npm - @directus/api - Versions diffs - 21.0.0 → 22.1.0 - Mend

@directus/api 21.0.0 → 22.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (299) hide show

package/dist/permissions/modules/fetch-policies-ip-access/fetch-policies-ip-access.js ADDED Viewed

@@ -0,0 +1,29 @@
+import { toArray } from '@directus/utils';
+import { withCache } from '../../utils/with-cache.js';
+export const fetchPoliciesIpAccess = withCache('policies-ip-access', _fetchPoliciesIpAccess, ({ user, roles }) => ({
+    user,
+    roles,
+}));
+export async function _fetchPoliciesIpAccess(accountability, knex) {
+    const query = knex('directus_access')
+        .select({ ip_access: 'directus_policies.ip_access' })
+        .leftJoin('directus_policies', 'directus_access.policy', 'directus_policies.id')
+        .whereNotNull('directus_policies.ip_access');
+    // No roles and no user means unauthenticated request
+    if (accountability.roles.length === 0 && !accountability.user) {
+        query.where({
+            role: null,
+            user: null,
+        });
+    }
+    else {
+        query.where(function () {
+            if (accountability.user) {
+                this.orWhere('directus_access.user', accountability.user);
+            }
+            this.orWhereIn('directus_access.role', accountability.roles);
+        });
+    }
+    const rows = await query;
+    return rows.filter(({ ip_access }) => ip_access).map(({ ip_access }) => toArray(ip_access));
+}

package/dist/permissions/modules/process-ast/lib/extract-fields-from-children.d.ts ADDED Viewed

@@ -0,0 +1,4 @@
+import type { SchemaOverview } from '@directus/types';
+import type { FieldNode, FunctionFieldNode, NestedCollectionNode } from '../../../../types/ast.js';
+import type { FieldMap, QueryPath } from '../types.js';
+export declare function extractFieldsFromChildren(collection: string, children: (NestedCollectionNode | FieldNode | FunctionFieldNode)[], fieldMap: FieldMap, schema: SchemaOverview, path?: QueryPath): void;

package/dist/permissions/modules/process-ast/lib/extract-fields-from-children.js ADDED Viewed

@@ -0,0 +1,49 @@
+import { getUnaliasedFieldKey } from '../../../utils/get-unaliased-field-key.js';
+import { formatA2oKey } from '../utils/format-a2o-key.js';
+import { getInfoForPath } from '../utils/get-info-for-path.js';
+import { extractFieldsFromQuery } from './extract-fields-from-query.js';
+export function extractFieldsFromChildren(collection, children, fieldMap, schema, path = []) {
+    const info = getInfoForPath(fieldMap, 'other', path, collection);
+    for (const child of children) {
+        info.fields.add(getUnaliasedFieldKey(child));
+        if (child.type === 'a2o') {
+            for (const [collection, children] of Object.entries(child.children)) {
+                extractFieldsFromChildren(collection, children, fieldMap, schema, [
+                    ...path,
+                    formatA2oKey(child.fieldKey, collection),
+                ]);
+            }
+            if (child.query) {
+                for (const [collection, query] of Object.entries(child.query)) {
+                    extractFieldsFromQuery(collection, query, fieldMap, schema, [
+                        ...path,
+                        formatA2oKey(child.fieldKey, collection),
+                    ]);
+                }
+            }
+        }
+        else if (child.type === 'm2o') {
+            extractFieldsFromChildren(child.relation.related_collection, child.children, fieldMap, schema, [
+                ...path,
+                child.fieldKey,
+            ]);
+            extractFieldsFromQuery(child.relation.related_collection, child.query, fieldMap, schema, [
+                ...path,
+                child.fieldKey,
+            ]);
+        }
+        else if (child.type === 'o2m') {
+            extractFieldsFromChildren(child.relation.collection, child.children, fieldMap, schema, [
+                ...path,
+                child.fieldKey,
+            ]);
+            extractFieldsFromQuery(child.relation.collection, child.query, fieldMap, schema, [...path, child.fieldKey]);
+        }
+        else if (child.type === 'functionField') {
+            // functionFields operate on a related o2m collection, we have to make sure we include a
+            // no-field read check to the related collection
+            extractFieldsFromChildren(child.relatedCollection, [], fieldMap, schema, [...path, child.fieldKey]);
+            extractFieldsFromQuery(child.relatedCollection, child.query, fieldMap, schema, [...path, child.fieldKey]);
+        }
+    }
+}

package/dist/permissions/modules/process-ast/lib/extract-fields-from-query.d.ts ADDED Viewed

@@ -0,0 +1,3 @@
+import type { Query, SchemaOverview } from '@directus/types';
+import type { CollectionKey, FieldKey, FieldMap } from '../types.js';
+export declare function extractFieldsFromQuery(collection: CollectionKey, query: Query, fieldMap: FieldMap, schema: SchemaOverview, pathPrefix?: FieldKey[]): void;

package/dist/permissions/modules/process-ast/lib/extract-fields-from-query.js ADDED Viewed

@@ -0,0 +1,56 @@
+import { parseFilterKey } from '../../../../utils/parse-filter-key.js';
+import { extractPathsFromQuery } from '../utils/extract-paths-from-query.js';
+import { findRelatedCollection } from '../utils/find-related-collection.js';
+import { getInfoForPath } from '../utils/get-info-for-path.js';
+export function extractFieldsFromQuery(collection, query, fieldMap, schema, pathPrefix = []) {
+    if (!query)
+        return;
+    const { paths: otherPaths, readOnlyPaths } = extractPathsFromQuery(query);
+    const groupedPaths = {
+        other: otherPaths,
+        read: readOnlyPaths,
+    };
+    for (const [group, paths] of Object.entries(groupedPaths)) {
+        for (const path of paths) {
+            /**
+             * Current path stack. For each iteration of the path loop this will be appended with the
+             * current part we're operating on. So when looping over ['category', 'created_by', 'name']
+             * the first iteration it'll be `['category']`, and then `['category', 'created_by']` etc.
+             */
+            const stack = [];
+            /**
+             * Current collection the path part we're operating on lives in. Once we hit a relational
+             * field, this will be updated to the related collection, so we can follow the relational path
+             * left to right.
+             */
+            let collectionContext = collection;
+            for (const part of path) {
+                const info = getInfoForPath(fieldMap, group, [...pathPrefix, ...stack], collectionContext);
+                // A2o specifier field fetch
+                if (part.includes(':')) {
+                    const [fieldKey, collection] = part.split(':');
+                    info.fields.add(fieldKey);
+                    collectionContext = collection;
+                    stack.push(part);
+                    continue;
+                }
+                if (part.startsWith('$FOLLOW(') && part.endsWith(')')) {
+                    // Don't add this implicit relation field to fields, as it will be accounted for in the reverse direction
+                }
+                else {
+                    const { fieldName } = parseFilterKey(part);
+                    info.fields.add(fieldName);
+                }
+                /**
+                 * Related collection for the current part. Is null when the current field isn't a
+                 * relational field.
+                 */
+                const relatedCollection = findRelatedCollection(collectionContext, part, schema);
+                if (relatedCollection) {
+                    collectionContext = relatedCollection;
+                    stack.push(part);
+                }
+            }
+        }
+    }
+}

package/dist/permissions/modules/process-ast/lib/field-map-from-ast.d.ts ADDED Viewed

@@ -0,0 +1,4 @@
+import type { SchemaOverview } from '@directus/types';
+import type { AST } from '../../../../types/ast.js';
+import type { FieldMap } from '../types.js';
+export declare function fieldMapFromAst(ast: AST, schema: SchemaOverview): FieldMap;

package/dist/permissions/modules/process-ast/lib/field-map-from-ast.js ADDED Viewed

@@ -0,0 +1,8 @@
+import { extractFieldsFromChildren } from './extract-fields-from-children.js';
+import { extractFieldsFromQuery } from './extract-fields-from-query.js';
+export function fieldMapFromAst(ast, schema) {
+    const fieldMap = { read: new Map(), other: new Map() };
+    extractFieldsFromChildren(ast.name, ast.children, fieldMap, schema);
+    extractFieldsFromQuery(ast.name, ast.query, fieldMap, schema);
+    return fieldMap;
+}

package/dist/permissions/modules/process-ast/lib/inject-cases.d.ts ADDED Viewed

@@ -0,0 +1,9 @@
+import type { Permission } from '@directus/types';
+import type { AST } from '../../../../types/ast.js';
+/**
+ * Mutates passed AST
+ *
+ * @param ast - Read query AST
+ * @param permissions - Expected to be filtered down for the policies and action already
+ */
+export declare function injectCases(ast: AST, permissions: Permission[]): void;

package/dist/permissions/modules/process-ast/lib/inject-cases.js ADDED Viewed

@@ -0,0 +1,93 @@
+import { getUnaliasedFieldKey } from '../../../utils/get-unaliased-field-key.js';
+import { dedupeAccess } from '../utils/dedupe-access.js';
+import { hasItemPermissions } from '../utils/has-item-permissions.js';
+import { uniq } from 'lodash-es';
+/**
+ * Mutates passed AST
+ *
+ * @param ast - Read query AST
+ * @param permissions - Expected to be filtered down for the policies and action already
+ */
+export function injectCases(ast, permissions) {
+    ast.cases = processChildren(ast.name, ast.children, permissions);
+}
+function processChildren(collection, children, permissions) {
+    // Use uniq here, since there might be multiple duplications due to aliases or functions
+    const requestedKeys = uniq(children.map(getUnaliasedFieldKey));
+    const { cases, caseMap, allowedFields } = getCases(collection, permissions, requestedKeys);
+    // TODO this can be optimized if there is only one rule to skip the whole case/where system,
+    //  since fields that are not allowed at all are already filtered out
+    // TODO this can be optimized if all cases are the same for all requested keys, as those should be
+    //
+    for (const child of children) {
+        const fieldKey = getUnaliasedFieldKey(child);
+        const globalWhenCase = caseMap['*'];
+        const fieldWhenCase = caseMap[fieldKey];
+        // Validation should catch any fields that are attempted to be read that don't have any access control configured.
+        // When there are no access rules for this field, and no rules for "all" fields `*`, we missed something in the validation
+        // and should abort.
+        if (!globalWhenCase && !fieldWhenCase) {
+            throw new Error(`Cannot extract access permissions for field "${fieldKey}" in collection "${collection}"`);
+        }
+        // The case/when system only needs to take place if no full access is given on this field,
+        // otherwise we can skip and thus safe some query perf overhead
+        if (!allowedFields.has('*') && !allowedFields.has(fieldKey)) {
+            // Global and field can't both be undefined as per the error check prior
+            child.whenCase = [...(globalWhenCase ?? []), ...(fieldWhenCase ?? [])];
+        }
+        if (child.type === 'm2o') {
+            child.cases = processChildren(child.relation.related_collection, child.children, permissions);
+        }
+        if (child.type === 'o2m') {
+            child.cases = processChildren(child.relation.collection, child.children, permissions);
+        }
+        if (child.type === 'a2o') {
+            for (const collection of child.names) {
+                child.cases[collection] = processChildren(collection, child.children[collection] ?? [], permissions);
+            }
+        }
+        if (child.type === 'functionField') {
+            const { cases } = getCases(child.relatedCollection, permissions, []);
+            child.cases = cases;
+        }
+    }
+    return cases;
+}
+function getCases(collection, permissions, requestedKeys) {
+    const permissionsForCollection = permissions.filter((permission) => permission.collection === collection);
+    const rules = dedupeAccess(permissionsForCollection);
+    const cases = [];
+    const caseMap = {};
+    // TODO this can be optimized if there is only one rule to skip the whole case/where system,
+    //  since fields that are not allowed at all are already filtered out
+    // TODO this can be optimized if all cases are the same for all requested keys, as those should be
+    //
+    let index = 0;
+    for (const { rule, fields } of rules) {
+        // If none of the fields in the current permissions rule overlap with the actually requested
+        // fields in the AST, we can ignore this case altogether
+        if (requestedKeys.length > 0 &&
+            fields.has('*') === false &&
+            Array.from(fields).every((field) => requestedKeys.includes(field) === false)) {
+            continue;
+        }
+        if (rule === null)
+            continue;
+        cases.push(rule);
+        for (const field of fields) {
+            caseMap[field] = [...(caseMap[field] ?? []), index];
+        }
+        index++;
+    }
+    // Field that are allowed no matter what conditions exist for the item. These come from
+    // permissions where the item read access is "everything"
+    const allowedFields = new Set(permissionsForCollection
+        .filter((permission) => hasItemPermissions(permission) === false)
+        .map((permission) => permission.fields ?? [])
+        .flat());
+    return {
+        cases,
+        caseMap,
+        allowedFields,
+    };
+}

package/dist/permissions/modules/process-ast/process-ast.d.ts ADDED Viewed

@@ -0,0 +1,9 @@
+import type { Accountability, PermissionsAction } from '@directus/types';
+import type { AST } from '../../../types/ast.js';
+import type { Context } from '../../types.js';
+export interface ProcessAstOptions {
+    ast: AST;
+    action: PermissionsAction;
+    accountability: Accountability | null;
+}
+export declare function processAst(options: ProcessAstOptions, context: Context): Promise<AST>;

package/dist/permissions/modules/process-ast/process-ast.js ADDED Viewed

@@ -0,0 +1,39 @@
+import { fetchPermissions } from '../../lib/fetch-permissions.js';
+import { fetchPolicies } from '../../lib/fetch-policies.js';
+import { fieldMapFromAst } from './lib/field-map-from-ast.js';
+import { injectCases } from './lib/inject-cases.js';
+import { collectionsInFieldMap } from './utils/collections-in-field-map.js';
+import { validatePathPermissions } from './utils/validate-path/validate-path-permissions.js';
+import { validatePathExistence } from './utils/validate-path/validate-path-existence.js';
+export async function processAst(options, context) {
+    // FieldMap is a Map of paths in the AST, with each path containing the collection and fields in
+    // that collection that the AST path tries to access
+    const fieldMap = fieldMapFromAst(options.ast, context.schema);
+    const collections = collectionsInFieldMap(fieldMap);
+    if (!options.accountability || options.accountability.admin) {
+        // Validate the field existence, even if no permissions apply to the current accountability
+        for (const [path, { collection, fields }] of [...fieldMap.read.entries(), ...fieldMap.other.entries()]) {
+            validatePathExistence(path, collection, fields, context.schema);
+        }
+        return options.ast;
+    }
+    const policies = await fetchPolicies(options.accountability, context);
+    const permissions = await fetchPermissions({ action: options.action, policies, collections, accountability: options.accountability }, context);
+    const readPermissions = options.action === 'read'
+        ? permissions
+        : await fetchPermissions({ action: 'read', policies, collections, accountability: options.accountability }, context);
+    // Validate field existence first
+    for (const [path, { collection, fields }] of [...fieldMap.read.entries(), ...fieldMap.other.entries()]) {
+        validatePathExistence(path, collection, fields, context.schema);
+    }
+    // Validate permissions for the fields
+    for (const [path, { collection, fields }] of fieldMap.other.entries()) {
+        validatePathPermissions(path, permissions, collection, fields);
+    }
+    // Validate permission for read only fields
+    for (const [path, { collection, fields }] of fieldMap.read.entries()) {
+        validatePathPermissions(path, readPermissions, collection, fields);
+    }
+    injectCases(options.ast, permissions);
+    return options.ast;
+}

package/dist/permissions/modules/process-ast/types.d.ts ADDED Viewed

@@ -0,0 +1,18 @@
+export type CollectionKey = string;
+export type FieldKey = string;
+export type QueryPath = string[];
+/**
+ * Key is dot-notation QueryPath, f.e. `category.created_by`.
+ * Value contains collection context for that path, and fields fetched within
+ */
+export type FieldMapEntries = Map<string, {
+    collection: CollectionKey;
+    fields: Set<FieldKey>;
+}>;
+/**
+ * FieldMapEntries that require only read permissions and those that require action specific permissions
+ */
+export type FieldMap = {
+    read: FieldMapEntries;
+    other: FieldMapEntries;
+};

package/dist/permissions/modules/process-ast/types.js ADDED Viewed

	@@ -0,0 +1 @@
1	+ export {};

package/dist/permissions/modules/process-ast/utils/collections-in-field-map.d.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ import type { CollectionKey, FieldMap } from '../types.js';
2	+ export declare function collectionsInFieldMap(fieldMap: FieldMap): CollectionKey[];

package/dist/permissions/modules/process-ast/utils/collections-in-field-map.js ADDED Viewed

@@ -0,0 +1,7 @@
+export function collectionsInFieldMap(fieldMap) {
+    const collections = new Set();
+    for (const { collection } of [...fieldMap.other.values(), ...fieldMap.read.values()]) {
+        collections.add(collection);
+    }
+    return Array.from(collections);
+}

package/dist/permissions/modules/process-ast/utils/dedupe-access.d.ts ADDED Viewed

@@ -0,0 +1,12 @@
+import type { Filter, Permission } from '@directus/types';
+/**
+ * Deduplicate the permissions sets by merging the field sets based on the access control rules
+ * (`permissions` in Permission rows)
+ *
+ * This allows the cases injection to be more efficient by not having to generate duplicate
+ * case/when clauses for permission sets where the rule access is identical
+ */
+export declare function dedupeAccess(permissions: Permission[]): {
+    rule: Filter;
+    fields: Set<string>;
+}[];

package/dist/permissions/modules/process-ast/utils/dedupe-access.js ADDED Viewed

@@ -0,0 +1,30 @@
+import hash from 'object-hash';
+/**
+ * Deduplicate the permissions sets by merging the field sets based on the access control rules
+ * (`permissions` in Permission rows)
+ *
+ * This allows the cases injection to be more efficient by not having to generate duplicate
+ * case/when clauses for permission sets where the rule access is identical
+ */
+export function dedupeAccess(permissions) {
+    // Map of `ruleHash: fields[]`
+    const map = new Map();
+    for (const permission of permissions) {
+        const rule = permission.permissions ?? {};
+        // Two JS objects can't be equality checked. Object-hash will resort any nested arrays
+        // deterministically meaning that this can be used to compare two rule sets where the array
+        // order does not matter
+        const ruleHash = hash(rule, {
+            algorithm: 'passthrough',
+            unorderedArrays: true,
+        });
+        if (map.has(ruleHash) === false) {
+            map.set(ruleHash, { rule, fields: new Set() });
+        }
+        const info = map.get(ruleHash);
+        for (const field of permission.fields ?? []) {
+            info.fields.add(field);
+        }
+    }
+    return Array.from(map.values());
+}

package/dist/permissions/modules/process-ast/utils/extract-paths-from-query.d.ts ADDED Viewed

@@ -0,0 +1,15 @@
+import type { Query } from '@directus/types';
+/**
+ * Converts the passed Query object into a unique list of path arrays, for example:
+ *
+ * ```
+ * [
+ * 	['author', 'age'],
+ * 	['category']
+ * ]
+ * ```
+ */
+export declare function extractPathsFromQuery(query: Query): {
+    paths: string[][];
+    readOnlyPaths: string[][];
+};

package/dist/permissions/modules/process-ast/utils/extract-paths-from-query.js ADDED Viewed

@@ -0,0 +1,60 @@
+import { isEqual, uniqWith } from 'lodash-es';
+import { flattenFilter } from './flatten-filter.js';
+/**
+ * Converts the passed Query object into a unique list of path arrays, for example:
+ *
+ * ```
+ * [
+ * 	['author', 'age'],
+ * 	['category']
+ * ]
+ * ```
+ */
+export function extractPathsFromQuery(query) {
+    /**
+     * All nested paths used in the current query scope.
+     * This is generated by flattening the filters and adding in the used sort/aggregate fields.
+     */
+    const paths = [];
+    const readOnlyPaths = [];
+    if (query.filter) {
+        flattenFilter(readOnlyPaths, query.filter);
+    }
+    if (query.sort) {
+        for (const field of query.sort) {
+            // Sort can have dot notation fields for sorting on m2o values Sort fields can start with
+            // `-` to indicate descending order, which should be dropped for permissions checks
+            const parts = field.split('.').map((field) => (field.startsWith('-') ? field.substring(1) : field));
+            if (query.aggregate && parts.length > 0 && parts[0] in query.aggregate) {
+                // If query is an aggregate query and the first part is a requested aggregate operation, ignore the whole field.
+                // The correct field is extracted into the field map when processing the `query.aggregate` fields.
+                continue;
+            }
+            readOnlyPaths.push(parts);
+        }
+    }
+    if (query.aggregate) {
+        for (const fields of Object.values(query.aggregate)) {
+            for (const field of fields) {
+                if (field === '*') {
+                    // Don't add wildcard field to the paths
+                    continue;
+                }
+                // Aggregate doesn't currently support aggregating on nested fields, but it doesn't hurt
+                // to standardize it in the validation layer
+                paths.push(field.split('.'));
+            }
+        }
+    }
+    if (query.group) {
+        for (const field of query.group) {
+            // Grouping doesn't currently support grouping on nested fields, but it doesn't hurt to
+            // standardize it in the validation layer
+            paths.push(field.split('.'));
+        }
+    }
+    return {
+        paths: uniqWith(paths, isEqual),
+        readOnlyPaths: uniqWith(readOnlyPaths, isEqual),
+    };
+}

package/dist/permissions/modules/process-ast/utils/find-related-collection.d.ts ADDED Viewed

@@ -0,0 +1,3 @@
+import type { SchemaOverview } from '@directus/types';
+import type { CollectionKey, FieldKey } from '../types.js';
+export declare function findRelatedCollection(collection: CollectionKey, field: FieldKey, schema: SchemaOverview): CollectionKey | null;

package/dist/permissions/modules/process-ast/utils/find-related-collection.js ADDED Viewed

@@ -0,0 +1,9 @@
+import { getRelationInfo } from '../../../../utils/get-relation-info.js';
+export function findRelatedCollection(collection, field, schema) {
+    const { relation } = getRelationInfo(schema.relations, collection, field);
+    if (!relation)
+        return null;
+    const isO2m = relation.related_collection === collection;
+    const relatedCollectionName = isO2m ? relation.collection : relation.related_collection;
+    return relatedCollectionName;
+}

package/dist/permissions/modules/process-ast/utils/flatten-filter.d.ts ADDED Viewed

@@ -0,0 +1,3 @@
+import type { Query } from '@directus/types';
+import type { FieldKey } from '../types.js';
+export declare function flattenFilter(paths: FieldKey[][], filter: Query['filter']): void;

package/dist/permissions/modules/process-ast/utils/flatten-filter.js ADDED Viewed

@@ -0,0 +1,34 @@
+export function flattenFilter(paths, filter) {
+    if (!filter)
+        return;
+    const stack = [{ current: filter, path: [] }];
+    while (stack.length > 0) {
+        const { current, path } = stack.pop();
+        if (typeof current === 'object' && current !== null) {
+            // If the current nested value is an array, we ignore the array order and flatten all
+            // nested objects
+            const isArray = Array.isArray(current);
+            for (const key in current) {
+                if (!key.startsWith('_') || key === '_and' || key === '_or' || key === '_some' || key === '_none') {
+                    // Only deepen the path if the current value can contain more keys
+                    stack.push({
+                        current: current[key],
+                        path: isArray ? path : [...path, key],
+                    });
+                }
+                else {
+                    // Ignore all operators and logical grouping in the field paths
+                    const parts = path.filter((part) => part.startsWith('_') === false);
+                    if (parts.length > 0)
+                        paths.push(parts);
+                }
+            }
+        }
+        else {
+            // Ignore all operators and logical grouping in the field paths
+            const parts = path.filter((part) => part.startsWith('_') === false);
+            if (parts.length > 0)
+                paths.push(parts);
+        }
+    }
+}

package/dist/permissions/modules/process-ast/utils/format-a2o-key.d.ts ADDED Viewed

	@@ -0,0 +1 @@
1	+ export declare function formatA2oKey(fieldKey: string, collection: string): string;

package/dist/permissions/modules/process-ast/utils/format-a2o-key.js ADDED Viewed

@@ -0,0 +1,3 @@
+export function formatA2oKey(fieldKey, collection) {
+    return `${fieldKey}:${collection}`;
+}

package/dist/permissions/modules/process-ast/utils/get-info-for-path.d.ts ADDED Viewed

@@ -0,0 +1,5 @@
+import type { CollectionKey, FieldMap, QueryPath } from '../types.js';
+export declare function getInfoForPath(fieldMap: FieldMap, group: keyof FieldMap, path: QueryPath, collection: CollectionKey): {
+    collection: string;
+    fields: Set<string>;
+};

package/dist/permissions/modules/process-ast/utils/get-info-for-path.js ADDED Viewed

@@ -0,0 +1,7 @@
+export function getInfoForPath(fieldMap, group, path, collection) {
+    const pathStr = path.join('.');
+    if (fieldMap[group].has(pathStr) === false) {
+        fieldMap[group].set(pathStr, { collection, fields: new Set() });
+    }
+    return fieldMap[group].get(pathStr);
+}

package/dist/permissions/modules/process-ast/utils/has-item-permissions.d.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ import type { Permission } from '@directus/types';
2	+ export declare function hasItemPermissions(permission: Permission): boolean;

package/dist/permissions/modules/process-ast/utils/has-item-permissions.js ADDED Viewed

@@ -0,0 +1,3 @@
+export function hasItemPermissions(permission) {
+    return permission.permissions !== null && Object.keys(permission.permissions).length > 0;
+}

package/dist/permissions/modules/process-ast/utils/stringify-query-path.d.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ import type { QueryPath } from '../types.js';
2	+ export declare function stringifyQueryPath(queryPath: QueryPath): string;

package/dist/permissions/modules/process-ast/utils/stringify-query-path.js ADDED Viewed

@@ -0,0 +1,3 @@
+export function stringifyQueryPath(queryPath) {
+    return queryPath.join('.');
+}

package/dist/permissions/modules/process-ast/utils/validate-path/create-error.d.ts ADDED Viewed

@@ -0,0 +1,3 @@
+import { type DirectusError } from '@directus/errors';
+export declare function createCollectionForbiddenError(path: string, collection: string): DirectusError<any>;
+export declare function createFieldsForbiddenError(path: string, collection: string, fields: string[]): DirectusError<any>;

package/dist/permissions/modules/process-ast/utils/validate-path/create-error.js ADDED Viewed

@@ -0,0 +1,16 @@
+import { ForbiddenError } from '@directus/errors';
+export function createCollectionForbiddenError(path, collection) {
+    const pathSuffix = path === '' ? 'root' : `"${path}"`;
+    return new ForbiddenError({
+        reason: `You don't have permission to access collection "${collection}" or it does not exist. Queried in ${pathSuffix}.`,
+    });
+}
+export function createFieldsForbiddenError(path, collection, fields) {
+    const pathSuffix = path === '' ? 'root' : `"${path}"`;
+    const fieldStr = fields.map((field) => `"${field}"`).join(', ');
+    return new ForbiddenError({
+        reason: fields.length === 1
+            ? `You don't have permission to access field ${fieldStr} in collection "${collection}" or it does not exist. Queried in ${pathSuffix}.`
+            : `You don't have permission to access fields ${fieldStr} in collection "${collection}" or they do not exist. Queried in ${pathSuffix}.`,
+    });
+}

package/dist/permissions/modules/process-ast/utils/validate-path/validate-path-existence.d.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ import type { SchemaOverview } from '@directus/types';
2	+ export declare function validatePathExistence(path: string, collection: string, fields: Set<string>, schema: SchemaOverview): void;

package/dist/permissions/modules/process-ast/utils/validate-path/validate-path-existence.js ADDED Viewed

@@ -0,0 +1,12 @@
+import { createCollectionForbiddenError, createFieldsForbiddenError } from './create-error.js';
+export function validatePathExistence(path, collection, fields, schema) {
+    const collectionInfo = schema.collections[collection];
+    if (collectionInfo === undefined) {
+        throw createCollectionForbiddenError(path, collection);
+    }
+    const requestedFields = Array.from(fields);
+    const nonExistentFields = requestedFields.filter((field) => collectionInfo.fields[field] === undefined);
+    if (nonExistentFields.length > 0) {
+        throw createFieldsForbiddenError(path, collection, nonExistentFields);
+    }
+}

package/dist/permissions/modules/process-ast/utils/validate-path/validate-path-permissions.d.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ import type { Permission } from '@directus/types';
2	+ export declare function validatePathPermissions(path: string, permissions: Permission[], collection: string, fields: Set<string>): void;