@directus/api 22.1.0 → 22.1.1

package/dist/database/get-ast-from-query/get-ast-from-query.js

@@ -2,8 +2,8 @@
  * Generate an AST based on a given collection and query
  */
 import { cloneDeep, uniq } from 'lodash-es';
-import { fetchAllowedFields } from '../../permissions/modules/fetch-allowed-fields/fetch-allowed-fields.js';
 import { parseFields } from './lib/parse-fields.js';
+import { getAllowedSort } from './utils/get-allowed-sort.js';
 export async function getAstFromQuery(options, context) {
     options.query = cloneDeep(options.query);
     const ast = {
@@ -36,36 +36,7 @@ export async function getAstFromQuery(options, context) {
     // Prevent fields/deep from showing up in the query object in further use
     delete options.query.fields;
     delete options.query.deep;
-    if (!options.query.sort) {
-        // We'll default to the primary key for the standard sort output
-        let sortField = context.schema.collections[options.collection].primary;
-        // If a custom manual sort field is configured, use that
-        if (context.schema.collections[options.collection]?.sortField) {
-            sortField = context.schema.collections[options.collection].sortField;
-        }
-        if (options.accountability && options.accountability.admin === false) {
-            // Verify that the user has access to the sort field
-            const allowedFields = await fetchAllowedFields({
-                collection: options.collection,
-                action: 'read',
-                accountability: options.accountability,
-            }, context);
-            if (allowedFields.length === 0) {
-                sortField = null;
-            }
-            else if (allowedFields.includes('*') === false && allowedFields.includes(sortField) === false) {
-                // If the sort field is not allowed, default to the first allowed field
-                sortField = allowedFields[0];
-            }
-        }
-        // When group by is used, default to the first column provided in the group by clause
-        if (options.query.group?.[0]) {
-            sortField = options.query.group[0];
-        }
-        if (sortField) {
-            options.query.sort = [sortField];
-        }
-    }
+    options.query.sort ??= await getAllowedSort(options, context);
     // When no group by is supplied, but an aggregate function is used, only a single row will be
     // returned. In those cases, we'll ignore the sort field altogether
     if (options.query.aggregate && Object.keys(options.query.aggregate).length && !options.query.group?.[0]) {

package/dist/database/get-ast-from-query/lib/parse-fields.d.ts

@@ -1,6 +1,6 @@
 import type { Accountability, Query, SchemaOverview } from '@directus/types';
 import type { Knex } from 'knex';
-import type { FieldNode, FunctionFieldNode, NestedCollectionNode } from '../../../types/index.js';
+import type { FieldNode, FunctionFieldNode, NestedCollectionNode, O2MNode } from '../../../types/index.js';
 export interface ParseFieldsOptions {
     accountability: Accountability | null;
     parentCollection: string;
@@ -13,3 +13,4 @@ export interface ParseFieldsContext {
     knex: Knex;
 }
 export declare function parseFields(options: ParseFieldsOptions, context: ParseFieldsContext): Promise<[] | (NestedCollectionNode | FieldNode | FunctionFieldNode)[]>;
+export declare function isO2MNode(node: NestedCollectionNode | null): node is O2MNode;

package/dist/database/get-ast-from-query/lib/parse-fields.js

@@ -3,6 +3,7 @@ import { isEmpty } from 'lodash-es';
 import { fetchPermissions } from '../../../permissions/lib/fetch-permissions.js';
 import { fetchPolicies } from '../../../permissions/lib/fetch-policies.js';
 import { getRelationType } from '../../../utils/get-relation-type.js';
+import { getAllowedSort } from '../utils/get-allowed-sort.js';
 import { getDeepQuery } from '../utils/get-deep-query.js';
 import { getRelatedCollection } from '../utils/get-related-collection.js';
 import { getRelation } from '../utils/get-relation.js';
@@ -119,7 +120,16 @@ export async function parseFields(options, context) {
             continue;
         let child = null;
         if (relationType === 'a2o') {
-            const allowedCollections = relation.meta.one_allowed_collections;
+            let allowedCollections = relation.meta.one_allowed_collections;
+            if (options.accountability && options.accountability.admin === false && policies) {
+                const permissions = await fetchPermissions({
+                    action: 'read',
+                    collections: allowedCollections,
+                    policies: policies,
+                    accountability: options.accountability,
+                }, context);
+                allowedCollections = allowedCollections.filter((collection) => permissions.some((permission) => permission.collection === collection));
+            }
             child = {
                 type: 'a2o',
                 names: allowedCollections,
@@ -181,8 +191,13 @@ export async function parseFields(options, context) {
                 cases: [],
                 whenCase: [],
             };
-            if (relationType === 'o2m' && !child.query.sort) {
-                child.query.sort = [relation.meta?.sort_field || context.schema.collections[relation.collection].primary];
+            if (isO2MNode(child) && !child.query.sort) {
+                child.query.sort = await getAllowedSort({ collection: relation.collection, relation, accountability: options.accountability }, context);
+            }
+            if (isO2MNode(child) && child.query.group && child.query.group[0] !== relation.field) {
+                // If a group by is used, the result needs to be grouped by the foreign key of the relation first, so results
+                // are correctly grouped under the foreign key when extracting the grouped results from the nested queries.
+                child.query.group.unshift(relation.field);
             }
         }
         if (child) {
@@ -198,3 +213,6 @@ export async function parseFields(options, context) {
         return true;
     });
 }
+export function isO2MNode(node) {
+    return !!node && node.type === 'o2m';
+}

package/dist/database/get-ast-from-query/utils/get-allowed-sort.d.ts

@@ -0,0 +1,9 @@
+import type { Accountability, Query, Relation } from '@directus/types';
+import type { Context } from '../../../permissions/types.js';
+export type GetAllowedSortFieldOptions = {
+    collection: string;
+    accountability: Accountability | null;
+    query?: Query;
+    relation?: Relation;
+};
+export declare function getAllowedSort(options: GetAllowedSortFieldOptions, context: Context): Promise<string[] | null>;

package/dist/database/get-ast-from-query/utils/get-allowed-sort.js

@@ -0,0 +1,35 @@
+import { fetchAllowedFields } from '../../../permissions/modules/fetch-allowed-fields/fetch-allowed-fields.js';
+export async function getAllowedSort(options, context) {
+    // We'll default to the primary key for the standard sort output
+    let sortField = context.schema.collections[options.collection].primary;
+    // If a custom manual sort field is configured, use that
+    if (context.schema.collections[options.collection]?.sortField) {
+        sortField = context.schema.collections[options.collection].sortField;
+    }
+    // If a sort field is defined on the relation, use that
+    if (options.relation?.meta?.sort_field) {
+        sortField = options.relation.meta.sort_field;
+    }
+    if (options.accountability && options.accountability.admin === false) {
+        // Verify that the user has access to the sort field
+        const allowedFields = await fetchAllowedFields({
+            collection: options.collection,
+            action: 'read',
+            accountability: options.accountability,
+        }, context);
+        if (allowedFields.length === 0) {
+            sortField = null;
+        }
+        else if (allowedFields.includes('*') === false && allowedFields.includes(sortField) === false) {
+            // If the sort field is not allowed, default to the first allowed field
+            sortField = allowedFields[0];
+        }
+    }
+    // When group by is used, default to the first column provided in the group by clause
+    if (options.query?.group?.[0]) {
+        sortField = options.query.group[0];
+    }
+    if (sortField)
+        return [sortField];
+    return null;
+}

package/dist/database/helpers/fn/types.d.ts

@@ -1,11 +1,14 @@
-import type { Filter, Query, SchemaOverview } from '@directus/types';
+import type { Filter, Permission, Query, SchemaOverview } from '@directus/types';
 import type { Knex } from 'knex';
 import { DatabaseHelper } from '../types.js';
 export type FnHelperOptions = {
     type: string | undefined;
-    query: Query | undefined;
-    cases: Filter[] | undefined;
     originalCollectionName: string | undefined;
+    relationalCountOptions: {
+        query: Query;
+        cases: Filter[];
+        permissions: Permission[];
+    } | undefined;
 };
 export declare abstract class FnHelper extends DatabaseHelper {
     protected schema: SchemaOverview;

package/dist/database/helpers/fn/types.js

@@ -20,7 +20,7 @@ export class FnHelper extends DatabaseHelper {
             .count('*')
             .from({ [alias]: relation.collection })
             .where(this.knex.raw(`??.??`, [alias, relation.field]), '=', this.knex.raw(`??.??`, [table, currentPrimary]));
-        if (options?.query?.filter) {
+        if (options?.relationalCountOptions?.query.filter) {
             // set the newly aliased collection in the alias map as the default parent collection, indicated by '', for any nested filters
             const aliasMap = {
                 '': {
@@ -28,7 +28,7 @@ export class FnHelper extends DatabaseHelper {
                     collection: relation.collection,
                 },
             };
-            countQuery = applyFilter(this.knex, this.schema, countQuery, options.query.filter, relation.collection, aliasMap, options.cases ?? []).query;
+            countQuery = applyFilter(this.knex, this.schema, countQuery, options.relationalCountOptions.query.filter, relation.collection, aliasMap, options.relationalCountOptions.cases, options.relationalCountOptions.permissions).query;
         }
         return this.knex.raw('(' + countQuery.toQuery() + ')');
     }

package/dist/database/index.d.ts

@@ -3,7 +3,7 @@ import type { Knex } from 'knex';
 import type { DatabaseClient } from '../types/index.js';
 export default getDatabase;
 export declare function getDatabase(): Knex;
-export declare function getSchemaInspector(): SchemaInspector;
+export declare function getSchemaInspector(database?: Knex): SchemaInspector;
 /**
  * Get database version. Value currently exists for MySQL only.
  *

package/dist/database/index.js

@@ -143,11 +143,11 @@ export function getDatabase() {
     });
     return database;
 }
-export function getSchemaInspector() {
+export function getSchemaInspector(database) {
     if (inspector) {
         return inspector;
     }
-    const database = getDatabase();
+    database ??= getDatabase();
     inspector = createInspector(database);
     return inspector;
 }

package/dist/database/migrations/20240806A-permissions-policies.js

@@ -186,10 +186,10 @@ export async function up(knex) {
     /////////////////////////////////////////////////////////////////////////////////////////////////
     // Link permissions to policies instead of roles
     await knex.schema.alterTable('directus_permissions', (table) => {
-        table.uuid('policy').references('directus_policies.id').onDelete('CASCADE');
+        table.uuid('policy');
     });
     try {
-        const inspector = await getSchemaInspector();
+        const inspector = await getSchemaInspector(knex);
         const foreignKeys = await inspector.foreignKeys('directus_permissions');
         const foreignConstraint = foreignKeys.find((foreign) => foreign.foreign_key_table === 'directus_roles' && foreign.column === 'role')
             ?.constraint_name || undefined;
@@ -212,6 +212,7 @@ export async function up(knex) {
     await knex.schema.alterTable('directus_permissions', (table) => {
         table.dropColumns('role');
         table.dropNullable('policy');
+        table.foreign('policy').references('directus_policies.id').onDelete('CASCADE');
     });
     /////////////////////////////////////////////////////////////////////////////////////////////////
     // Setup junction table between roles/users and policies

package/dist/database/run-ast/lib/get-db-query.d.ts

@@ -1,4 +1,4 @@
-import type { Filter, Query, SchemaOverview } from '@directus/types';
+import type { Filter, Permission, Query, SchemaOverview } from '@directus/types';
 import type { Knex } from 'knex';
 import type { FieldNode, FunctionFieldNode, O2MNode } from '../../../types/ast.js';
-export declare function getDBQuery(schema: SchemaOverview, knex: Knex, table: string, fieldNodes: (FieldNode | FunctionFieldNode)[], o2mNodes: O2MNode[], query: Query, cases: Filter[]): Knex.QueryBuilder;
+export declare function getDBQuery(schema: SchemaOverview, knex: Knex, table: string, fieldNodes: (FieldNode | FunctionFieldNode)[], o2mNodes: O2MNode[], query: Query, cases: Filter[], permissions: Permission[]): Knex.QueryBuilder;

package/dist/database/run-ast/lib/get-db-query.js

@@ -9,10 +9,10 @@ import { getColumnPreprocessor } from '../utils/get-column-pre-processor.js';
 import { getNodeAlias } from '../utils/get-field-alias.js';
 import { getInnerQueryColumnPreProcessor } from '../utils/get-inner-query-column-pre-processor.js';
 import { withPreprocessBindings } from '../utils/with-preprocess-bindings.js';
-export function getDBQuery(schema, knex, table, fieldNodes, o2mNodes, query, cases) {
+export function getDBQuery(schema, knex, table, fieldNodes, o2mNodes, query, cases, permissions) {
     const aliasMap = Object.create(null);
     const env = useEnv();
-    const preProcess = getColumnPreprocessor(knex, schema, table, cases, aliasMap);
+    const preProcess = getColumnPreprocessor(knex, schema, table, cases, permissions, aliasMap);
     const queryCopy = cloneDeep(query);
     const helpers = getHelpers(knex);
     const hasCaseWhen = o2mNodes.some((node) => node.whenCase && node.whenCase.length > 0) ||
@@ -25,7 +25,10 @@ export function getDBQuery(schema, knex, table, fieldNodes, o2mNodes, query, cas
         const groupWhenCases = hasCaseWhen
             ? queryCopy.group?.map((field) => fieldNodes.find(({ fieldKey }) => fieldKey === field)?.whenCase ?? [])
             : undefined;
-        const dbQuery = applyQuery(knex, table, flatQuery, queryCopy, schema, cases, { aliasMap, groupWhenCases }).query;
+        const dbQuery = applyQuery(knex, table, flatQuery, queryCopy, schema, cases, permissions, {
+            aliasMap,
+            groupWhenCases,
+        }).query;
         flatQuery.select(fieldNodes.map((node) => preProcess(node)));
         withPreprocessBindings(knex, dbQuery);
         return dbQuery;
@@ -42,7 +45,7 @@ export function getDBQuery(schema, knex, table, fieldNodes, o2mNodes, query, cas
             hasMultiRelationalSort = sortResult.hasMultiRelationalSort;
         }
     }
-    const { hasMultiRelationalFilter } = applyQuery(knex, table, dbQuery, queryCopy, schema, cases, {
+    const { hasMultiRelationalFilter } = applyQuery(knex, table, dbQuery, queryCopy, schema, cases, permissions, {
         aliasMap,
         isInnerQuery: true,
         hasMultiRelationalSort,
@@ -68,6 +71,7 @@ export function getDBQuery(schema, knex, table, fieldNodes, o2mNodes, query, cas
                 cases,
                 table,
                 alias: node.fieldKey,
+                permissions,
             }, { knex, schema });
         }));
     }
@@ -159,7 +163,7 @@ export function getDBQuery(schema, knex, table, fieldNodes, o2mNodes, query, cas
             SELECT ...,
               CASE WHEN `inner`.<random-prefix>_<alias> > 0 THEN <actual-column> END AS <alias>
          */
-        const innerPreprocess = getInnerQueryColumnPreProcessor(knex, schema, table, cases, aliasMap, innerCaseWhenAliasPrefix);
+        const innerPreprocess = getInnerQueryColumnPreProcessor(knex, schema, table, cases, permissions, aliasMap, innerCaseWhenAliasPrefix);
         // To optimize the query we avoid having unnecessary columns in the inner query, that don't have a caseWhen, since
         // they are selected in the outer query directly
         dbQuery.select(fieldNodes.map(innerPreprocess).filter((x) => x !== null));

package/dist/database/run-ast/run-ast.d.ts

@@ -1,7 +1,7 @@
-import type { Item, SchemaOverview } from '@directus/types';
+import type { Accountability, Item, SchemaOverview } from '@directus/types';
 import type { AST, NestedCollectionNode } from '../../types/ast.js';
 import type { RunASTOptions } from './types.js';
 /**
  * Execute a given AST using Knex. Returns array of items based on requested AST.
  */
-export declare function runAst(originalAST: AST | NestedCollectionNode, schema: SchemaOverview, options?: RunASTOptions): Promise<null | Item | Item[]>;
+export declare function runAst(originalAST: AST | NestedCollectionNode, schema: SchemaOverview, accountability: Accountability | null, options?: RunASTOptions): Promise<null | Item | Item[]>;

package/dist/database/run-ast/run-ast.js

@@ -1,5 +1,7 @@
 import { useEnv } from '@directus/env';
 import { cloneDeep, merge } from 'lodash-es';
+import { fetchPermissions } from '../../permissions/lib/fetch-permissions.js';
+import { fetchPolicies } from '../../permissions/lib/fetch-policies.js';
 import { PayloadService } from '../../services/payload.js';
 import getDatabase from '../index.js';
 import { getDBQuery } from './lib/get-db-query.js';
@@ -10,26 +12,31 @@ import { removeTemporaryFields } from './utils/remove-temporary-fields.js';
 /**
  * Execute a given AST using Knex. Returns array of items based on requested AST.
  */
-export async function runAst(originalAST, schema, options) {
+export async function runAst(originalAST, schema, accountability, options) {
     const ast = cloneDeep(originalAST);
     const knex = options?.knex || getDatabase();
     if (ast.type === 'a2o') {
         const results = {};
         for (const collection of ast.names) {
-            results[collection] = await run(collection, ast.children[collection], ast.query[collection], ast.cases[collection] ?? []);
+            results[collection] = await run(collection, ast.children[collection], ast.query[collection], ast.cases[collection] ?? [], accountability);
         }
         return results;
     }
     else {
-        return await run(ast.name, ast.children, options?.query || ast.query, ast.cases);
+        return await run(ast.name, ast.children, options?.query || ast.query, ast.cases, accountability);
     }
-    async function run(collection, children, query, cases) {
+    async function run(collection, children, query, cases, accountability) {
         const env = useEnv();
         // Retrieve the database columns to select in the current AST
         const { fieldNodes, primaryKeyField, nestedCollectionNodes } = await parseCurrentLevel(schema, collection, children, query);
         const o2mNodes = nestedCollectionNodes.filter((node) => node.type === 'o2m');
+        let permissions = [];
+        if (accountability && !accountability.admin) {
+            const policies = await fetchPolicies(accountability, { schema, knex });
+            permissions = await fetchPermissions({ action: 'read', accountability, policies }, { schema, knex });
+        }
         // The actual knex query builder instance. This is a promise that resolves with the raw items from the db
-        const dbQuery = getDBQuery(schema, knex, collection, fieldNodes, o2mNodes, query, cases);
+        const dbQuery = getDBQuery(schema, knex, collection, fieldNodes, o2mNodes, query, cases, permissions);
         const rawItems = await dbQuery;
         if (!rawItems)
             return null;
@@ -72,7 +79,7 @@ export async function runAst(originalAST, schema, options) {
                             page: null,
                         },
                     });
-                    nestedItems = (await runAst(node, schema, { knex, nested: true }));
+                    nestedItems = (await runAst(node, schema, accountability, { knex, nested: true }));
                     if (nestedItems) {
                         items = mergeWithParentItems(schema, nestedItems, items, nestedNode, fieldAllowed);
                     }
@@ -86,7 +93,7 @@ export async function runAst(originalAST, schema, options) {
                 const node = merge({}, nestedNode, {
                     query: { limit: -1 },
                 });
-                nestedItems = (await runAst(node, schema, { knex, nested: true }));
+                nestedItems = (await runAst(node, schema, accountability, { knex, nested: true }));
                 if (nestedItems) {
                     // Merge all fetched nested records with the parent items
                     items = mergeWithParentItems(schema, nestedItems, items, nestedNode, true);

package/dist/database/run-ast/utils/apply-case-when.d.ts

@@ -1,4 +1,4 @@
-import type { Filter, SchemaOverview } from '@directus/types';
+import type { Filter, Permission, SchemaOverview } from '@directus/types';
 import type { Knex } from 'knex';
 import type { AliasMap } from '../../../utils/get-column-path.js';
 export interface ApplyCaseWhenOptions {
@@ -8,9 +8,10 @@ export interface ApplyCaseWhenOptions {
     cases: Filter[];
     aliasMap: AliasMap;
     alias?: string;
+    permissions: Permission[];
 }
 export interface ApplyCaseWhenContext {
     knex: Knex;
     schema: SchemaOverview;
 }
-export declare function applyCaseWhen({ columnCases, table, aliasMap, cases, column, alias }: ApplyCaseWhenOptions, { knex, schema }: ApplyCaseWhenContext): Knex.Raw;
+export declare function applyCaseWhen({ columnCases, table, aliasMap, cases, column, alias, permissions }: ApplyCaseWhenOptions, { knex, schema }: ApplyCaseWhenContext): Knex.Raw;

package/dist/database/run-ast/utils/apply-case-when.js

@@ -1,7 +1,7 @@
 import { applyFilter } from '../../../utils/apply-query.js';
-export function applyCaseWhen({ columnCases, table, aliasMap, cases, column, alias }, { knex, schema }) {
+export function applyCaseWhen({ columnCases, table, aliasMap, cases, column, alias, permissions }, { knex, schema }) {
     const caseQuery = knex.queryBuilder();
-    applyFilter(knex, schema, caseQuery, { _or: columnCases }, table, aliasMap, cases);
+    applyFilter(knex, schema, caseQuery, { _or: columnCases }, table, aliasMap, cases, permissions);
     const compiler = knex.client.queryCompiler(caseQuery);
     const sqlParts = [];
     // Only empty filters, so no where was generated, skip it

package/dist/database/run-ast/utils/get-column-pre-processor.d.ts

@@ -1,4 +1,4 @@
-import type { Filter, SchemaOverview } from '@directus/types';
+import type { Filter, Permission, SchemaOverview } from '@directus/types';
 import type { Knex } from 'knex';
 import type { FieldNode, FunctionFieldNode, M2ONode } from '../../../types/ast.js';
 import type { AliasMap } from '../../../utils/get-column-path.js';
@@ -6,5 +6,5 @@ interface NodePreProcessOptions {
     /** Don't assign an alias to the column but instead return the column as is */
     noAlias?: boolean;
 }
-export declare function getColumnPreprocessor(knex: Knex, schema: SchemaOverview, table: string, cases: Filter[], aliasMap: AliasMap): (fieldNode: FieldNode | FunctionFieldNode | M2ONode, options?: NodePreProcessOptions) => Knex.Raw<string>;
+export declare function getColumnPreprocessor(knex: Knex, schema: SchemaOverview, table: string, cases: Filter[], permissions: Permission[], aliasMap: AliasMap): (fieldNode: FieldNode | FunctionFieldNode | M2ONode, options?: NodePreProcessOptions) => Knex.Raw<string>;
 export {};

package/dist/database/run-ast/utils/get-column-pre-processor.js

@@ -4,7 +4,7 @@ import { parseFilterKey } from '../../../utils/parse-filter-key.js';
 import { getHelpers } from '../../helpers/index.js';
 import { applyCaseWhen } from './apply-case-when.js';
 import { getNodeAlias } from './get-field-alias.js';
-export function getColumnPreprocessor(knex, schema, table, cases, aliasMap) {
+export function getColumnPreprocessor(knex, schema, table, cases, permissions, aliasMap) {
     const helpers = getHelpers(knex);
     return function (fieldNode, options) {
         // Don't assign an alias to the column expression if the field has a whenCase
@@ -32,6 +32,7 @@ export function getColumnPreprocessor(knex, schema, table, cases, aliasMap) {
                     ...fieldNode.query,
                     filter: joinFilterWithCases(fieldNode.query.filter, fieldNode.cases),
                 },
+                permissions,
                 cases: fieldNode.cases,
             });
         }
@@ -50,6 +51,7 @@ export function getColumnPreprocessor(knex, schema, table, cases, aliasMap) {
                 cases,
                 table,
                 alias,
+                permissions,
             }, { knex, schema });
         }
         return column;

package/dist/database/run-ast/utils/get-inner-query-column-pre-processor.d.ts

@@ -1,5 +1,5 @@
-import type { Filter, SchemaOverview } from '@directus/types';
+import type { Filter, Permission, SchemaOverview } from '@directus/types';
 import type { Knex } from 'knex';
 import type { FieldNode, FunctionFieldNode, M2ONode, O2MNode } from '../../../types/index.js';
 import type { AliasMap } from '../../../utils/get-column-path.js';
-export declare function getInnerQueryColumnPreProcessor(knex: Knex, schema: SchemaOverview, table: string, cases: Filter[], aliasMap: AliasMap, aliasPrefix: string): (fieldNode: FieldNode | FunctionFieldNode | M2ONode | O2MNode) => Knex.Raw<string> | null;
+export declare function getInnerQueryColumnPreProcessor(knex: Knex, schema: SchemaOverview, table: string, cases: Filter[], permissions: Permission[], aliasMap: AliasMap, aliasPrefix: string): (fieldNode: FieldNode | FunctionFieldNode | M2ONode | O2MNode) => Knex.Raw<string> | null;

package/dist/database/run-ast/utils/get-inner-query-column-pre-processor.js

@@ -1,6 +1,6 @@
 import { applyCaseWhen } from './apply-case-when.js';
 import { getNodeAlias } from './get-field-alias.js';
-export function getInnerQueryColumnPreProcessor(knex, schema, table, cases, aliasMap, aliasPrefix) {
+export function getInnerQueryColumnPreProcessor(knex, schema, table, cases, permissions, aliasMap, aliasPrefix) {
     return function (fieldNode) {
         const alias = getNodeAlias(fieldNode);
         if (fieldNode.whenCase && fieldNode.whenCase.length > 0) {
@@ -15,6 +15,7 @@ export function getInnerQueryColumnPreProcessor(knex, schema, table, cases, alia
                 aliasMap,
                 cases,
                 table,
+                permissions,
             }, { knex, schema });
             return knex.raw('COUNT(??) AS ??', [caseWhen, `${aliasPrefix}_${alias}`]);
         }

package/dist/permissions/lib/fetch-permissions.d.ts

@@ -1,6 +1,5 @@
-import type { Accountability, Permission, PermissionsAction } from '@directus/types';
+import type { Accountability, PermissionsAction } from '@directus/types';
 import type { Context } from '../types.js';
-export declare const fetchPermissions: typeof _fetchPermissions;
 export interface FetchPermissionsOptions {
     action?: PermissionsAction;
     policies: string[];
@@ -8,4 +7,4 @@ export interface FetchPermissionsOptions {
     accountability?: Pick<Accountability, 'user' | 'role' | 'roles' | 'app'>;
     bypassDynamicVariableProcessing?: boolean;
 }
-export declare function _fetchPermissions(options: FetchPermissionsOptions, context: Context): Promise<Permission[]>;
+export declare function fetchPermissions(options: FetchPermissionsOptions, context: Context): Promise<import("@directus/types").Permission[]>;

package/dist/permissions/lib/fetch-permissions.js

@@ -1,51 +1,17 @@
-import { pick, sortBy } from 'lodash-es';
 import { fetchDynamicVariableContext } from '../utils/fetch-dynamic-variable-context.js';
+import { fetchRawPermissions } from '../utils/fetch-raw-permissions.js';
 import { processPermissions } from '../utils/process-permissions.js';
-import { withCache } from '../utils/with-cache.js';
-import { withAppMinimalPermissions } from './with-app-minimal-permissions.js';
-export const fetchPermissions = withCache('permissions', _fetchPermissions, ({ action, policies, collections, accountability, bypassDynamicVariableProcessing }) => ({
-    policies, // we assume that policies always come from the same source, so they should be in the same order
-    ...(action && { action }),
-    ...(collections && { collections: sortBy(collections) }),
-    ...(accountability && { accountability: pick(accountability, ['user', 'role', 'roles', 'app']) }),
-    ...(bypassDynamicVariableProcessing && { bypassDynamicVariableProcessing }),
-}));
-export async function _fetchPermissions(options, context) {
-    const { PermissionsService } = await import('../../services/permissions.js');
-    const permissionsService = new PermissionsService(context);
-    const filter = {
-        _and: [{ policy: { _in: options.policies } }],
-    };
-    if (options.action) {
-        filter._and.push({ action: { _eq: options.action } });
-    }
-    if (options.collections) {
-        filter._and.push({ collection: { _in: options.collections } });
-    }
-    let permissions = (await permissionsService.readByQuery({
-        filter,
-        limit: -1,
-    }));
-    // Sort permissions by their order in the policies array
-    // This ensures that if a sorted array of policies is passed in the permissions are returned in the same order
-    // which is necessary for correctly applying the presets in order
-    permissions = sortBy(permissions, (permission) => options.policies.indexOf(permission.policy));
+export async function fetchPermissions(options, context) {
+    const permissions = await fetchRawPermissions({ ...options, bypassMinimalAppPermissions: options.bypassDynamicVariableProcessing ?? false }, context);
     if (options.accountability && !options.bypassDynamicVariableProcessing) {
-        // Add app minimal permissions for the request accountability, if applicable.
-        // Normally this is done in the permissions service readByQuery, but it also needs to do it here
-        // since the permissions service is created without accountability.
-        // We call it without the policies filter, since the static minimal app permissions don't have a policy attached.
-        const permissionsWithAppPermissions = withAppMinimalPermissions(options.accountability ?? null, permissions, {
-            _and: filter._and.slice(1),
-        });
         const permissionsContext = await fetchDynamicVariableContext({
             accountability: options.accountability,
             policies: options.policies,
-            permissions: permissionsWithAppPermissions,
+            permissions,
         }, context);
         // Replace dynamic variables with their actual values
         const processedPermissions = processPermissions({
-            permissions: permissionsWithAppPermissions,
+            permissions,
             accountability: options.accountability,
             permissionsContext,
         });

package/dist/permissions/modules/fetch-allowed-collections/fetch-allowed-collections.d.ts

@@ -4,5 +4,4 @@ export interface FetchAllowedCollectionsOptions {
     action: PermissionsAction;
     accountability: Pick<Accountability, 'user' | 'role' | 'roles' | 'ip' | 'admin' | 'app'>;
 }
-export declare const fetchAllowedCollections: typeof _fetchAllowedCollections;
-export declare function _fetchAllowedCollections({ action, accountability }: FetchAllowedCollectionsOptions, { knex, schema }: Context): Promise<string[]>;
+export declare function fetchAllowedCollections({ action, accountability }: FetchAllowedCollectionsOptions, { knex, schema }: Context): Promise<string[]>;

package/dist/permissions/modules/fetch-allowed-collections/fetch-allowed-collections.js

@@ -1,19 +1,7 @@
 import { uniq } from 'lodash-es';
 import { fetchPolicies } from '../../lib/fetch-policies.js';
-import { withCache } from '../../utils/with-cache.js';
 import { fetchPermissions } from '../../lib/fetch-permissions.js';
-export const fetchAllowedCollections = withCache('allowed-collections', _fetchAllowedCollections, ({ action, accountability: { user, role, roles, ip, admin, app } }) => ({
-    action,
-    accountability: {
-        user,
-        role,
-        roles,
-        ip,
-        admin,
-        app,
-    },
-}));
-export async function _fetchAllowedCollections({ action, accountability }, { knex, schema }) {
+export async function fetchAllowedCollections({ action, accountability }, { knex, schema }) {
     if (accountability.admin) {
         return Object.keys(schema.collections);
     }

package/dist/permissions/modules/fetch-allowed-field-map/fetch-allowed-field-map.d.ts

@@ -5,5 +5,4 @@ export interface FetchAllowedFieldMapOptions {
     accountability: Pick<Accountability, 'user' | 'role' | 'roles' | 'ip' | 'admin' | 'app'>;
     action: PermissionsAction;
 }
-export declare const fetchAllowedFieldMap: typeof _fetchAllowedFieldMap;
-export declare function _fetchAllowedFieldMap({ accountability, action }: FetchAllowedFieldMapOptions, { knex, schema }: Context): Promise<FieldMap>;
+export declare function fetchAllowedFieldMap({ accountability, action }: FetchAllowedFieldMapOptions, { knex, schema }: Context): Promise<FieldMap>;

package/dist/permissions/modules/fetch-allowed-field-map/fetch-allowed-field-map.js

@@ -1,12 +1,7 @@
 import { uniq } from 'lodash-es';
 import { fetchPolicies } from '../../lib/fetch-policies.js';
-import { withCache } from '../../utils/with-cache.js';
 import { fetchPermissions } from '../../lib/fetch-permissions.js';
-export const fetchAllowedFieldMap = withCache('allowed-field-map', _fetchAllowedFieldMap, ({ action, accountability: { user, role, roles, ip, admin, app } }) => ({
-    action,
-    accountability: { user, role, roles, ip, admin, app },
-}));
-export async function _fetchAllowedFieldMap({ accountability, action }, { knex, schema }) {
+export async function fetchAllowedFieldMap({ accountability, action }, { knex, schema }) {
     const fieldMap = {};
     if (accountability.admin) {
         for (const [collection, { fields }] of Object.entries(schema.collections)) {

package/dist/permissions/modules/fetch-allowed-fields/fetch-allowed-fields.d.ts

@@ -5,7 +5,6 @@ export interface FetchAllowedFieldsOptions {
     action: PermissionsAction;
     accountability: Pick<Accountability, 'user' | 'role' | 'roles' | 'ip' | 'app'>;
 }
-export declare const fetchAllowedFields: typeof _fetchAllowedFields;
 /**
  * Look up all fields that are allowed to be used for the given collection and action for the given
  * accountability object
@@ -13,4 +12,4 @@ export declare const fetchAllowedFields: typeof _fetchAllowedFields;
  * Done by looking up all available policies for the current accountability object, and reading all
  * permissions that exist for the collection+action+policy combination
  */
-export declare function _fetchAllowedFields({ accountability, action, collection }: FetchAllowedFieldsOptions, { knex, schema }: Context): Promise<string[]>;
+export declare function fetchAllowedFields({ accountability, action, collection }: FetchAllowedFieldsOptions, { knex, schema }: Context): Promise<string[]>;