@directus/api 22.0.0 → 22.1.1

package/dist/cli/commands/init/questions.d.ts

@@ -1,20 +1,21 @@
+import type { Driver } from '../../../types/index.js';
 export declare const databaseQuestions: {
     sqlite3: (({ filepath }: {
         filepath: string;
     }) => Record<string, string>)[];
-    mysql: (({ client }: {
-        client: string;
+    mysql2: (({ client }: {
+        client: Exclude<Driver, 'sqlite3'>;
     }) => Record<string, any>)[];
     pg: (({ client }: {
-        client: string;
+        client: Exclude<Driver, 'sqlite3'>;
     }) => Record<string, any>)[];
     cockroachdb: (({ client }: {
-        client: string;
+        client: Exclude<Driver, 'sqlite3'>;
     }) => Record<string, any>)[];
     oracledb: (({ client }: {
-        client: string;
+        client: Exclude<Driver, 'sqlite3'>;
     }) => Record<string, any>)[];
     mssql: (({ client }: {
-        client: string;
+        client: Exclude<Driver, 'sqlite3'>;
     }) => Record<string, any>)[];
 };

package/dist/cli/commands/init/questions.js

@@ -19,7 +19,7 @@ const port = ({ client }) => ({
         const ports = {
             pg: 5432,
             cockroachdb: 26257,
-            mysql: 3306,
+            mysql2: 3306,
             oracledb: 1521,
             mssql: 1433,
         };
@@ -57,7 +57,7 @@ const ssl = () => ({
 });
 export const databaseQuestions = {
     sqlite3: [filename],
-    mysql: [host, port, database, user, password],
+    mysql2: [host, port, database, user, password],
     pg: [host, port, database, user, password, ssl],
     cockroachdb: [host, port, database, user, password, ssl],
     oracledb: [host, port, database, user, password],

package/dist/cli/utils/create-env/index.d.ts

@@ -1,3 +1,3 @@
+import type { Driver } from '../../../types/index.js';
 import type { Credentials } from '../create-db-connection.js';
-import type { drivers } from '../drivers.js';
-export default function createEnv(client: keyof typeof drivers, credentials: Credentials, directory: string): Promise<void>;
+export default function createEnv(client: Driver, credentials: Credentials, directory: string): Promise<void>;

package/dist/cli/utils/create-env/index.js

@@ -14,12 +14,14 @@ const liquidEngine = new Liquid({
 });
 export default async function createEnv(client, credentials, directory) {
     const { nanoid } = await import('nanoid');
+    // For backwards-compatibility, DB_CLIENT is still 'mysql'
+    const dbClient = client === 'mysql2' ? 'mysql' : client;
     const config = {
         security: {
             SECRET: nanoid(32),
         },
         database: {
-            DB_CLIENT: client,
+            DB_CLIENT: dbClient,
         },
     };
     for (const [key, value] of Object.entries(credentials)) {

package/dist/cli/utils/drivers.js

@@ -1,7 +1,7 @@
 export const drivers = {
     pg: 'PostgreSQL / Redshift',
     cockroachdb: 'CockroachDB (Beta)',
-    mysql: 'MySQL / MariaDB / Aurora',
+    mysql2: 'MySQL / MariaDB / Aurora',
     sqlite3: 'SQLite',
     mssql: 'Microsoft SQL Server',
     oracledb: 'Oracle Database',

package/dist/database/get-ast-from-query/get-ast-from-query.js

@@ -2,8 +2,8 @@
  * Generate an AST based on a given collection and query
  */
 import { cloneDeep, uniq } from 'lodash-es';
-import { fetchAllowedFields } from '../../permissions/modules/fetch-allowed-fields/fetch-allowed-fields.js';
 import { parseFields } from './lib/parse-fields.js';
+import { getAllowedSort } from './utils/get-allowed-sort.js';
 export async function getAstFromQuery(options, context) {
     options.query = cloneDeep(options.query);
     const ast = {
@@ -36,36 +36,7 @@ export async function getAstFromQuery(options, context) {
     // Prevent fields/deep from showing up in the query object in further use
     delete options.query.fields;
     delete options.query.deep;
-    if (!options.query.sort) {
-        // We'll default to the primary key for the standard sort output
-        let sortField = context.schema.collections[options.collection].primary;
-        // If a custom manual sort field is configured, use that
-        if (context.schema.collections[options.collection]?.sortField) {
-            sortField = context.schema.collections[options.collection].sortField;
-        }
-        if (options.accountability && options.accountability.admin === false) {
-            // Verify that the user has access to the sort field
-            const allowedFields = await fetchAllowedFields({
-                collection: options.collection,
-                action: 'read',
-                accountability: options.accountability,
-            }, context);
-            if (allowedFields.length === 0) {
-                sortField = null;
-            }
-            else if (allowedFields.includes('*') === false && allowedFields.includes(sortField) === false) {
-                // If the sort field is not allowed, default to the first allowed field
-                sortField = allowedFields[0];
-            }
-        }
-        // When group by is used, default to the first column provided in the group by clause
-        if (options.query.group?.[0]) {
-            sortField = options.query.group[0];
-        }
-        if (sortField) {
-            options.query.sort = [sortField];
-        }
-    }
+    options.query.sort ??= await getAllowedSort(options, context);
     // When no group by is supplied, but an aggregate function is used, only a single row will be
     // returned. In those cases, we'll ignore the sort field altogether
     if (options.query.aggregate && Object.keys(options.query.aggregate).length && !options.query.group?.[0]) {

package/dist/database/get-ast-from-query/lib/parse-fields.d.ts

@@ -1,6 +1,6 @@
 import type { Accountability, Query, SchemaOverview } from '@directus/types';
 import type { Knex } from 'knex';
-import type { FieldNode, FunctionFieldNode, NestedCollectionNode } from '../../../types/index.js';
+import type { FieldNode, FunctionFieldNode, NestedCollectionNode, O2MNode } from '../../../types/index.js';
 export interface ParseFieldsOptions {
     accountability: Accountability | null;
     parentCollection: string;
@@ -13,3 +13,4 @@ export interface ParseFieldsContext {
     knex: Knex;
 }
 export declare function parseFields(options: ParseFieldsOptions, context: ParseFieldsContext): Promise<[] | (NestedCollectionNode | FieldNode | FunctionFieldNode)[]>;
+export declare function isO2MNode(node: NestedCollectionNode | null): node is O2MNode;

package/dist/database/get-ast-from-query/lib/parse-fields.js

@@ -3,6 +3,7 @@ import { isEmpty } from 'lodash-es';
 import { fetchPermissions } from '../../../permissions/lib/fetch-permissions.js';
 import { fetchPolicies } from '../../../permissions/lib/fetch-policies.js';
 import { getRelationType } from '../../../utils/get-relation-type.js';
+import { getAllowedSort } from '../utils/get-allowed-sort.js';
 import { getDeepQuery } from '../utils/get-deep-query.js';
 import { getRelatedCollection } from '../utils/get-related-collection.js';
 import { getRelation } from '../utils/get-relation.js';
@@ -119,7 +120,16 @@ export async function parseFields(options, context) {
             continue;
         let child = null;
         if (relationType === 'a2o') {
-            const allowedCollections = relation.meta.one_allowed_collections;
+            let allowedCollections = relation.meta.one_allowed_collections;
+            if (options.accountability && options.accountability.admin === false && policies) {
+                const permissions = await fetchPermissions({
+                    action: 'read',
+                    collections: allowedCollections,
+                    policies: policies,
+                    accountability: options.accountability,
+                }, context);
+                allowedCollections = allowedCollections.filter((collection) => permissions.some((permission) => permission.collection === collection));
+            }
             child = {
                 type: 'a2o',
                 names: allowedCollections,
@@ -181,8 +191,13 @@ export async function parseFields(options, context) {
                 cases: [],
                 whenCase: [],
             };
-            if (relationType === 'o2m' && !child.query.sort) {
-                child.query.sort = [relation.meta?.sort_field || context.schema.collections[relation.collection].primary];
+            if (isO2MNode(child) && !child.query.sort) {
+                child.query.sort = await getAllowedSort({ collection: relation.collection, relation, accountability: options.accountability }, context);
+            }
+            if (isO2MNode(child) && child.query.group && child.query.group[0] !== relation.field) {
+                // If a group by is used, the result needs to be grouped by the foreign key of the relation first, so results
+                // are correctly grouped under the foreign key when extracting the grouped results from the nested queries.
+                child.query.group.unshift(relation.field);
             }
         }
         if (child) {
@@ -198,3 +213,6 @@ export async function parseFields(options, context) {
         return true;
     });
 }
+export function isO2MNode(node) {
+    return !!node && node.type === 'o2m';
+}

package/dist/database/get-ast-from-query/utils/get-allowed-sort.d.ts

@@ -0,0 +1,9 @@
+import type { Accountability, Query, Relation } from '@directus/types';
+import type { Context } from '../../../permissions/types.js';
+export type GetAllowedSortFieldOptions = {
+    collection: string;
+    accountability: Accountability | null;
+    query?: Query;
+    relation?: Relation;
+};
+export declare function getAllowedSort(options: GetAllowedSortFieldOptions, context: Context): Promise<string[] | null>;

package/dist/database/get-ast-from-query/utils/get-allowed-sort.js

@@ -0,0 +1,35 @@
+import { fetchAllowedFields } from '../../../permissions/modules/fetch-allowed-fields/fetch-allowed-fields.js';
+export async function getAllowedSort(options, context) {
+    // We'll default to the primary key for the standard sort output
+    let sortField = context.schema.collections[options.collection].primary;
+    // If a custom manual sort field is configured, use that
+    if (context.schema.collections[options.collection]?.sortField) {
+        sortField = context.schema.collections[options.collection].sortField;
+    }
+    // If a sort field is defined on the relation, use that
+    if (options.relation?.meta?.sort_field) {
+        sortField = options.relation.meta.sort_field;
+    }
+    if (options.accountability && options.accountability.admin === false) {
+        // Verify that the user has access to the sort field
+        const allowedFields = await fetchAllowedFields({
+            collection: options.collection,
+            action: 'read',
+            accountability: options.accountability,
+        }, context);
+        if (allowedFields.length === 0) {
+            sortField = null;
+        }
+        else if (allowedFields.includes('*') === false && allowedFields.includes(sortField) === false) {
+            // If the sort field is not allowed, default to the first allowed field
+            sortField = allowedFields[0];
+        }
+    }
+    // When group by is used, default to the first column provided in the group by clause
+    if (options.query?.group?.[0]) {
+        sortField = options.query.group[0];
+    }
+    if (sortField)
+        return [sortField];
+    return null;
+}

package/dist/database/helpers/fn/types.d.ts

@@ -1,11 +1,14 @@
-import type { Filter, Query, SchemaOverview } from '@directus/types';
+import type { Filter, Permission, Query, SchemaOverview } from '@directus/types';
 import type { Knex } from 'knex';
 import { DatabaseHelper } from '../types.js';
 export type FnHelperOptions = {
     type: string | undefined;
-    query: Query | undefined;
-    cases: Filter[] | undefined;
     originalCollectionName: string | undefined;
+    relationalCountOptions: {
+        query: Query;
+        cases: Filter[];
+        permissions: Permission[];
+    } | undefined;
 };
 export declare abstract class FnHelper extends DatabaseHelper {
     protected schema: SchemaOverview;

package/dist/database/helpers/fn/types.js

@@ -20,7 +20,7 @@ export class FnHelper extends DatabaseHelper {
             .count('*')
             .from({ [alias]: relation.collection })
             .where(this.knex.raw(`??.??`, [alias, relation.field]), '=', this.knex.raw(`??.??`, [table, currentPrimary]));
-        if (options?.query?.filter) {
+        if (options?.relationalCountOptions?.query.filter) {
             // set the newly aliased collection in the alias map as the default parent collection, indicated by '', for any nested filters
             const aliasMap = {
                 '': {
@@ -28,7 +28,7 @@ export class FnHelper extends DatabaseHelper {
                     collection: relation.collection,
                 },
             };
-            countQuery = applyFilter(this.knex, this.schema, countQuery, options.query.filter, relation.collection, aliasMap, options.cases ?? []).query;
+            countQuery = applyFilter(this.knex, this.schema, countQuery, options.relationalCountOptions.query.filter, relation.collection, aliasMap, options.relationalCountOptions.cases, options.relationalCountOptions.permissions).query;
         }
         return this.knex.raw('(' + countQuery.toQuery() + ')');
     }

package/dist/database/helpers/index.d.ts

@@ -8,10 +8,10 @@ import * as sequenceHelpers from './sequence/index.js';
 import * as numberHelpers from './number/index.js';
 export declare function getHelpers(database: Knex): {
     date: dateHelpers.postgres | dateHelpers.oracle | dateHelpers.mysql | dateHelpers.mssql | dateHelpers.sqlite;
-    st: geometryHelpers.mysql | geometryHelpers.postgres | geometryHelpers.mssql | geometryHelpers.sqlite | geometryHelpers.oracle | geometryHelpers.redshift;
-    schema: schemaHelpers.mysql | schemaHelpers.cockroachdb | schemaHelpers.mssql | schemaHelpers.postgres | schemaHelpers.sqlite | schemaHelpers.oracle | schemaHelpers.redshift;
+    st: geometryHelpers.postgres | geometryHelpers.mssql | geometryHelpers.mysql | geometryHelpers.sqlite | geometryHelpers.oracle | geometryHelpers.redshift;
+    schema: schemaHelpers.cockroachdb | schemaHelpers.mssql | schemaHelpers.mysql | schemaHelpers.postgres | schemaHelpers.sqlite | schemaHelpers.oracle | schemaHelpers.redshift;
     sequence: sequenceHelpers.mysql | sequenceHelpers.postgres;
     number: numberHelpers.cockroachdb | numberHelpers.mssql | numberHelpers.postgres | numberHelpers.sqlite | numberHelpers.oracle;
 };
-export declare function getFunctions(database: Knex, schema: SchemaOverview): fnHelpers.mysql | fnHelpers.postgres | fnHelpers.mssql | fnHelpers.sqlite | fnHelpers.oracle;
+export declare function getFunctions(database: Knex, schema: SchemaOverview): fnHelpers.postgres | fnHelpers.mssql | fnHelpers.mysql | fnHelpers.sqlite | fnHelpers.oracle;
 export type Helpers = ReturnType<typeof getHelpers>;

package/dist/database/index.d.ts

@@ -3,7 +3,7 @@ import type { Knex } from 'knex';
 import type { DatabaseClient } from '../types/index.js';
 export default getDatabase;
 export declare function getDatabase(): Knex;
-export declare function getSchemaInspector(): SchemaInspector;
+export declare function getSchemaInspector(database?: Knex): SchemaInspector;
 /**
  * Get database version. Value currently exists for MySQL only.
  *

package/dist/database/index.js

@@ -143,11 +143,11 @@ export function getDatabase() {
     });
     return database;
 }
-export function getSchemaInspector() {
+export function getSchemaInspector(database) {
     if (inspector) {
         return inspector;
     }
-    const database = getDatabase();
+    database ??= getDatabase();
     inspector = createInspector(database);
     return inspector;
 }

package/dist/database/migrations/20210519A-add-system-fk-triggers.js

@@ -1,5 +1,6 @@
 import { createInspector } from '@directus/schema';
 import { useLogger } from '../../logger/index.js';
+import { getDatabaseClient } from '../index.js';
 /**
  * Things to keep in mind:
  *
@@ -99,7 +100,7 @@ export async function up(knex) {
              * MySQL won't delete the index when you drop the foreign key constraint. Gotta make
              * sure to clean those up as well
              */
-            if (knex.client.constructor.name === 'Client_MySQL') {
+            if (getDatabaseClient(knex) === 'mysql') {
                 try {
                     await knex.schema.alterTable(update.table, (table) => {
                         // Knex uses a default convention for index names: `table_column_type`
@@ -140,7 +141,7 @@ export async function down(knex) {
              * MySQL won't delete the index when you drop the foreign key constraint. Gotta make
              * sure to clean those up as well
              */
-            if (knex.client.constructor.name === 'Client_MySQL') {
+            if (getDatabaseClient(knex) === 'mysql') {
                 try {
                     await knex.schema.alterTable(update.table, (table) => {
                         // Knex uses a default convention for index names: `table_column_type`

package/dist/database/migrations/20230721A-require-shares-fields.js

@@ -1,9 +1,8 @@
 import { createInspector } from '@directus/schema';
 import { useLogger } from '../../logger/index.js';
-import { getHelpers } from '../helpers/index.js';
+import { getDatabaseClient } from '../index.js';
 export async function up(knex) {
-    const helper = getHelpers(knex).schema;
-    const isMysql = helper.isOneOfClients(['mysql']);
+    const isMysql = getDatabaseClient(knex) === 'mysql';
     if (isMysql) {
         await dropConstraint(knex);
     }
@@ -16,8 +15,7 @@ export async function up(knex) {
     }
 }
 export async function down(knex) {
-    const helper = getHelpers(knex).schema;
-    const isMysql = helper.isOneOfClients(['mysql']);
+    const isMysql = getDatabaseClient(knex) === 'mysql';
     if (isMysql) {
         await dropConstraint(knex);
     }

package/dist/database/migrations/20240716A-update-files-date-fields.js

@@ -1,8 +1,6 @@
-import { getHelpers } from '../helpers/index.js';
+import { getDatabaseClient } from '../index.js';
 export async function up(knex) {
-    const helper = getHelpers(knex).schema;
-    const isMysql = helper.isOneOfClients(['mysql']);
-    if (isMysql) {
+    if (getDatabaseClient(knex) === 'mysql') {
         // Knex creates invalid statement on MySQL, see https://github.com/knex/knex/issues/1888
         await knex.schema.raw('ALTER TABLE `directus_files` CHANGE `uploaded_on` `created_on` TIMESTAMP NOT NULL DEFAULT current_timestamp();');
     }
@@ -20,9 +18,7 @@ export async function down(knex) {
     await knex.schema.alterTable('directus_files', (table) => {
         table.dropColumn('uploaded_on');
     });
-    const helper = getHelpers(knex).schema;
-    const isMysql = helper.isOneOfClients(['mysql']);
-    if (isMysql) {
+    if (getDatabaseClient(knex) === 'mysql') {
         await knex.schema.raw('ALTER TABLE `directus_files` CHANGE `created_on` `uploaded_on` TIMESTAMP NOT NULL DEFAULT current_timestamp();');
     }
     else {

package/dist/database/migrations/20240806A-permissions-policies.js

@@ -1,10 +1,12 @@
 import { processChunk, toBoolean } from '@directus/utils';
 import { flatten, intersection, isEqual, merge, omit, uniq } from 'lodash-es';
 import { randomUUID } from 'node:crypto';
+import { useLogger } from '../../logger/index.js';
 import { fetchPermissions } from '../../permissions/lib/fetch-permissions.js';
 import { fetchPolicies } from '../../permissions/lib/fetch-policies.js';
 import { fetchRolesTree } from '../../permissions/lib/fetch-roles-tree.js';
 import { getSchema } from '../../utils/get-schema.js';
+import { getSchemaInspector } from '../index.js';
 // Adapted from https://github.com/directus/directus/blob/141b8adbf4dd8e06530a7929f34e3fc68a522053/api/src/utils/merge-permissions.ts#L4
 export function mergePermissions(strategy, ...permissions) {
     const allPermissions = flatten(permissions);
@@ -129,6 +131,7 @@ async function fetchRoleAccess(roles, context) {
  */
 const PUBLIC_POLICY_ID = 'abf8a154-5b1c-4a46-ac9c-7300570f4f17';
 export async function up(knex) {
+    const logger = useLogger();
     /////////////////////////////////////////////////////////////////////////////////////////////////
     // If the policies table already exists the migration has already run
     if (await knex.schema.hasTable('directus_policies')) {
@@ -183,10 +186,21 @@ export async function up(knex) {
     /////////////////////////////////////////////////////////////////////////////////////////////////
     // Link permissions to policies instead of roles
     await knex.schema.alterTable('directus_permissions', (table) => {
-        table.uuid('policy').references('directus_policies.id').onDelete('CASCADE');
-        // Drop the foreign key constraint here in order to update `null` role to public policy ID
-        table.dropForeign('role');
+        table.uuid('policy');
     });
+    try {
+        const inspector = await getSchemaInspector(knex);
+        const foreignKeys = await inspector.foreignKeys('directus_permissions');
+        const foreignConstraint = foreignKeys.find((foreign) => foreign.foreign_key_table === 'directus_roles' && foreign.column === 'role')
+            ?.constraint_name || undefined;
+        await knex.schema.alterTable('directus_permissions', (table) => {
+            // Drop the foreign key constraint here in order to update `null` role to public policy ID
+            table.dropForeign('role', foreignConstraint);
+        });
+    }
+    catch (err) {
+        logger.warn('Failed to drop foreign key constraint on `role` column in `directus_permissions` table');
+    }
     await knex('directus_permissions')
         .update({
         role: PUBLIC_POLICY_ID,
@@ -198,6 +212,7 @@ export async function up(knex) {
     await knex.schema.alterTable('directus_permissions', (table) => {
         table.dropColumns('role');
         table.dropNullable('policy');
+        table.foreign('policy').references('directus_policies.id').onDelete('CASCADE');
     });
     /////////////////////////////////////////////////////////////////////////////////////////////////
     // Setup junction table between roles/users and policies

package/dist/database/run-ast/lib/get-db-query.d.ts

@@ -1,4 +1,4 @@
-import type { Filter, Query, SchemaOverview } from '@directus/types';
+import type { Filter, Permission, Query, SchemaOverview } from '@directus/types';
 import type { Knex } from 'knex';
 import type { FieldNode, FunctionFieldNode, O2MNode } from '../../../types/ast.js';
-export declare function getDBQuery(schema: SchemaOverview, knex: Knex, table: string, fieldNodes: (FieldNode | FunctionFieldNode)[], o2mNodes: O2MNode[], query: Query, cases: Filter[]): Knex.QueryBuilder;
+export declare function getDBQuery(schema: SchemaOverview, knex: Knex, table: string, fieldNodes: (FieldNode | FunctionFieldNode)[], o2mNodes: O2MNode[], query: Query, cases: Filter[], permissions: Permission[]): Knex.QueryBuilder;

package/dist/database/run-ast/lib/get-db-query.js

@@ -9,10 +9,10 @@ import { getColumnPreprocessor } from '../utils/get-column-pre-processor.js';
 import { getNodeAlias } from '../utils/get-field-alias.js';
 import { getInnerQueryColumnPreProcessor } from '../utils/get-inner-query-column-pre-processor.js';
 import { withPreprocessBindings } from '../utils/with-preprocess-bindings.js';
-export function getDBQuery(schema, knex, table, fieldNodes, o2mNodes, query, cases) {
+export function getDBQuery(schema, knex, table, fieldNodes, o2mNodes, query, cases, permissions) {
     const aliasMap = Object.create(null);
     const env = useEnv();
-    const preProcess = getColumnPreprocessor(knex, schema, table, cases, aliasMap);
+    const preProcess = getColumnPreprocessor(knex, schema, table, cases, permissions, aliasMap);
     const queryCopy = cloneDeep(query);
     const helpers = getHelpers(knex);
     const hasCaseWhen = o2mNodes.some((node) => node.whenCase && node.whenCase.length > 0) ||
@@ -25,7 +25,10 @@ export function getDBQuery(schema, knex, table, fieldNodes, o2mNodes, query, cas
         const groupWhenCases = hasCaseWhen
             ? queryCopy.group?.map((field) => fieldNodes.find(({ fieldKey }) => fieldKey === field)?.whenCase ?? [])
             : undefined;
-        const dbQuery = applyQuery(knex, table, flatQuery, queryCopy, schema, cases, { aliasMap, groupWhenCases }).query;
+        const dbQuery = applyQuery(knex, table, flatQuery, queryCopy, schema, cases, permissions, {
+            aliasMap,
+            groupWhenCases,
+        }).query;
         flatQuery.select(fieldNodes.map((node) => preProcess(node)));
         withPreprocessBindings(knex, dbQuery);
         return dbQuery;
@@ -42,7 +45,7 @@ export function getDBQuery(schema, knex, table, fieldNodes, o2mNodes, query, cas
             hasMultiRelationalSort = sortResult.hasMultiRelationalSort;
         }
     }
-    const { hasMultiRelationalFilter } = applyQuery(knex, table, dbQuery, queryCopy, schema, cases, {
+    const { hasMultiRelationalFilter } = applyQuery(knex, table, dbQuery, queryCopy, schema, cases, permissions, {
         aliasMap,
         isInnerQuery: true,
         hasMultiRelationalSort,
@@ -68,6 +71,7 @@ export function getDBQuery(schema, knex, table, fieldNodes, o2mNodes, query, cas
                 cases,
                 table,
                 alias: node.fieldKey,
+                permissions,
             }, { knex, schema });
         }));
     }
@@ -159,7 +163,7 @@ export function getDBQuery(schema, knex, table, fieldNodes, o2mNodes, query, cas
             SELECT ...,
               CASE WHEN `inner`.<random-prefix>_<alias> > 0 THEN <actual-column> END AS <alias>
          */
-        const innerPreprocess = getInnerQueryColumnPreProcessor(knex, schema, table, cases, aliasMap, innerCaseWhenAliasPrefix);
+        const innerPreprocess = getInnerQueryColumnPreProcessor(knex, schema, table, cases, permissions, aliasMap, innerCaseWhenAliasPrefix);
         // To optimize the query we avoid having unnecessary columns in the inner query, that don't have a caseWhen, since
         // they are selected in the outer query directly
         dbQuery.select(fieldNodes.map(innerPreprocess).filter((x) => x !== null));

package/dist/database/run-ast/run-ast.d.ts

@@ -1,7 +1,7 @@
-import type { Item, SchemaOverview } from '@directus/types';
+import type { Accountability, Item, SchemaOverview } from '@directus/types';
 import type { AST, NestedCollectionNode } from '../../types/ast.js';
 import type { RunASTOptions } from './types.js';
 /**
  * Execute a given AST using Knex. Returns array of items based on requested AST.
  */
-export declare function runAst(originalAST: AST | NestedCollectionNode, schema: SchemaOverview, options?: RunASTOptions): Promise<null | Item | Item[]>;
+export declare function runAst(originalAST: AST | NestedCollectionNode, schema: SchemaOverview, accountability: Accountability | null, options?: RunASTOptions): Promise<null | Item | Item[]>;

package/dist/database/run-ast/run-ast.js

@@ -1,5 +1,7 @@
 import { useEnv } from '@directus/env';
 import { cloneDeep, merge } from 'lodash-es';
+import { fetchPermissions } from '../../permissions/lib/fetch-permissions.js';
+import { fetchPolicies } from '../../permissions/lib/fetch-policies.js';
 import { PayloadService } from '../../services/payload.js';
 import getDatabase from '../index.js';
 import { getDBQuery } from './lib/get-db-query.js';
@@ -10,26 +12,31 @@ import { removeTemporaryFields } from './utils/remove-temporary-fields.js';
 /**
  * Execute a given AST using Knex. Returns array of items based on requested AST.
  */
-export async function runAst(originalAST, schema, options) {
+export async function runAst(originalAST, schema, accountability, options) {
     const ast = cloneDeep(originalAST);
     const knex = options?.knex || getDatabase();
     if (ast.type === 'a2o') {
         const results = {};
         for (const collection of ast.names) {
-            results[collection] = await run(collection, ast.children[collection], ast.query[collection], ast.cases[collection] ?? []);
+            results[collection] = await run(collection, ast.children[collection], ast.query[collection], ast.cases[collection] ?? [], accountability);
         }
         return results;
     }
     else {
-        return await run(ast.name, ast.children, options?.query || ast.query, ast.cases);
+        return await run(ast.name, ast.children, options?.query || ast.query, ast.cases, accountability);
     }
-    async function run(collection, children, query, cases) {
+    async function run(collection, children, query, cases, accountability) {
         const env = useEnv();
         // Retrieve the database columns to select in the current AST
         const { fieldNodes, primaryKeyField, nestedCollectionNodes } = await parseCurrentLevel(schema, collection, children, query);
         const o2mNodes = nestedCollectionNodes.filter((node) => node.type === 'o2m');
+        let permissions = [];
+        if (accountability && !accountability.admin) {
+            const policies = await fetchPolicies(accountability, { schema, knex });
+            permissions = await fetchPermissions({ action: 'read', accountability, policies }, { schema, knex });
+        }
         // The actual knex query builder instance. This is a promise that resolves with the raw items from the db
-        const dbQuery = getDBQuery(schema, knex, collection, fieldNodes, o2mNodes, query, cases);
+        const dbQuery = getDBQuery(schema, knex, collection, fieldNodes, o2mNodes, query, cases, permissions);
         const rawItems = await dbQuery;
         if (!rawItems)
             return null;
@@ -72,7 +79,7 @@ export async function runAst(originalAST, schema, options) {
                             page: null,
                         },
                     });
-                    nestedItems = (await runAst(node, schema, { knex, nested: true }));
+                    nestedItems = (await runAst(node, schema, accountability, { knex, nested: true }));
                     if (nestedItems) {
                         items = mergeWithParentItems(schema, nestedItems, items, nestedNode, fieldAllowed);
                     }
@@ -86,7 +93,7 @@ export async function runAst(originalAST, schema, options) {
                 const node = merge({}, nestedNode, {
                     query: { limit: -1 },
                 });
-                nestedItems = (await runAst(node, schema, { knex, nested: true }));
+                nestedItems = (await runAst(node, schema, accountability, { knex, nested: true }));
                 if (nestedItems) {
                     // Merge all fetched nested records with the parent items
                     items = mergeWithParentItems(schema, nestedItems, items, nestedNode, true);

package/dist/database/run-ast/utils/apply-case-when.d.ts

@@ -1,4 +1,4 @@
-import type { Filter, SchemaOverview } from '@directus/types';
+import type { Filter, Permission, SchemaOverview } from '@directus/types';
 import type { Knex } from 'knex';
 import type { AliasMap } from '../../../utils/get-column-path.js';
 export interface ApplyCaseWhenOptions {
@@ -8,9 +8,10 @@ export interface ApplyCaseWhenOptions {
     cases: Filter[];
     aliasMap: AliasMap;
     alias?: string;
+    permissions: Permission[];
 }
 export interface ApplyCaseWhenContext {
     knex: Knex;
     schema: SchemaOverview;
 }
-export declare function applyCaseWhen({ columnCases, table, aliasMap, cases, column, alias }: ApplyCaseWhenOptions, { knex, schema }: ApplyCaseWhenContext): Knex.Raw;
+export declare function applyCaseWhen({ columnCases, table, aliasMap, cases, column, alias, permissions }: ApplyCaseWhenOptions, { knex, schema }: ApplyCaseWhenContext): Knex.Raw;

package/dist/database/run-ast/utils/apply-case-when.js

@@ -1,7 +1,7 @@
 import { applyFilter } from '../../../utils/apply-query.js';
-export function applyCaseWhen({ columnCases, table, aliasMap, cases, column, alias }, { knex, schema }) {
+export function applyCaseWhen({ columnCases, table, aliasMap, cases, column, alias, permissions }, { knex, schema }) {
     const caseQuery = knex.queryBuilder();
-    applyFilter(knex, schema, caseQuery, { _or: columnCases }, table, aliasMap, cases);
+    applyFilter(knex, schema, caseQuery, { _or: columnCases }, table, aliasMap, cases, permissions);
     const compiler = knex.client.queryCompiler(caseQuery);
     const sqlParts = [];
     // Only empty filters, so no where was generated, skip it

package/dist/database/run-ast/utils/get-column-pre-processor.d.ts

@@ -1,4 +1,4 @@
-import type { Filter, SchemaOverview } from '@directus/types';
+import type { Filter, Permission, SchemaOverview } from '@directus/types';
 import type { Knex } from 'knex';
 import type { FieldNode, FunctionFieldNode, M2ONode } from '../../../types/ast.js';
 import type { AliasMap } from '../../../utils/get-column-path.js';
@@ -6,5 +6,5 @@ interface NodePreProcessOptions {
     /** Don't assign an alias to the column but instead return the column as is */
     noAlias?: boolean;
 }
-export declare function getColumnPreprocessor(knex: Knex, schema: SchemaOverview, table: string, cases: Filter[], aliasMap: AliasMap): (fieldNode: FieldNode | FunctionFieldNode | M2ONode, options?: NodePreProcessOptions) => Knex.Raw<string>;
+export declare function getColumnPreprocessor(knex: Knex, schema: SchemaOverview, table: string, cases: Filter[], permissions: Permission[], aliasMap: AliasMap): (fieldNode: FieldNode | FunctionFieldNode | M2ONode, options?: NodePreProcessOptions) => Knex.Raw<string>;
 export {};