@directus/api 22.0.0 → 22.1.1

package/dist/database/run-ast/utils/get-column-pre-processor.js

@@ -4,7 +4,7 @@ import { parseFilterKey } from '../../../utils/parse-filter-key.js';
 import { getHelpers } from '../../helpers/index.js';
 import { applyCaseWhen } from './apply-case-when.js';
 import { getNodeAlias } from './get-field-alias.js';
-export function getColumnPreprocessor(knex, schema, table, cases, aliasMap) {
+export function getColumnPreprocessor(knex, schema, table, cases, permissions, aliasMap) {
     const helpers = getHelpers(knex);
     return function (fieldNode, options) {
         // Don't assign an alias to the column expression if the field has a whenCase
@@ -32,6 +32,7 @@ export function getColumnPreprocessor(knex, schema, table, cases, aliasMap) {
                     ...fieldNode.query,
                     filter: joinFilterWithCases(fieldNode.query.filter, fieldNode.cases),
                 },
+                permissions,
                 cases: fieldNode.cases,
             });
         }
@@ -50,6 +51,7 @@ export function getColumnPreprocessor(knex, schema, table, cases, aliasMap) {
                 cases,
                 table,
                 alias,
+                permissions,
             }, { knex, schema });
         }
         return column;

package/dist/database/run-ast/utils/get-inner-query-column-pre-processor.d.ts

@@ -1,5 +1,5 @@
-import type { Filter, SchemaOverview } from '@directus/types';
+import type { Filter, Permission, SchemaOverview } from '@directus/types';
 import type { Knex } from 'knex';
 import type { FieldNode, FunctionFieldNode, M2ONode, O2MNode } from '../../../types/index.js';
 import type { AliasMap } from '../../../utils/get-column-path.js';
-export declare function getInnerQueryColumnPreProcessor(knex: Knex, schema: SchemaOverview, table: string, cases: Filter[], aliasMap: AliasMap, aliasPrefix: string): (fieldNode: FieldNode | FunctionFieldNode | M2ONode | O2MNode) => Knex.Raw<string> | null;
+export declare function getInnerQueryColumnPreProcessor(knex: Knex, schema: SchemaOverview, table: string, cases: Filter[], permissions: Permission[], aliasMap: AliasMap, aliasPrefix: string): (fieldNode: FieldNode | FunctionFieldNode | M2ONode | O2MNode) => Knex.Raw<string> | null;

package/dist/database/run-ast/utils/get-inner-query-column-pre-processor.js

@@ -1,6 +1,6 @@
 import { applyCaseWhen } from './apply-case-when.js';
 import { getNodeAlias } from './get-field-alias.js';
-export function getInnerQueryColumnPreProcessor(knex, schema, table, cases, aliasMap, aliasPrefix) {
+export function getInnerQueryColumnPreProcessor(knex, schema, table, cases, permissions, aliasMap, aliasPrefix) {
     return function (fieldNode) {
         const alias = getNodeAlias(fieldNode);
         if (fieldNode.whenCase && fieldNode.whenCase.length > 0) {
@@ -15,6 +15,7 @@ export function getInnerQueryColumnPreProcessor(knex, schema, table, cases, alia
                 aliasMap,
                 cases,
                 table,
+                permissions,
             }, { knex, schema });
             return knex.raw('COUNT(??) AS ??', [caseWhen, `${aliasPrefix}_${alias}`]);
         }

package/dist/permissions/lib/fetch-permissions.d.ts

@@ -1,6 +1,5 @@
-import type { Accountability, Permission, PermissionsAction } from '@directus/types';
+import type { Accountability, PermissionsAction } from '@directus/types';
 import type { Context } from '../types.js';
-export declare const fetchPermissions: typeof _fetchPermissions;
 export interface FetchPermissionsOptions {
     action?: PermissionsAction;
     policies: string[];
@@ -8,4 +7,4 @@ export interface FetchPermissionsOptions {
     accountability?: Pick<Accountability, 'user' | 'role' | 'roles' | 'app'>;
     bypassDynamicVariableProcessing?: boolean;
 }
-export declare function _fetchPermissions(options: FetchPermissionsOptions, context: Context): Promise<Permission[]>;
+export declare function fetchPermissions(options: FetchPermissionsOptions, context: Context): Promise<import("@directus/types").Permission[]>;

package/dist/permissions/lib/fetch-permissions.js

@@ -1,51 +1,17 @@
-import { pick, sortBy } from 'lodash-es';
 import { fetchDynamicVariableContext } from '../utils/fetch-dynamic-variable-context.js';
+import { fetchRawPermissions } from '../utils/fetch-raw-permissions.js';
 import { processPermissions } from '../utils/process-permissions.js';
-import { withCache } from '../utils/with-cache.js';
-import { withAppMinimalPermissions } from './with-app-minimal-permissions.js';
-export const fetchPermissions = withCache('permissions', _fetchPermissions, ({ action, policies, collections, accountability, bypassDynamicVariableProcessing }) => ({
-    policies, // we assume that policies always come from the same source, so they should be in the same order
-    ...(action && { action }),
-    ...(collections && { collections: sortBy(collections) }),
-    ...(accountability && { accountability: pick(accountability, ['user', 'role', 'roles', 'app']) }),
-    ...(bypassDynamicVariableProcessing && { bypassDynamicVariableProcessing }),
-}));
-export async function _fetchPermissions(options, context) {
-    const { PermissionsService } = await import('../../services/permissions.js');
-    const permissionsService = new PermissionsService(context);
-    const filter = {
-        _and: [{ policy: { _in: options.policies } }],
-    };
-    if (options.action) {
-        filter._and.push({ action: { _eq: options.action } });
-    }
-    if (options.collections) {
-        filter._and.push({ collection: { _in: options.collections } });
-    }
-    let permissions = (await permissionsService.readByQuery({
-        filter,
-        limit: -1,
-    }));
-    // Sort permissions by their order in the policies array
-    // This ensures that if a sorted array of policies is passed in the permissions are returned in the same order
-    // which is necessary for correctly applying the presets in order
-    permissions = sortBy(permissions, (permission) => options.policies.indexOf(permission.policy));
+export async function fetchPermissions(options, context) {
+    const permissions = await fetchRawPermissions({ ...options, bypassMinimalAppPermissions: options.bypassDynamicVariableProcessing ?? false }, context);
     if (options.accountability && !options.bypassDynamicVariableProcessing) {
-        // Add app minimal permissions for the request accountability, if applicable.
-        // Normally this is done in the permissions service readByQuery, but it also needs to do it here
-        // since the permissions service is created without accountability.
-        // We call it without the policies filter, since the static minimal app permissions don't have a policy attached.
-        const permissionsWithAppPermissions = withAppMinimalPermissions(options.accountability ?? null, permissions, {
-            _and: filter._and.slice(1),
-        });
         const permissionsContext = await fetchDynamicVariableContext({
             accountability: options.accountability,
             policies: options.policies,
-            permissions: permissionsWithAppPermissions,
+            permissions,
         }, context);
         // Replace dynamic variables with their actual values
         const processedPermissions = processPermissions({
-            permissions: permissionsWithAppPermissions,
+            permissions,
             accountability: options.accountability,
             permissionsContext,
         });

package/dist/permissions/modules/fetch-allowed-collections/fetch-allowed-collections.d.ts

@@ -4,5 +4,4 @@ export interface FetchAllowedCollectionsOptions {
     action: PermissionsAction;
     accountability: Pick<Accountability, 'user' | 'role' | 'roles' | 'ip' | 'admin' | 'app'>;
 }
-export declare const fetchAllowedCollections: typeof _fetchAllowedCollections;
-export declare function _fetchAllowedCollections({ action, accountability }: FetchAllowedCollectionsOptions, { knex, schema }: Context): Promise<string[]>;
+export declare function fetchAllowedCollections({ action, accountability }: FetchAllowedCollectionsOptions, { knex, schema }: Context): Promise<string[]>;

package/dist/permissions/modules/fetch-allowed-collections/fetch-allowed-collections.js

@@ -1,19 +1,7 @@
 import { uniq } from 'lodash-es';
 import { fetchPolicies } from '../../lib/fetch-policies.js';
-import { withCache } from '../../utils/with-cache.js';
 import { fetchPermissions } from '../../lib/fetch-permissions.js';
-export const fetchAllowedCollections = withCache('allowed-collections', _fetchAllowedCollections, ({ action, accountability: { user, role, roles, ip, admin, app } }) => ({
-    action,
-    accountability: {
-        user,
-        role,
-        roles,
-        ip,
-        admin,
-        app,
-    },
-}));
-export async function _fetchAllowedCollections({ action, accountability }, { knex, schema }) {
+export async function fetchAllowedCollections({ action, accountability }, { knex, schema }) {
     if (accountability.admin) {
         return Object.keys(schema.collections);
     }

package/dist/permissions/modules/fetch-allowed-field-map/fetch-allowed-field-map.d.ts

@@ -5,5 +5,4 @@ export interface FetchAllowedFieldMapOptions {
     accountability: Pick<Accountability, 'user' | 'role' | 'roles' | 'ip' | 'admin' | 'app'>;
     action: PermissionsAction;
 }
-export declare const fetchAllowedFieldMap: typeof _fetchAllowedFieldMap;
-export declare function _fetchAllowedFieldMap({ accountability, action }: FetchAllowedFieldMapOptions, { knex, schema }: Context): Promise<FieldMap>;
+export declare function fetchAllowedFieldMap({ accountability, action }: FetchAllowedFieldMapOptions, { knex, schema }: Context): Promise<FieldMap>;

package/dist/permissions/modules/fetch-allowed-field-map/fetch-allowed-field-map.js

@@ -1,12 +1,7 @@
 import { uniq } from 'lodash-es';
 import { fetchPolicies } from '../../lib/fetch-policies.js';
-import { withCache } from '../../utils/with-cache.js';
 import { fetchPermissions } from '../../lib/fetch-permissions.js';
-export const fetchAllowedFieldMap = withCache('allowed-field-map', _fetchAllowedFieldMap, ({ action, accountability: { user, role, roles, ip, admin, app } }) => ({
-    action,
-    accountability: { user, role, roles, ip, admin, app },
-}));
-export async function _fetchAllowedFieldMap({ accountability, action }, { knex, schema }) {
+export async function fetchAllowedFieldMap({ accountability, action }, { knex, schema }) {
     const fieldMap = {};
     if (accountability.admin) {
         for (const [collection, { fields }] of Object.entries(schema.collections)) {

package/dist/permissions/modules/fetch-allowed-fields/fetch-allowed-fields.d.ts

@@ -5,7 +5,6 @@ export interface FetchAllowedFieldsOptions {
     action: PermissionsAction;
     accountability: Pick<Accountability, 'user' | 'role' | 'roles' | 'ip' | 'app'>;
 }
-export declare const fetchAllowedFields: typeof _fetchAllowedFields;
 /**
  * Look up all fields that are allowed to be used for the given collection and action for the given
  * accountability object
@@ -13,4 +12,4 @@ export declare const fetchAllowedFields: typeof _fetchAllowedFields;
  * Done by looking up all available policies for the current accountability object, and reading all
  * permissions that exist for the collection+action+policy combination
  */
-export declare function _fetchAllowedFields({ accountability, action, collection }: FetchAllowedFieldsOptions, { knex, schema }: Context): Promise<string[]>;
+export declare function fetchAllowedFields({ accountability, action, collection }: FetchAllowedFieldsOptions, { knex, schema }: Context): Promise<string[]>;

package/dist/permissions/modules/fetch-allowed-fields/fetch-allowed-fields.js

@@ -1,12 +1,6 @@
 import { uniq } from 'lodash-es';
 import { fetchPermissions } from '../../lib/fetch-permissions.js';
 import { fetchPolicies } from '../../lib/fetch-policies.js';
-import { withCache } from '../../utils/with-cache.js';
-export const fetchAllowedFields = withCache('allowed-fields', _fetchAllowedFields, ({ action, collection, accountability: { user, role, roles, ip, app } }) => ({
-    action,
-    collection,
-    accountability: { user, role, roles, ip, app },
-}));
 /**
  * Look up all fields that are allowed to be used for the given collection and action for the given
  * accountability object
@@ -14,7 +8,7 @@ export const fetchAllowedFields = withCache('allowed-fields', _fetchAllowedField
  * Done by looking up all available policies for the current accountability object, and reading all
  * permissions that exist for the collection+action+policy combination
  */
-export async function _fetchAllowedFields({ accountability, action, collection }, { knex, schema }) {
+export async function fetchAllowedFields({ accountability, action, collection }, { knex, schema }) {
     const policies = await fetchPolicies(accountability, { knex, schema });
     const permissions = await fetchPermissions({ action, collections: [collection], policies, accountability }, { knex, schema });
     const allowedFields = [];

package/dist/permissions/modules/fetch-inconsistent-field-map/fetch-inconsistent-field-map.d.ts

@@ -8,5 +8,4 @@ export interface FetchInconsistentFieldMapOptions {
 /**
  * Fetch a field map for fields that may or may not be null based on item-by-item permissions.
  */
-export declare const fetchInconsistentFieldMap: typeof _fetchInconsistentFieldMap;
-export declare function _fetchInconsistentFieldMap({ accountability, action }: FetchInconsistentFieldMapOptions, { knex, schema }: Context): Promise<FieldMap>;
+export declare function fetchInconsistentFieldMap({ accountability, action }: FetchInconsistentFieldMapOptions, { knex, schema }: Context): Promise<FieldMap>;

package/dist/permissions/modules/fetch-inconsistent-field-map/fetch-inconsistent-field-map.js

@@ -1,15 +1,10 @@
-import { uniq, intersection, difference, pick } from 'lodash-es';
+import { uniq, intersection, difference } from 'lodash-es';
 import { fetchPolicies } from '../../lib/fetch-policies.js';
-import { withCache } from '../../utils/with-cache.js';
 import { fetchPermissions } from '../../lib/fetch-permissions.js';
 /**
  * Fetch a field map for fields that may or may not be null based on item-by-item permissions.
  */
-export const fetchInconsistentFieldMap = withCache('inconsistent-field-map', _fetchInconsistentFieldMap, ({ action, accountability }) => ({
-    action,
-    accountability: accountability ? pick(accountability, ['user', 'role', 'roles', 'ip', 'admin', 'app']) : null,
-}));
-export async function _fetchInconsistentFieldMap({ accountability, action }, { knex, schema }) {
+export async function fetchInconsistentFieldMap({ accountability, action }, { knex, schema }) {
     const fieldMap = {};
     if (!accountability || accountability.admin) {
         for (const collection of Object.keys(schema.collections)) {

package/dist/permissions/modules/process-ast/lib/get-cases.d.ts

@@ -0,0 +1,6 @@
+import type { Filter, Permission } from '@directus/types';
+export declare function getCases(collection: string, permissions: Permission[], requestedKeys: string[]): {
+    cases: Filter[];
+    caseMap: Record<string, number[]>;
+    allowedFields: Set<string>;
+};

package/dist/permissions/modules/process-ast/lib/get-cases.js

@@ -0,0 +1,40 @@
+import { dedupeAccess } from '../utils/dedupe-access.js';
+import { hasItemPermissions } from '../utils/has-item-permissions.js';
+export function getCases(collection, permissions, requestedKeys) {
+    const permissionsForCollection = permissions.filter((permission) => permission.collection === collection);
+    const rules = dedupeAccess(permissionsForCollection);
+    const cases = [];
+    const caseMap = {};
+    // TODO this can be optimized if there is only one rule to skip the whole case/where system,
+    //  since fields that are not allowed at all are already filtered out
+    // TODO this can be optimized if all cases are the same for all requested keys, as those should be
+    //
+    let index = 0;
+    for (const { rule, fields } of rules) {
+        // If none of the fields in the current permissions rule overlap with the actually requested
+        // fields in the AST, we can ignore this case altogether
+        if (requestedKeys.length > 0 &&
+            fields.has('*') === false &&
+            Array.from(fields).every((field) => requestedKeys.includes(field) === false)) {
+            continue;
+        }
+        if (rule === null)
+            continue;
+        cases.push(rule);
+        for (const field of fields) {
+            caseMap[field] = [...(caseMap[field] ?? []), index];
+        }
+        index++;
+    }
+    // Field that are allowed no matter what conditions exist for the item. These come from
+    // permissions where the item read access is "everything"
+    const allowedFields = new Set(permissionsForCollection
+        .filter((permission) => hasItemPermissions(permission) === false)
+        .map((permission) => permission.fields ?? [])
+        .flat());
+    return {
+        cases,
+        caseMap,
+        allowedFields,
+    };
+}

package/dist/permissions/modules/process-ast/lib/inject-cases.js

@@ -1,7 +1,6 @@
 import { getUnaliasedFieldKey } from '../../../utils/get-unaliased-field-key.js';
-import { dedupeAccess } from '../utils/dedupe-access.js';
-import { hasItemPermissions } from '../utils/has-item-permissions.js';
 import { uniq } from 'lodash-es';
+import { getCases } from './get-cases.js';
 /**
  * Mutates passed AST
  *
@@ -53,41 +52,3 @@ function processChildren(collection, children, permissions) {
     }
     return cases;
 }
-function getCases(collection, permissions, requestedKeys) {
-    const permissionsForCollection = permissions.filter((permission) => permission.collection === collection);
-    const rules = dedupeAccess(permissionsForCollection);
-    const cases = [];
-    const caseMap = {};
-    // TODO this can be optimized if there is only one rule to skip the whole case/where system,
-    //  since fields that are not allowed at all are already filtered out
-    // TODO this can be optimized if all cases are the same for all requested keys, as those should be
-    //
-    let index = 0;
-    for (const { rule, fields } of rules) {
-        // If none of the fields in the current permissions rule overlap with the actually requested
-        // fields in the AST, we can ignore this case altogether
-        if (requestedKeys.length > 0 &&
-            fields.has('*') === false &&
-            Array.from(fields).every((field) => requestedKeys.includes(field) === false)) {
-            continue;
-        }
-        if (rule === null)
-            continue;
-        cases.push(rule);
-        for (const field of fields) {
-            caseMap[field] = [...(caseMap[field] ?? []), index];
-        }
-        index++;
-    }
-    // Field that are allowed no matter what conditions exist for the item. These come from
-    // permissions where the item read access is "everything"
-    const allowedFields = new Set(permissionsForCollection
-        .filter((permission) => hasItemPermissions(permission) === false)
-        .map((permission) => permission.fields ?? [])
-        .flat());
-    return {
-        cases,
-        caseMap,
-        allowedFields,
-    };
-}

package/dist/permissions/modules/process-payload/process-payload.js

@@ -55,6 +55,8 @@ export async function processPayload(options, context) {
         }
         fieldValidationRules.push(field.validation);
     }
+    const presets = (permissions ?? []).map((permission) => permission.presets);
+    const payloadWithPresets = assign({}, ...presets, options.payload);
     const validationRules = [...fieldValidationRules, ...permissionValidationRules].filter((rule) => {
         if (rule === null)
             return false;
@@ -64,14 +66,11 @@ export async function processPayload(options, context) {
     });
     if (validationRules.length > 0) {
         const validationErrors = [];
-        validationErrors.push(...validatePayload({ _and: validationRules }, options.payload)
+        validationErrors.push(...validatePayload({ _and: validationRules }, payloadWithPresets)
             .map((error) => error.details.map((details) => new FailedValidationError(joiValidationErrorItemToErrorExtensions(details))))
             .flat());
         if (validationErrors.length > 0)
             throw validationErrors;
     }
-    if (!permissions)
-        return options.payload;
-    const presets = permissions.map((permission) => permission.presets);
-    return assign({}, ...presets, options.payload);
+    return payloadWithPresets;
 }

package/dist/permissions/modules/validate-access/lib/validate-item-access.js

@@ -13,11 +13,6 @@ export async function validateItemAccess(options, context) {
         // whole or not
         fields: [],
         limit: options.primaryKeys.length,
-        filter: {
-            [primaryKeyField]: {
-                _in: options.primaryKeys,
-            },
-        },
     };
     const ast = await getAstFromQuery({
         accountability: options.accountability,
@@ -25,7 +20,13 @@ export async function validateItemAccess(options, context) {
         collection: options.collection,
     }, context);
     await processAst({ ast, ...options }, context);
-    const items = await runAst(ast, context.schema, { knex: context.knex });
+    // Inject the filter after the permissions have been processed, as to not require access to the primary key
+    ast.query.filter = {
+        [primaryKeyField]: {
+            _in: options.primaryKeys,
+        },
+    };
+    const items = await runAst(ast, context.schema, options.accountability, { knex: context.knex });
     if (items && items.length === options.primaryKeys.length) {
         return true;
     }

package/dist/permissions/utils/fetch-dynamic-variable-context.d.ts

@@ -1,9 +1,8 @@
 import type { Accountability, Permission } from '@directus/types';
 import type { Context } from '../types.js';
-export declare const fetchDynamicVariableContext: typeof _fetchDynamicVariableContext;
 export interface FetchDynamicVariableContext {
     accountability: Pick<Accountability, 'user' | 'role' | 'roles'>;
     policies: string[];
     permissions: Permission[];
 }
-export declare function _fetchDynamicVariableContext(options: FetchDynamicVariableContext, context: Context): Promise<Record<string, any>>;
+export declare function fetchDynamicVariableContext(options: FetchDynamicVariableContext, context: Context): Promise<Record<string, any>>;

package/dist/permissions/utils/fetch-dynamic-variable-context.js

@@ -1,43 +1,63 @@
-import { extractRequiredDynamicVariableContext } from './extract-required-dynamic-variable-context.js';
-import { withCache } from './with-cache.js';
-export const fetchDynamicVariableContext = withCache('permission-dynamic-variables', _fetchDynamicVariableContext, ({ policies, permissions, accountability: { user, role, roles } }) => ({
-    policies,
-    permissions,
-    accountability: {
-        user,
-        role,
-        roles,
-    },
-}));
-export async function _fetchDynamicVariableContext(options, context) {
+import { useEnv } from '@directus/env';
+import { getSimpleHash } from '@directus/utils';
+import { getCache, getCacheValue, setCacheValue } from '../../cache.js';
+import { extractRequiredDynamicVariableContext, } from './extract-required-dynamic-variable-context.js';
+export async function fetchDynamicVariableContext(options, context) {
     const { UsersService } = await import('../../services/users.js');
     const { RolesService } = await import('../../services/roles.js');
     const { PoliciesService } = await import('../../services/policies.js');
     const contextData = {};
     const permissionContext = extractRequiredDynamicVariableContext(options.permissions);
     if (options.accountability.user && (permissionContext.$CURRENT_USER?.size ?? 0) > 0) {
-        const usersService = new UsersService(context);
-        contextData['$CURRENT_USER'] = await usersService.readOne(options.accountability.user, {
-            fields: Array.from(permissionContext.$CURRENT_USER),
+        contextData['$CURRENT_USER'] = await fetchContextData('$CURRENT_USER', permissionContext, { user: options.accountability.user }, async (fields) => {
+            const usersService = new UsersService(context);
+            return await usersService.readOne(options.accountability.user, {
+                fields,
+            });
         });
     }
     if (options.accountability.role && (permissionContext.$CURRENT_ROLE?.size ?? 0) > 0) {
-        const rolesService = new RolesService(context);
-        contextData['$CURRENT_ROLE'] = await rolesService.readOne(options.accountability.role, {
-            fields: Array.from(permissionContext.$CURRENT_ROLE),
+        contextData['$CURRENT_ROLE'] = await fetchContextData('$CURRENT_ROLE', permissionContext, { role: options.accountability.role }, async (fields) => {
+            const usersService = new RolesService(context);
+            return await usersService.readOne(options.accountability.role, {
+                fields,
+            });
         });
     }
     if (options.accountability.roles.length > 0 && (permissionContext.$CURRENT_ROLES?.size ?? 0) > 0) {
-        const rolesService = new RolesService(context);
-        contextData['$CURRENT_ROLES'] = await rolesService.readMany(options.accountability.roles, {
-            fields: Array.from(permissionContext.$CURRENT_ROLES),
+        contextData['$CURRENT_ROLES'] = await fetchContextData('$CURRENT_ROLES', permissionContext, { roles: options.accountability.roles }, async (fields) => {
+            const rolesService = new RolesService(context);
+            return await rolesService.readMany(options.accountability.roles, {
+                fields,
+            });
         });
     }
     if (options.policies.length > 0 && (permissionContext.$CURRENT_POLICIES?.size ?? 0) > 0) {
-        const policiesService = new PoliciesService(context);
-        contextData['$CURRENT_POLICIES'] = await policiesService.readMany(options.policies, {
-            fields: Array.from(permissionContext.$CURRENT_POLICIES),
+        contextData['$CURRENT_POLICIES'] = await fetchContextData('$CURRENT_POLICIES', permissionContext, { policies: options.policies }, async (fields) => {
+            const policiesService = new PoliciesService(context);
+            return await policiesService.readMany(options.policies, {
+                fields,
+            });
         });
     }
     return contextData;
 }
+async function fetchContextData(key, permissionContext, cacheContext, fetch) {
+    const { cache } = getCache();
+    const env = useEnv();
+    const fields = Array.from(permissionContext[key]);
+    const cacheKey = cache
+        ? `filter-context-${key.slice(1)}-${getSimpleHash(JSON.stringify({ ...cacheContext, fields }))}`
+        : '';
+    let data = undefined;
+    if (cache) {
+        data = await getCacheValue(cache, cacheKey);
+    }
+    if (!data) {
+        data = await fetch(fields);
+        if (cache && env['CACHE_ENABLED'] !== false) {
+            await setCacheValue(cache, cacheKey, data);
+        }
+    }
+    return data;
+}

package/dist/permissions/utils/fetch-raw-permissions.d.ts

@@ -0,0 +1,11 @@
+import type { Accountability, Permission, PermissionsAction } from '@directus/types';
+import type { Context } from '../types.js';
+export declare const fetchRawPermissions: typeof _fetchRawPermissions;
+export interface FetchRawPermissionsOptions {
+    action?: PermissionsAction;
+    policies: string[];
+    collections?: string[];
+    accountability?: Pick<Accountability, 'app'>;
+    bypassMinimalAppPermissions?: boolean;
+}
+export declare function _fetchRawPermissions(options: FetchRawPermissionsOptions, context: Context): Promise<Permission[]>;

package/dist/permissions/utils/fetch-raw-permissions.js

@@ -0,0 +1,39 @@
+import { sortBy } from 'lodash-es';
+import { withAppMinimalPermissions } from '../lib/with-app-minimal-permissions.js';
+import { withCache } from './with-cache.js';
+export const fetchRawPermissions = withCache('raw-permissions', _fetchRawPermissions, ({ action, policies, collections, accountability, bypassMinimalAppPermissions }) => ({
+    policies, // we assume that policies always come from the same source, so they should be in the same order
+    ...(action && { action }),
+    ...(collections && { collections: sortBy(collections) }),
+    ...(accountability && { accountability: { app: accountability.app } }),
+    ...(bypassMinimalAppPermissions && { bypassMinimalAppPermissions }),
+}));
+export async function _fetchRawPermissions(options, context) {
+    const { PermissionsService } = await import('../../services/permissions.js');
+    const permissionsService = new PermissionsService(context);
+    const filter = {
+        _and: [{ policy: { _in: options.policies } }],
+    };
+    if (options.action) {
+        filter._and.push({ action: { _eq: options.action } });
+    }
+    if (options.collections) {
+        filter._and.push({ collection: { _in: options.collections } });
+    }
+    let permissions = (await permissionsService.readByQuery({
+        filter,
+        limit: -1,
+    }));
+    // Sort permissions by their order in the policies array
+    // This ensures that if a sorted array of policies is passed in the permissions are returned in the same order
+    // which is necessary for correctly applying the presets in order
+    permissions = sortBy(permissions, (permission) => options.policies.indexOf(permission.policy));
+    if (options.accountability && !options.bypassMinimalAppPermissions) {
+        // Add app minimal permissions for the request accountability, if applicable.
+        // Normally this is done in the permissions service readByQuery, but it also needs to do it here
+        // since the permissions service is created without accountability.
+        // We call it without the policies filter, since the static minimal app permissions don't have a policy attached.
+        return withAppMinimalPermissions(options.accountability ?? null, permissions, { _and: filter._and.slice(1) });
+    }
+    return permissions;
+}

package/dist/server.js

@@ -13,6 +13,7 @@ import emitter from './emitter.js';
 import { useLogger } from './logger/index.js';
 import { getConfigFromEnv } from './utils/get-config-from-env.js';
 import { getIPFromReq } from './utils/get-ip-from-req.js';
+import { getAddress } from './utils/get-address.js';
 import { createSubscriptionController, createWebSocketController, getSubscriptionController, getWebSocketController, } from './websocket/controllers/index.js';
 import { startWebSocketHandlers } from './websocket/handlers/index.js';
 export let SERVER_ONLINE = true;
@@ -116,10 +117,22 @@ export async function createServer() {
 export async function startServer() {
     const server = await createServer();
     const host = env['HOST'];
-    const port = parseInt(env['PORT']);
+    const path = env['UNIX_SOCKET_PATH'];
+    const port = env['PORT'];
+    let listenOptions;
+    if (path) {
+        listenOptions = { path };
+    }
+    else {
+        listenOptions = {
+            host,
+            port: parseInt(port || '8055'),
+        };
+    }
     server
-        .listen(port, host, () => {
-        logger.info(`Server started at http://${host}:${port}`);
+        .listen(listenOptions, () => {
+        const protocol = server instanceof https.Server ? 'https' : 'http';
+        logger.info(`Server started at ${listenOptions.port ? `${protocol}://${getAddress(server)}` : getAddress(server)}`);
         process.send?.('ready');
         emitter.emitAction('server.start', { server }, {
             database: getDatabase(),
@@ -129,7 +142,7 @@ export async function startServer() {
     })
         .once('error', (err) => {
         if (err?.code === 'EADDRINUSE') {
-            logger.error(`Port ${port} is already in use`);
+            logger.error(`${listenOptions.port ? `Port ${listenOptions.port}` : getAddress(server)} is already in use`);
             process.exit(1);
         }
         else {

package/dist/services/fields.d.ts

@@ -30,5 +30,5 @@ export declare class FieldsService {
     updateField(collection: string, field: RawField, opts?: MutationOptions): Promise<string>;
     updateFields(collection: string, fields: RawField[], opts?: MutationOptions): Promise<string[]>;
     deleteField(collection: string, field: string, opts?: MutationOptions): Promise<void>;
-    addColumnToTable(table: Knex.CreateTableBuilder, field: RawField | Field, alter?: Column | null): void;
+    addColumnToTable(table: Knex.CreateTableBuilder, field: RawField | Field, existing?: Column | null): void;
 }