npm - @directus/api - Versions diffs - 21.0.0 → 22.1.0 - Mend

@directus/api 21.0.0 → 22.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (299) hide show

package/dist/services/activity.js CHANGED Viewed

@@ -3,11 +3,13 @@ import { useEnv } from '@directus/env';
 import { ErrorCode, isDirectusError } from '@directus/errors';
 import { uniq } from 'lodash-es';
 import { useLogger } from '../logger/index.js';
-import { getPermissions } from '../utils/get-permissions.js';
+import { fetchRolesTree } from '../permissions/lib/fetch-roles-tree.js';
+import { fetchGlobalAccess } from '../permissions/modules/fetch-global-access/fetch-global-access.js';
+import { validateAccess } from '../permissions/modules/validate-access/validate-access.js';
+import { createDefaultAccountability } from '../permissions/utils/create-default-accountability.js';
 import { isValidUuid } from '../utils/is-valid-uuid.js';
 import { Url } from '../utils/url.js';
 import { userName } from '../utils/user-name.js';
-import { AuthorizationService } from './authorization.js';
 import { ItemsService } from './items.js';
 import { NotificationsService } from './notifications.js';
 import { UsersService } from './users.js';
@@ -31,19 +33,29 @@ export class ActivityService extends ItemsService {
             for (const mention of mentions) {
                 const userID = mention.substring(1);
                 const user = await this.usersService.readOne(userID, {
-                    fields: ['id', 'first_name', 'last_name', 'email', 'role.id', 'role.admin_access', 'role.app_access'],
+                    fields: ['id', 'first_name', 'last_name', 'email', 'role'],
                 });
-                const accountability = {
+                const roles = await fetchRolesTree(user['role'], this.knex);
+                const globalAccess = await fetchGlobalAccess({ user: user['id'], roles, ip: null }, this.knex);
+                const accountability = createDefaultAccountability({
                     user: userID,
                     role: user['role']?.id ?? null,
-                    admin: user['role']?.admin_access ?? null,
-                    app: user['role']?.app_access ?? null,
-                };
-                accountability.permissions = await getPermissions(accountability, this.schema);
-                const authorizationService = new AuthorizationService({ schema: this.schema, accountability });
+                    roles,
+                    ...globalAccess,
+                });
                 const usersService = new UsersService({ schema: this.schema, accountability });
                 try {
-                    await authorizationService.checkAccess('read', data['collection'], data['item']);
+                    if (this.accountability) {
+                        await validateAccess({
+                            accountability: this.accountability,
+                            action: 'read',
+                            collection: data['collection'],
+                            primaryKeys: [data['item']],
+                        }, {
+                            knex: this.knex,
+                            schema: this.schema,
+                        });
+                    }
                     const templateData = await usersService.readByQuery({
                         fields: ['id', 'first_name', 'last_name', 'email'],
                         filter: { id: { _in: mentions.map((mention) => mention.substring(1)) } },

package/dist/services/assets.d.ts CHANGED Viewed

@@ -1,15 +1,14 @@
 /// <reference types="node" resolution-mode="require"/>
 import type { Range, Stat } from '@directus/storage';
-import type { Accountability } from '@directus/types';
+import type { Accountability, SchemaOverview } from '@directus/types';
 import type { Knex } from 'knex';
 import type { Readable } from 'node:stream';
 import type { AbstractServiceOptions, TransformationSet } from '../types/index.js';
-import { AuthorizationService } from './authorization.js';
 import { FilesService } from './files.js';
 export declare class AssetsService {
     knex: Knex;
     accountability: Accountability | null;
-    authorizationService: AuthorizationService;
+    schema: SchemaOverview;
     filesService: FilesService;
     constructor(options: AbstractServiceOptions);
     getAsset(id: string, transformation?: TransformationSet, range?: Range): Promise<{

package/dist/services/assets.js CHANGED Viewed

@@ -8,11 +8,11 @@ import sharp from 'sharp';
 import { SUPPORTED_IMAGE_TRANSFORM_FORMATS } from '../constants.js';
 import getDatabase from '../database/index.js';
 import { useLogger } from '../logger/index.js';
+import { validateAccess } from '../permissions/modules/validate-access/validate-access.js';
 import { getStorage } from '../storage/index.js';
 import { getMilliseconds } from '../utils/get-milliseconds.js';
 import { isValidUuid } from '../utils/is-valid-uuid.js';
 import * as TransformationUtils from '../utils/transformations.js';
-import { AuthorizationService } from './authorization.js';
 import { FilesService } from './files.js';
 import { getSharpInstance } from './files/lib/get-sharp-instance.js';
 const env = useEnv();
@@ -20,13 +20,13 @@ const logger = useLogger();
 export class AssetsService {
     knex;
     accountability;
-    authorizationService;
+    schema;
     filesService;
     constructor(options) {
         this.knex = options.knex || getDatabase();
         this.accountability = options.accountability || null;
+        this.schema = options.schema;
         this.filesService = new FilesService({ ...options, accountability: null });
-        this.authorizationService = new AuthorizationService(options);
     }
     async getAsset(id, transformation, range) {
         const storage = await getStorage();
@@ -42,8 +42,13 @@ export class AssetsService {
          */
         if (!isValidUuid(id))
             throw new ForbiddenError();
-        if (systemPublicKeys.includes(id) === false && this.accountability?.admin !== true) {
-            await this.authorizationService.checkAccess('read', 'directus_files', id);
+        if (systemPublicKeys.includes(id) === false && this.accountability) {
+            await validateAccess({
+                accountability: this.accountability,
+                action: 'read',
+                collection: 'directus_files',
+                primaryKeys: [id],
+            }, { knex: this.knex, schema: this.schema });
         }
         const file = (await this.filesService.readOne(id, { limit: 1 }));
         const exists = await storage.location(file.storage).exists(file.filename_disk);

package/dist/services/authentication.js CHANGED Viewed

@@ -1,3 +1,5 @@
+import { fetchRolesTree } from '../permissions/lib/fetch-roles-tree.js';
+import { fetchGlobalAccess } from '../permissions/modules/fetch-global-access/fetch-global-access.js';
 import { Action } from '@directus/constants';
 import { useEnv } from '@directus/env';
 import { InvalidCredentialsError, InvalidOtpError, ServiceUnavailableError, UserSuspendedError, } from '@directus/errors';
@@ -48,10 +50,9 @@ export class AuthenticationService {
             throw err;
         }
         const user = await this.knex
-            .select('u.id', 'u.first_name', 'u.last_name', 'u.email', 'u.password', 'u.status', 'u.role', 'r.admin_access', 'r.app_access', 'u.tfa_secret', 'u.provider', 'u.external_identifier', 'u.auth_data')
-            .from('directus_users as u')
-            .leftJoin('directus_roles as r', 'u.role', 'r.id')
-            .where('u.id', userId)
+            .select('id', 'first_name', 'last_name', 'email', 'password', 'status', 'role', 'tfa_secret', 'provider', 'external_identifier', 'auth_data')
+            .from('directus_users')
+            .where('id', userId)
             .first();
         const updatedPayload = await emitter.emitFilter('auth.login', payload, {
             status: 'pending',
@@ -128,11 +129,13 @@ export class AuthenticationService {
                 throw new InvalidOtpError();
             }
         }
+        const roles = await fetchRolesTree(user.role, this.knex);
+        const globalAccess = await fetchGlobalAccess({ roles, user: user.id, ip: this.accountability?.ip ?? null }, this.knex);
         const tokenPayload = {
             id: user.id,
             role: user.role,
-            app_access: user.app_access,
-            admin_access: user.admin_access,
+            app_access: globalAccess.app,
+            admin_access: globalAccess.admin,
         };
         const refreshToken = nanoid(64);
         const refreshTokenExpiration = new Date(Date.now() + getMilliseconds(env['REFRESH_TOKEN_TTL'], 0));
@@ -207,9 +210,7 @@ export class AuthenticationService {
             user_provider: 'u.provider',
             user_external_identifier: 'u.external_identifier',
             user_auth_data: 'u.auth_data',
-            role_id: 'r.id',
-            role_admin_access: 'r.admin_access',
-            role_app_access: 'r.app_access',
+            user_role: 'u.role',
             share_id: 'd.id',
             share_item: 'd.item',
             share_role: 'd.role',
@@ -222,9 +223,6 @@ export class AuthenticationService {
             .from('directus_sessions AS s')
             .leftJoin('directus_users AS u', 's.user', 'u.id')
             .leftJoin('directus_shares AS d', 's.share', 'd.id')
-            .leftJoin('directus_roles AS r', (join) => {
-            join.onIn('r.id', [this.knex.ref('u.role'), this.knex.ref('d.role')]);
-        })
             .where('s.token', refreshToken)
             .andWhere('s.expires', '>=', new Date())
             .andWhere((subQuery) => {
@@ -248,6 +246,8 @@ export class AuthenticationService {
                 throw new InvalidCredentialsError();
             }
         }
+        const roles = await fetchRolesTree(record.user_role, this.knex);
+        const globalAccess = await fetchGlobalAccess({ user: record.user_id, roles, ip: this.accountability?.ip ?? null }, this.knex);
         if (record.user_id) {
             const provider = getAuthProvider(record.user_provider);
             await provider.refresh({
@@ -260,9 +260,9 @@ export class AuthenticationService {
                 provider: record.user_provider,
                 external_identifier: record.user_external_identifier,
                 auth_data: record.user_auth_data,
-                role: record.role_id,
-                app_access: record.role_app_access,
-                admin_access: record.role_admin_access,
+                role: record.user_role,
+                app_access: globalAccess.app,
+                admin_access: globalAccess.admin,
             });
         }
         let newRefreshToken = record.session_next_token ?? nanoid(64);
@@ -270,9 +270,9 @@ export class AuthenticationService {
         const refreshTokenExpiration = new Date(Date.now() + getMilliseconds(sessionDuration, 0));
         const tokenPayload = {
             id: record.user_id,
-            role: record.role_id,
-            app_access: record.role_app_access,
-            admin_access: record.role_admin_access,
+            role: record.user_role,
+            app_access: globalAccess.app,
+            admin_access: globalAccess.admin,
         };
         if (options?.session) {
             newRefreshToken = await this.updateStatefulSession(record, refreshToken, newRefreshToken, refreshTokenExpiration);

package/dist/services/collections.js CHANGED Viewed

@@ -9,6 +9,8 @@ import { ALIAS_TYPES } from '../constants.js';
 import { getHelpers } from '../database/helpers/index.js';
 import getDatabase, { getSchemaInspector } from '../database/index.js';
 import emitter from '../emitter.js';
+import { fetchAllowedCollections } from '../permissions/modules/fetch-allowed-collections/fetch-allowed-collections.js';
+import { validateAccess } from '../permissions/modules/validate-access/validate-access.js';
 import { getSchema } from '../utils/get-schema.js';
 import { shouldClearCache } from '../utils/should-clear-cache.js';
 import { transaction } from '../utils/transaction.js';
@@ -223,11 +225,13 @@ export class CollectionsService {
                 ...meta,
                 [item.collection]: item.group,
             }), {});
-            let collectionsYouHavePermissionToRead = this.accountability
-                .permissions.filter((permission) => {
-                return permission.action === 'read';
-            })
-                .map(({ collection }) => collection);
+            let collectionsYouHavePermissionToRead = await fetchAllowedCollections({
+                accountability: this.accountability,
+                action: 'read',
+            }, {
+                knex: this.knex,
+                schema: this.schema,
+            });
             for (const collection of collectionsYouHavePermissionToRead) {
                 const group = collectionsGroups[collection];
                 if (group)
@@ -279,18 +283,15 @@ export class CollectionsService {
      * Read many collections by name
      */
     async readMany(collectionKeys) {
-        if (this.accountability && this.accountability.admin !== true) {
-            const permissions = this.accountability.permissions.filter((permission) => {
-                return permission.action === 'read' && collectionKeys.includes(permission.collection);
-            });
-            if (collectionKeys.length !== permissions.length) {
-                const collectionsYouHavePermissionToRead = permissions.map(({ collection }) => collection);
-                for (const collectionKey of collectionKeys) {
-                    if (collectionsYouHavePermissionToRead.includes(collectionKey) === false) {
-                        throw new ForbiddenError();
-                    }
-                }
-            }
+        if (this.accountability) {
+            await Promise.all(collectionKeys.map((collection) => validateAccess({
+                accountability: this.accountability,
+                action: 'read',
+                collection,
+            }, {
+                schema: this.schema,
+                knex: this.knex,
+            })));
         }
         const collections = await this.readByQuery();
         return collections.filter(({ collection }) => collectionKeys.includes(collection));

package/dist/services/fields.d.ts CHANGED Viewed

@@ -18,7 +18,6 @@ export declare class FieldsService {
     systemCache: Keyv<any>;
     schemaCache: Keyv<any>;
     constructor(options: AbstractServiceOptions);
-    private get hasReadAccess();
     columnInfo(collection?: string): Promise<Column[]>;
     columnInfo(collection: string, field: string): Promise<Column>;
     readAll(collection?: string): Promise<Field[]>;

package/dist/services/fields.js CHANGED Viewed

@@ -1,4 +1,5 @@
-import { KNEX_TYPES, REGEX_BETWEEN_PARENS, DEFAULT_NUMERIC_PRECISION, DEFAULT_NUMERIC_SCALE, } from '@directus/constants';
+import { DEFAULT_NUMERIC_PRECISION, DEFAULT_NUMERIC_SCALE, KNEX_TYPES, REGEX_BETWEEN_PARENS, } from '@directus/constants';
+import { useEnv } from '@directus/env';
 import { ForbiddenError, InvalidPayloadError } from '@directus/errors';
 import { createInspector } from '@directus/schema';
 import { addFieldFlag, toArray } from '@directus/utils';
@@ -9,6 +10,9 @@ import { translateDatabaseError } from '../database/errors/translate.js';
 import { getHelpers } from '../database/helpers/index.js';
 import getDatabase, { getSchemaInspector } from '../database/index.js';
 import emitter from '../emitter.js';
+import { fetchPermissions } from '../permissions/lib/fetch-permissions.js';
+import { fetchPolicies } from '../permissions/lib/fetch-policies.js';
+import { validateAccess } from '../permissions/modules/validate-access/validate-access.js';
 import getDefaultValue from '../utils/get-default-value.js';
 import { getSystemFieldRowsWithAuthProviders } from '../utils/get-field-system-rows.js';
 import getLocalType from '../utils/get-local-type.js';
@@ -19,7 +23,6 @@ import { transaction } from '../utils/transaction.js';
 import { ItemsService } from './items.js';
 import { PayloadService } from './payload.js';
 import { RelationsService } from './relations.js';
-import { useEnv } from '@directus/env';
 const systemFieldRows = getSystemFieldRowsWithAuthProviders();
 const env = useEnv();
 export class FieldsService {
@@ -46,11 +49,6 @@ export class FieldsService {
         this.systemCache = systemCache;
         this.schemaCache = localSchemaCache;
     }
-    get hasReadAccess() {
-        return !!this.accountability?.permissions?.find((permission) => {
-            return permission.collection === 'directus_fields' && permission.action === 'read';
-        });
-    }
     async columnInfo(collection, field) {
         const schemaCacheIsEnabled = Boolean(env['CACHE_SCHEMA']);
         let columnInfo = null;
@@ -73,8 +71,15 @@ export class FieldsService {
     }
     async readAll(collection) {
         let fields;
-        if (this.accountability && this.accountability.admin !== true && this.hasReadAccess === false) {
-            throw new ForbiddenError();
+        if (this.accountability) {
+            await validateAccess({
+                accountability: this.accountability,
+                action: 'read',
+                collection: 'directus_fields',
+            }, {
+                schema: this.schema,
+                knex: this.knex,
+            });
         }
         const nonAuthorizedItemsService = new ItemsService('directus_fields', {
             knex: this.knex,
@@ -143,12 +148,27 @@ export class FieldsService {
         const result = [...columnsWithSystem, ...aliasFieldsAsField].filter((field) => knownCollections.includes(field.collection));
         // Filter the result so we only return the fields you have read access to
         if (this.accountability && this.accountability.admin !== true) {
-            const permissions = this.accountability.permissions.filter((permission) => {
-                return permission.action === 'read';
-            });
+            const policies = await fetchPolicies(this.accountability, { knex: this.knex, schema: this.schema });
+            const permissions = await fetchPermissions(collection
+                ? {
+                    action: 'read',
+                    policies,
+                    collections: [collection],
+                    accountability: this.accountability,
+                }
+                : {
+                    action: 'read',
+                    policies,
+                    accountability: this.accountability,
+                }, { knex: this.knex, schema: this.schema });
             const allowedFieldsInCollection = {};
             permissions.forEach((permission) => {
-                allowedFieldsInCollection[permission.collection] = permission.fields ?? [];
+                if (!allowedFieldsInCollection[permission.collection]) {
+                    allowedFieldsInCollection[permission.collection] = new Set();
+                }
+                for (const field of permission.fields ?? []) {
+                    allowedFieldsInCollection[permission.collection].add(field);
+                }
             });
             if (collection && collection in allowedFieldsInCollection === false) {
                 throw new ForbiddenError();
@@ -157,9 +177,9 @@ export class FieldsService {
                 if (field.collection in allowedFieldsInCollection === false)
                     return false;
                 const allowedFields = allowedFieldsInCollection[field.collection];
-                if (allowedFields[0] === '*')
+                if (allowedFields.has('*'))
                     return true;
-                return allowedFields.includes(field.field);
+                return allowedFields.has(field.field);
             });
         }
         // Update specific database type overrides
@@ -176,18 +196,27 @@ export class FieldsService {
     }
     async readOne(collection, field) {
         if (this.accountability && this.accountability.admin !== true) {
-            if (this.hasReadAccess === false) {
-                throw new ForbiddenError();
-            }
-            const permissions = this.accountability.permissions.find((permission) => {
-                return permission.action === 'read' && permission.collection === collection;
+            await validateAccess({
+                accountability: this.accountability,
+                action: 'read',
+                collection,
+            }, {
+                schema: this.schema,
+                knex: this.knex,
             });
-            if (!permissions || !permissions.fields)
+            const policies = await fetchPolicies(this.accountability, { knex: this.knex, schema: this.schema });
+            const permissions = await fetchPermissions({ action: 'read', policies, collections: [collection], accountability: this.accountability }, { knex: this.knex, schema: this.schema });
+            let hasAccess = false;
+            for (const permission of permissions) {
+                if (permission.fields) {
+                    if (permission.fields.includes('*') || permission.fields.includes(field)) {
+                        hasAccess = true;
+                        break;
+                    }
+                }
+            }
+            if (!hasAccess) {
                 throw new ForbiddenError();
-            if (permissions.fields.includes('*') === false) {
-                const allowedFields = permissions.fields;
-                if (allowedFields.includes(field) === false)
-                    throw new ForbiddenError();
             }
         }
         let column = undefined;

package/dist/services/files.js CHANGED Viewed

@@ -12,6 +12,7 @@ import url from 'url';
 import { RESUMABLE_UPLOADS } from '../constants.js';
 import emitter from '../emitter.js';
 import { useLogger } from '../logger/index.js';
+import { validateAccess } from '../permissions/modules/validate-access/validate-access.js';
 import { getAxios } from '../request/index.js';
 import { getStorage } from '../storage/index.js';
 import { extractMetadata } from './files/lib/extract-metadata.js';
@@ -157,9 +158,15 @@ export class FilesService extends ItemsService {
      * Import a single file from an external URL
      */
     async importOne(importURL, body) {
-        const fileCreatePermissions = this.accountability?.permissions?.find((permission) => permission.collection === 'directus_files' && permission.action === 'create');
-        if (this.accountability && this.accountability?.admin !== true && !fileCreatePermissions) {
-            throw new ForbiddenError();
+        if (this.accountability) {
+            await validateAccess({
+                accountability: this.accountability,
+                action: 'create',
+                collection: 'directus_files',
+            }, {
+                knex: this.knex,
+                schema: this.schema,
+            });
         }
         let fileResponse;
         try {

package/dist/services/graphql/index.d.ts CHANGED Viewed

@@ -20,9 +20,9 @@ export declare class GraphQLService {
     /**
      * Generate the GraphQL schema. Pulls from the schema information generated by the get-schema util.
      */
-    getSchema(): GraphQLSchema;
-    getSchema(type: 'schema'): GraphQLSchema;
-    getSchema(type: 'sdl'): GraphQLSchema | string;
+    getSchema(): Promise<GraphQLSchema>;
+    getSchema(type: 'schema'): Promise<GraphQLSchema>;
+    getSchema(type: 'sdl'): Promise<GraphQLSchema | string>;
     /**
      * Generic resolver that's used for every "regular" items/system query. Converts the incoming GraphQL AST / fragments into
      * Directus' query structure which is then executed by the services.