchAllowedFields, ({ action, collection, accountability: { user, role, roles, ip, app } }) => ({
+    action,
+    collection,
+    accountability: { user, role, roles, ip, app },
+}));
+/**
+ * Look up all fields that are allowed to be used for the given collection and action for the given
+ * accountability object
+ *
+ * Done by looking up all available policies for the current accountability object, and reading all
+ * permissions that exist for the collection+action+policy combination
+ */
+export async function _fetchAllowedFields({ accountability, action, collection }, { knex, schema }) {
+    const policies = await fetchPolicies(accountability, { knex, schema });
+    const permissions = await fetchPermissions({ action, collections: [collection], policies, accountability }, { knex, schema });
+    const allowedFields = [];
+    for (const { fields } of permissions) {
+        if (!fields)
+            continue;
+        allowedFields.push(...fields);
+    }
+    return uniq(allowedFields).filter((field) => field === '*' || field in (schema.collections[collection]?.fields ?? {}));
+}

package/dist/permissions/modules/fetch-global-access/fetch-global-access.d.ts ADDED Viewed

@@ -0,0 +1,10 @@
+import type { Accountability } from '@directus/types';
+import type { Knex } from 'knex';
+import type { GlobalAccess } from './types.js';
+export declare const fetchGlobalAccess: typeof _fetchGlobalAccess;
+/**
+ * Fetch the global access (eg admin/app access) rules for the given roles, or roles+user combination
+ *
+ * Will fetch roles and user info separately so they can be cached and reused individually
+ */
+export declare function _fetchGlobalAccess(accountability: Pick<Accountability, 'user' | 'roles' | 'ip'>, knex: Knex): Promise<GlobalAccess>;

package/dist/permissions/modules/fetch-global-access/fetch-global-access.js ADDED Viewed

@@ -0,0 +1,23 @@
+import { withCache } from '../../utils/with-cache.js';
+import { fetchGlobalAccessForRoles } from './lib/fetch-global-access-for-roles.js';
+import { fetchGlobalAccessForUser } from './lib/fetch-global-access-for-user.js';
+export const fetchGlobalAccess = withCache('global-access', _fetchGlobalAccess, ({ user, roles, ip }) => ({
+    user,
+    roles,
+    ip,
+}));
+/**
+ * Fetch the global access (eg admin/app access) rules for the given roles, or roles+user combination
+ *
+ * Will fetch roles and user info separately so they can be cached and reused individually
+ */
+export async function _fetchGlobalAccess(accountability, knex) {
+    const access = await fetchGlobalAccessForRoles(accountability, knex);
+    if (accountability.user !== undefined) {
+        const userAccess = await fetchGlobalAccessForUser(accountability, knex);
+        // If app/admin is already true, keep it true
+        access.app ||= userAccess.app;
+        access.admin ||= userAccess.admin;
+    }
+    return access;
+}

package/dist/permissions/modules/fetch-global-access/lib/fetch-global-access-for-roles.d.ts ADDED Viewed

@@ -0,0 +1,5 @@
+import type { Accountability } from '@directus/types';
+import type { Knex } from 'knex';
+import type { GlobalAccess } from '../types.js';
+export declare const fetchGlobalAccessForRoles: typeof _fetchGlobalAccessForRoles;
+export declare function _fetchGlobalAccessForRoles(accountability: Pick<Accountability, 'roles' | 'ip'>, knex: Knex): Promise<GlobalAccess>;

package/dist/permissions/modules/fetch-global-access/lib/fetch-global-access-for-roles.js ADDED Viewed

@@ -0,0 +1,7 @@
+import { withCache } from '../../../utils/with-cache.js';
+import { fetchGlobalAccessForQuery } from '../utils/fetch-global-access-for-query.js';
+export const fetchGlobalAccessForRoles = withCache('global-access-role', _fetchGlobalAccessForRoles, ({ roles, ip }) => ({ roles, ip }));
+export async function _fetchGlobalAccessForRoles(accountability, knex) {
+    const query = knex.where('role', 'in', accountability.roles);
+    return await fetchGlobalAccessForQuery(query, accountability);
+}

package/dist/permissions/modules/fetch-global-access/lib/fetch-global-access-for-user.d.ts ADDED Viewed

@@ -0,0 +1,5 @@
+import type { Accountability } from '@directus/types';
+import type { Knex } from 'knex';
+import type { GlobalAccess } from '../types.js';
+export declare const fetchGlobalAccessForUser: typeof _fetchGlobalAccessForUser;
+export declare function _fetchGlobalAccessForUser(accountability: Pick<Accountability, 'user' | 'ip'>, knex: Knex): Promise<GlobalAccess>;

package/dist/permissions/modules/fetch-global-access/lib/fetch-global-access-for-user.js ADDED Viewed

@@ -0,0 +1,10 @@
+import { withCache } from '../../../utils/with-cache.js';
+import { fetchGlobalAccessForQuery } from '../utils/fetch-global-access-for-query.js';
+export const fetchGlobalAccessForUser = withCache('global-access-user', _fetchGlobalAccessForUser, ({ user, ip }) => ({
+    user,
+    ip,
+}));
+export async function _fetchGlobalAccessForUser(accountability, knex) {
+    const query = knex.where('user', '=', accountability.user);
+    return await fetchGlobalAccessForQuery(query, accountability);
+}

package/dist/permissions/modules/fetch-global-access/types.d.ts ADDED Viewed

@@ -0,0 +1,4 @@
+export interface GlobalAccess {
+    app: boolean;
+    admin: boolean;
+}

package/dist/permissions/modules/fetch-global-access/types.js ADDED Viewed

	@@ -0,0 +1 @@
1	+ export {};

package/dist/permissions/modules/fetch-global-access/utils/fetch-global-access-for-query.d.ts ADDED Viewed

@@ -0,0 +1,4 @@
+import type { Accountability } from '@directus/types';
+import type { Knex } from 'knex';
+import type { GlobalAccess } from '../types.js';
+export declare function fetchGlobalAccessForQuery(query: Knex.QueryBuilder<any, any[]>, accountability: Pick<Accountability, 'ip'>): Promise<GlobalAccess>;

package/dist/permissions/modules/fetch-global-access/utils/fetch-global-access-for-query.js ADDED Viewed

@@ -0,0 +1,27 @@
+import { toBoolean, toArray } from '@directus/utils';
+import { ipInNetworks } from '../../../../utils/ip-in-networks.js';
+export async function fetchGlobalAccessForQuery(query, accountability) {
+    const globalAccess = {
+        app: false,
+        admin: false,
+    };
+    const accessRows = await query
+        .select('directus_policies.admin_access', 'directus_policies.app_access', 'directus_policies.ip_access')
+        .from('directus_access')
+        // @NOTE: `where` clause comes from the caller
+        .leftJoin('directus_policies', 'directus_policies.id', 'directus_access.policy');
+    // Additively merge access permissions
+    for (const { admin_access, app_access, ip_access } of accessRows) {
+        if (accountability.ip && ip_access) {
+            // Skip row if IP is not in the allowed networks
+            const networks = toArray(ip_access);
+            if (!ipInNetworks(accountability.ip, networks))
+                continue;
+        }
+        globalAccess.admin ||= toBoolean(admin_access);
+        globalAccess.app ||= globalAccess.admin || toBoolean(app_access);
+        if (globalAccess.admin)
+            break;
+    }
+    return globalAccess;
+}

package/dist/permissions/modules/fetch-inconsistent-field-map/fetch-inconsistent-field-map.d.ts ADDED Viewed

@@ -0,0 +1,12 @@
+import type { Accountability, PermissionsAction } from '@directus/types';
+import type { Context } from '../../types.js';
+export type FieldMap = Record<string, string[]>;
+export interface FetchInconsistentFieldMapOptions {
+    accountability: Pick<Accountability, 'user' | 'role' | 'roles' | 'ip' | 'admin' | 'app'> | null;
+    action: PermissionsAction;
+}
+/**
+ * Fetch a field map for fields that may or may not be null based on item-by-item permissions.
+ */
+export declare const fetchInconsistentFieldMap: typeof _fetchInconsistentFieldMap;
+export declare function _fetchInconsistentFieldMap({ accountability, action }: FetchInconsistentFieldMapOptions, { knex, schema }: Context): Promise<FieldMap>;

package/dist/permissions/modules/fetch-inconsistent-field-map/fetch-inconsistent-field-map.js ADDED Viewed

@@ -0,0 +1,32 @@
+import { uniq, intersection, difference, pick } from 'lodash-es';
+import { fetchPolicies } from '../../lib/fetch-policies.js';
+import { withCache } from '../../utils/with-cache.js';
+import { fetchPermissions } from '../../lib/fetch-permissions.js';
+/**
+ * Fetch a field map for fields that may or may not be null based on item-by-item permissions.
+ */
+export const fetchInconsistentFieldMap = withCache('inconsistent-field-map', _fetchInconsistentFieldMap, ({ action, accountability }) => ({
+    action,
+    accountability: accountability ? pick(accountability, ['user', 'role', 'roles', 'ip', 'admin', 'app']) : null,
+}));
+export async function _fetchInconsistentFieldMap({ accountability, action }, { knex, schema }) {
+    const fieldMap = {};
+    if (!accountability || accountability.admin) {
+        for (const collection of Object.keys(schema.collections)) {
+            fieldMap[collection] = [];
+        }
+        return fieldMap;
+    }
+    const policies = await fetchPolicies(accountability, { knex, schema });
+    const permissions = await fetchPermissions({ action, policies, accountability }, { knex, schema });
+    const collections = uniq(permissions.map(({ collection }) => collection));
+    for (const collection of collections) {
+        const fields = permissions
+            .filter((permission) => permission.collection === collection)
+            .map((permission) => permission.fields ?? []);
+        const availableEverywhere = intersection(...fields);
+        const availableSomewhere = difference(uniq(fields.flat()), availableEverywhere);
+        fieldMap[collection] = availableSomewhere;
+    }
+    return fieldMap;
+}

package/dist/permissions/modules/fetch-policies-ip-access/fetch-policies-ip-access.d.ts ADDED Viewed

@@ -0,0 +1,4 @@
+import type { Accountability } from '@directus/types';
+import type { Knex } from 'knex';
+export declare const fetchPoliciesIpAccess: typeof _fetchPoliciesIpAccess;
+export declare function _fetchPoliciesIpAccess(accountability: Pick<Accountability, 'user' | 'roles'>, knex: Knex): Promise<string[][]>;