@directus/api 22.1.0 → 22.1.1

package/dist/permissions/modules/fetch-allowed-fields/fetch-allowed-fields.js

@@ -1,12 +1,6 @@
 import { uniq } from 'lodash-es';
 import { fetchPermissions } from '../../lib/fetch-permissions.js';
 import { fetchPolicies } from '../../lib/fetch-policies.js';
-import { withCache } from '../../utils/with-cache.js';
-export const fetchAllowedFields = withCache('allowed-fields', _fetchAllowedFields, ({ action, collection, accountability: { user, role, roles, ip, app } }) => ({
-    action,
-    collection,
-    accountability: { user, role, roles, ip, app },
-}));
 /**
  * Look up all fields that are allowed to be used for the given collection and action for the given
  * accountability object
@@ -14,7 +8,7 @@ export const fetchAllowedFields = withCache('allowed-fields', _fetchAllowedField
  * Done by looking up all available policies for the current accountability object, and reading all
  * permissions that exist for the collection+action+policy combination
  */
-export async function _fetchAllowedFields({ accountability, action, collection }, { knex, schema }) {
+export async function fetchAllowedFields({ accountability, action, collection }, { knex, schema }) {
     const policies = await fetchPolicies(accountability, { knex, schema });
     const permissions = await fetchPermissions({ action, collections: [collection], policies, accountability }, { knex, schema });
     const allowedFields = [];

package/dist/permissions/modules/fetch-inconsistent-field-map/fetch-inconsistent-field-map.d.ts

@@ -8,5 +8,4 @@ export interface FetchInconsistentFieldMapOptions {
 /**
  * Fetch a field map for fields that may or may not be null based on item-by-item permissions.
  */
-export declare const fetchInconsistentFieldMap: typeof _fetchInconsistentFieldMap;
-export declare function _fetchInconsistentFieldMap({ accountability, action }: FetchInconsistentFieldMapOptions, { knex, schema }: Context): Promise<FieldMap>;
+export declare function fetchInconsistentFieldMap({ accountability, action }: FetchInconsistentFieldMapOptions, { knex, schema }: Context): Promise<FieldMap>;

package/dist/permissions/modules/fetch-inconsistent-field-map/fetch-inconsistent-field-map.js

@@ -1,15 +1,10 @@
-import { uniq, intersection, difference, pick } from 'lodash-es';
+import { uniq, intersection, difference } from 'lodash-es';
 import { fetchPolicies } from '../../lib/fetch-policies.js';
-import { withCache } from '../../utils/with-cache.js';
 import { fetchPermissions } from '../../lib/fetch-permissions.js';
 /**
  * Fetch a field map for fields that may or may not be null based on item-by-item permissions.
  */
-export const fetchInconsistentFieldMap = withCache('inconsistent-field-map', _fetchInconsistentFieldMap, ({ action, accountability }) => ({
-    action,
-    accountability: accountability ? pick(accountability, ['user', 'role', 'roles', 'ip', 'admin', 'app']) : null,
-}));
-export async function _fetchInconsistentFieldMap({ accountability, action }, { knex, schema }) {
+export async function fetchInconsistentFieldMap({ accountability, action }, { knex, schema }) {
     const fieldMap = {};
     if (!accountability || accountability.admin) {
         for (const collection of Object.keys(schema.collections)) {

package/dist/permissions/modules/process-ast/lib/get-cases.d.ts

@@ -0,0 +1,6 @@
+import type { Filter, Permission } from '@directus/types';
+export declare function getCases(collection: string, permissions: Permission[], requestedKeys: string[]): {
+    cases: Filter[];
+    caseMap: Record<string, number[]>;
+    allowedFields: Set<string>;
+};

package/dist/permissions/modules/process-ast/lib/get-cases.js

@@ -0,0 +1,40 @@
+import { dedupeAccess } from '../utils/dedupe-access.js';
+import { hasItemPermissions } from '../utils/has-item-permissions.js';
+export function getCases(collection, permissions, requestedKeys) {
+    const permissionsForCollection = permissions.filter((permission) => permission.collection === collection);
+    const rules = dedupeAccess(permissionsForCollection);
+    const cases = [];
+    const caseMap = {};
+    // TODO this can be optimized if there is only one rule to skip the whole case/where system,
+    //  since fields that are not allowed at all are already filtered out
+    // TODO this can be optimized if all cases are the same for all requested keys, as those should be
+    //
+    let index = 0;
+    for (const { rule, fields } of rules) {
+        // If none of the fields in the current permissions rule overlap with the actually requested
+        // fields in the AST, we can ignore this case altogether
+        if (requestedKeys.length > 0 &&
+            fields.has('*') === false &&
+            Array.from(fields).every((field) => requestedKeys.includes(field) === false)) {
+            continue;
+        }
+        if (rule === null)
+            continue;
+        cases.push(rule);
+        for (const field of fields) {
+            caseMap[field] = [...(caseMap[field] ?? []), index];
+        }
+        index++;
+    }
+    // Field that are allowed no matter what conditions exist for the item. These come from
+    // permissions where the item read access is "everything"
+    const allowedFields = new Set(permissionsForCollection
+        .filter((permission) => hasItemPermissions(permission) === false)
+        .map((permission) => permission.fields ?? [])
+        .flat());
+    return {
+        cases,
+        caseMap,
+        allowedFields,
+    };
+}

package/dist/permissions/modules/process-ast/lib/inject-cases.js

@@ -1,7 +1,6 @@
 import { getUnaliasedFieldKey } from '../../../utils/get-unaliased-field-key.js';
-import { dedupeAccess } from '../utils/dedupe-access.js';
-import { hasItemPermissions } from '../utils/has-item-permissions.js';
 import { uniq } from 'lodash-es';
+import { getCases } from './get-cases.js';
 /**
  * Mutates passed AST
  *
@@ -53,41 +52,3 @@ function processChildren(collection, children, permissions) {
     }
     return cases;
 }
-function getCases(collection, permissions, requestedKeys) {
-    const permissionsForCollection = permissions.filter((permission) => permission.collection === collection);
-    const rules = dedupeAccess(permissionsForCollection);
-    const cases = [];
-    const caseMap = {};
-    // TODO this can be optimized if there is only one rule to skip the whole case/where system,
-    //  since fields that are not allowed at all are already filtered out
-    // TODO this can be optimized if all cases are the same for all requested keys, as those should be
-    //
-    let index = 0;
-    for (const { rule, fields } of rules) {
-        // If none of the fields in the current permissions rule overlap with the actually requested
-        // fields in the AST, we can ignore this case altogether
-        if (requestedKeys.length > 0 &&
-            fields.has('*') === false &&
-            Array.from(fields).every((field) => requestedKeys.includes(field) === false)) {
-            continue;
-        }
-        if (rule === null)
-            continue;
-        cases.push(rule);
-        for (const field of fields) {
-            caseMap[field] = [...(caseMap[field] ?? []), index];
-        }
-        index++;
-    }
-    // Field that are allowed no matter what conditions exist for the item. These come from
-    // permissions where the item read access is "everything"
-    const allowedFields = new Set(permissionsForCollection
-        .filter((permission) => hasItemPermissions(permission) === false)
-        .map((permission) => permission.fields ?? [])
-        .flat());
-    return {
-        cases,
-        caseMap,
-        allowedFields,
-    };
-}

package/dist/permissions/modules/process-payload/process-payload.js

@@ -55,6 +55,8 @@ export async function processPayload(options, context) {
         }
         fieldValidationRules.push(field.validation);
     }
+    const presets = (permissions ?? []).map((permission) => permission.presets);
+    const payloadWithPresets = assign({}, ...presets, options.payload);
     const validationRules = [...fieldValidationRules, ...permissionValidationRules].filter((rule) => {
         if (rule === null)
             return false;
@@ -64,14 +66,11 @@ export async function processPayload(options, context) {
     });
     if (validationRules.length > 0) {
         const validationErrors = [];
-        validationErrors.push(...validatePayload({ _and: validationRules }, options.payload)
+        validationErrors.push(...validatePayload({ _and: validationRules }, payloadWithPresets)
             .map((error) => error.details.map((details) => new FailedValidationError(joiValidationErrorItemToErrorExtensions(details))))
             .flat());
         if (validationErrors.length > 0)
             throw validationErrors;
     }
-    if (!permissions)
-        return options.payload;
-    const presets = permissions.map((permission) => permission.presets);
-    return assign({}, ...presets, options.payload);
+    return payloadWithPresets;
 }

package/dist/permissions/modules/validate-access/lib/validate-item-access.js

@@ -13,11 +13,6 @@ export async function validateItemAccess(options, context) {
         // whole or not
         fields: [],
         limit: options.primaryKeys.length,
-        filter: {
-            [primaryKeyField]: {
-                _in: options.primaryKeys,
-            },
-        },
     };
     const ast = await getAstFromQuery({
         accountability: options.accountability,
@@ -25,7 +20,13 @@ export async function validateItemAccess(options, context) {
         collection: options.collection,
     }, context);
     await processAst({ ast, ...options }, context);
-    const items = await runAst(ast, context.schema, { knex: context.knex });
+    // Inject the filter after the permissions have been processed, as to not require access to the primary key
+    ast.query.filter = {
+        [primaryKeyField]: {
+            _in: options.primaryKeys,
+        },
+    };
+    const items = await runAst(ast, context.schema, options.accountability, { knex: context.knex });
     if (items && items.length === options.primaryKeys.length) {
         return true;
     }

package/dist/permissions/utils/fetch-dynamic-variable-context.d.ts

@@ -1,9 +1,8 @@
 import type { Accountability, Permission } from '@directus/types';
 import type { Context } from '../types.js';
-export declare const fetchDynamicVariableContext: typeof _fetchDynamicVariableContext;
 export interface FetchDynamicVariableContext {
     accountability: Pick<Accountability, 'user' | 'role' | 'roles'>;
     policies: string[];
     permissions: Permission[];
 }
-export declare function _fetchDynamicVariableContext(options: FetchDynamicVariableContext, context: Context): Promise<Record<string, any>>;
+export declare function fetchDynamicVariableContext(options: FetchDynamicVariableContext, context: Context): Promise<Record<string, any>>;

package/dist/permissions/utils/fetch-dynamic-variable-context.js

@@ -1,43 +1,63 @@
-import { extractRequiredDynamicVariableContext } from './extract-required-dynamic-variable-context.js';
-import { withCache } from './with-cache.js';
-export const fetchDynamicVariableContext = withCache('permission-dynamic-variables', _fetchDynamicVariableContext, ({ policies, permissions, accountability: { user, role, roles } }) => ({
-    policies,
-    permissions,
-    accountability: {
-        user,
-        role,
-        roles,
-    },
-}));
-export async function _fetchDynamicVariableContext(options, context) {
+import { useEnv } from '@directus/env';
+import { getSimpleHash } from '@directus/utils';
+import { getCache, getCacheValue, setCacheValue } from '../../cache.js';
+import { extractRequiredDynamicVariableContext, } from './extract-required-dynamic-variable-context.js';
+export async function fetchDynamicVariableContext(options, context) {
     const { UsersService } = await import('../../services/users.js');
     const { RolesService } = await import('../../services/roles.js');
     const { PoliciesService } = await import('../../services/policies.js');
     const contextData = {};
     const permissionContext = extractRequiredDynamicVariableContext(options.permissions);
     if (options.accountability.user && (permissionContext.$CURRENT_USER?.size ?? 0) > 0) {
-        const usersService = new UsersService(context);
-        contextData['$CURRENT_USER'] = await usersService.readOne(options.accountability.user, {
-            fields: Array.from(permissionContext.$CURRENT_USER),
+        contextData['$CURRENT_USER'] = await fetchContextData('$CURRENT_USER', permissionContext, { user: options.accountability.user }, async (fields) => {
+            const usersService = new UsersService(context);
+            return await usersService.readOne(options.accountability.user, {
+                fields,
+            });
         });
     }
     if (options.accountability.role && (permissionContext.$CURRENT_ROLE?.size ?? 0) > 0) {
-        const rolesService = new RolesService(context);
-        contextData['$CURRENT_ROLE'] = await rolesService.readOne(options.accountability.role, {
-            fields: Array.from(permissionContext.$CURRENT_ROLE),
+        contextData['$CURRENT_ROLE'] = await fetchContextData('$CURRENT_ROLE', permissionContext, { role: options.accountability.role }, async (fields) => {
+            const usersService = new RolesService(context);
+            return await usersService.readOne(options.accountability.role, {
+                fields,
+            });
         });
     }
     if (options.accountability.roles.length > 0 && (permissionContext.$CURRENT_ROLES?.size ?? 0) > 0) {
-        const rolesService = new RolesService(context);
-        contextData['$CURRENT_ROLES'] = await rolesService.readMany(options.accountability.roles, {
-            fields: Array.from(permissionContext.$CURRENT_ROLES),
+        contextData['$CURRENT_ROLES'] = await fetchContextData('$CURRENT_ROLES', permissionContext, { roles: options.accountability.roles }, async (fields) => {
+            const rolesService = new RolesService(context);
+            return await rolesService.readMany(options.accountability.roles, {
+                fields,
+            });
         });
     }
     if (options.policies.length > 0 && (permissionContext.$CURRENT_POLICIES?.size ?? 0) > 0) {
-        const policiesService = new PoliciesService(context);
-        contextData['$CURRENT_POLICIES'] = await policiesService.readMany(options.policies, {
-            fields: Array.from(permissionContext.$CURRENT_POLICIES),
+        contextData['$CURRENT_POLICIES'] = await fetchContextData('$CURRENT_POLICIES', permissionContext, { policies: options.policies }, async (fields) => {
+            const policiesService = new PoliciesService(context);
+            return await policiesService.readMany(options.policies, {
+                fields,
+            });
         });
     }
     return contextData;
 }
+async function fetchContextData(key, permissionContext, cacheContext, fetch) {
+    const { cache } = getCache();
+    const env = useEnv();
+    const fields = Array.from(permissionContext[key]);
+    const cacheKey = cache
+        ? `filter-context-${key.slice(1)}-${getSimpleHash(JSON.stringify({ ...cacheContext, fields }))}`
+        : '';
+    let data = undefined;
+    if (cache) {
+        data = await getCacheValue(cache, cacheKey);
+    }
+    if (!data) {
+        data = await fetch(fields);
+        if (cache && env['CACHE_ENABLED'] !== false) {
+            await setCacheValue(cache, cacheKey, data);
+        }
+    }
+    return data;
+}

package/dist/permissions/utils/fetch-raw-permissions.d.ts

@@ -0,0 +1,11 @@
+import type { Accountability, Permission, PermissionsAction } from '@directus/types';
+import type { Context } from '../types.js';
+export declare const fetchRawPermissions: typeof _fetchRawPermissions;
+export interface FetchRawPermissionsOptions {
+    action?: PermissionsAction;
+    policies: string[];
+    collections?: string[];
+    accountability?: Pick<Accountability, 'app'>;
+    bypassMinimalAppPermissions?: boolean;
+}
+export declare function _fetchRawPermissions(options: FetchRawPermissionsOptions, context: Context): Promise<Permission[]>;

package/dist/permissions/utils/fetch-raw-permissions.js

@@ -0,0 +1,39 @@
+import { sortBy } from 'lodash-es';
+import { withAppMinimalPermissions } from '../lib/with-app-minimal-permissions.js';
+import { withCache } from './with-cache.js';
+export const fetchRawPermissions = withCache('raw-permissions', _fetchRawPermissions, ({ action, policies, collections, accountability, bypassMinimalAppPermissions }) => ({
+    policies, // we assume that policies always come from the same source, so they should be in the same order
+    ...(action && { action }),
+    ...(collections && { collections: sortBy(collections) }),
+    ...(accountability && { accountability: { app: accountability.app } }),
+    ...(bypassMinimalAppPermissions && { bypassMinimalAppPermissions }),
+}));
+export async function _fetchRawPermissions(options, context) {
+    const { PermissionsService } = await import('../../services/permissions.js');
+    const permissionsService = new PermissionsService(context);
+    const filter = {
+        _and: [{ policy: { _in: options.policies } }],
+    };
+    if (options.action) {
+        filter._and.push({ action: { _eq: options.action } });
+    }
+    if (options.collections) {
+        filter._and.push({ collection: { _in: options.collections } });
+    }
+    let permissions = (await permissionsService.readByQuery({
+        filter,
+        limit: -1,
+    }));
+    // Sort permissions by their order in the policies array
+    // This ensures that if a sorted array of policies is passed in the permissions are returned in the same order
+    // which is necessary for correctly applying the presets in order
+    permissions = sortBy(permissions, (permission) => options.policies.indexOf(permission.policy));
+    if (options.accountability && !options.bypassMinimalAppPermissions) {
+        // Add app minimal permissions for the request accountability, if applicable.
+        // Normally this is done in the permissions service readByQuery, but it also needs to do it here
+        // since the permissions service is created without accountability.
+        // We call it without the policies filter, since the static minimal app permissions don't have a policy attached.
+        return withAppMinimalPermissions(options.accountability ?? null, permissions, { _and: filter._and.slice(1) });
+    }
+    return permissions;
+}

package/dist/services/fields.d.ts

@@ -30,5 +30,5 @@ export declare class FieldsService {
     updateField(collection: string, field: RawField, opts?: MutationOptions): Promise<string>;
     updateFields(collection: string, fields: RawField[], opts?: MutationOptions): Promise<string[]>;
     deleteField(collection: string, field: string, opts?: MutationOptions): Promise<void>;
-    addColumnToTable(table: Knex.CreateTableBuilder, field: RawField | Field, alter?: Column | null): void;
+    addColumnToTable(table: Knex.CreateTableBuilder, field: RawField | Field, existing?: Column | null): void;
 }

package/dist/services/fields.js

@@ -621,7 +621,7 @@ export class FieldsService {
             }
         }
     }
-    addColumnToTable(table, field, alter = null) {
+    addColumnToTable(table, field, existing = null) {
         let column;
         // Don't attempt to add a DB column for alias / corrupt fields
         if (field.type === 'alias' || field.type === 'unknown')
@@ -662,45 +662,48 @@ export class FieldsService {
         else {
             throw new InvalidPayloadError({ reason: `Illegal type passed: "${field.type}"` });
         }
-        if (field.schema?.default_value !== undefined) {
-            if (typeof field.schema.default_value === 'string' &&
-                (field.schema.default_value.toLowerCase() === 'now()' || field.schema.default_value === 'CURRENT_TIMESTAMP')) {
+        const defaultValue = field.schema?.default_value !== undefined ? field.schema?.default_value : existing?.default_value;
+        if (defaultValue) {
+            const newDefaultValueIsString = typeof defaultValue === 'string';
+            const newDefaultIsNowFunction = newDefaultValueIsString && defaultValue.toLowerCase() === 'now()';
+            const newDefaultIsCurrentTimestamp = newDefaultValueIsString && defaultValue === 'CURRENT_TIMESTAMP';
+            const newDefaultIsSetToCurrentTime = newDefaultIsNowFunction || newDefaultIsCurrentTimestamp;
+            const newDefaultIsTimestampWithPrecision = newDefaultValueIsString && defaultValue.includes('CURRENT_TIMESTAMP(') && defaultValue.includes(')');
+            if (newDefaultIsSetToCurrentTime) {
                 column.defaultTo(this.knex.fn.now());
             }
-            else if (typeof field.schema.default_value === 'string' &&
-                field.schema.default_value.includes('CURRENT_TIMESTAMP(') &&
-                field.schema.default_value.includes(')')) {
-                const precision = field.schema.default_value.match(REGEX_BETWEEN_PARENS)[1];
+            else if (newDefaultIsTimestampWithPrecision) {
+                const precision = defaultValue.match(REGEX_BETWEEN_PARENS)[1];
                 column.defaultTo(this.knex.fn.now(Number(precision)));
             }
             else {
-                column.defaultTo(field.schema.default_value);
+                column.defaultTo(defaultValue);
             }
         }
-        if (field.schema?.is_nullable === false) {
-            if (!alter || alter.is_nullable === true) {
-                column.notNullable();
-            }
+        else {
+            column.defaultTo(null);
+        }
+        const isNullable = field.schema?.is_nullable ?? existing?.is_nullable ?? true;
+        if (isNullable) {
+            column.nullable();
         }
         else {
-            if (!alter || alter.is_nullable === false) {
-                column.nullable();
-            }
+            column.notNullable();
         }
         if (field.schema?.is_primary_key) {
             column.primary().notNullable();
         }
         else if (field.schema?.is_unique === true) {
-            if (!alter || alter.is_unique === false) {
+            if (!existing || existing.is_unique === false) {
                 column.unique();
             }
         }
         else if (field.schema?.is_unique === false) {
-            if (alter && alter.is_unique === true) {
+            if (existing && existing.is_unique === true) {
                 table.dropUnique([field.field]);
             }
         }
-        if (alter) {
+        if (existing) {
             column.alter();
         }
     }

package/dist/services/import-export.js

@@ -133,6 +133,8 @@ export class ImportService {
             };
             const PapaOptions = {
                 header: true,
+                // Trim whitespaces in headers, including the byte order mark (BOM) zero-width no-break space
+                transformHeader: (header) => header.trim(),
                 transform,
             };
             return new Promise((resolve, reject) => {
@@ -304,7 +306,6 @@ export class ExportService {
             const savedFile = await filesService.uploadOne(createReadStream(tmpFile.path), fileWithDefaults);
             if (this.accountability?.user) {
                 const notificationsService = new NotificationsService({
-                    accountability: this.accountability,
                     schema: this.schema,
                 });
                 const usersService = new UsersService({
@@ -333,7 +334,6 @@ Your export of ${collection} is ready. <a href="${href}">Click here to view.</a>
             logger.error(err, `Couldn't export ${collection}: ${err.message}`);
             if (this.accountability?.user) {
                 const notificationsService = new NotificationsService({
-                    accountability: this.accountability,
                     schema: this.schema,
                 });
                 await notificationsService.createOne({

package/dist/services/items.js

@@ -370,7 +370,7 @@ export class ItemsService {
             knex: this.knex,
         });
         ast = await processAst({ ast, action: 'read', accountability: this.accountability }, { knex: this.knex, schema: this.schema });
-        const records = await runAst(ast, this.schema, {
+        const records = await runAst(ast, this.schema, this.accountability, {
             knex: this.knex,
             // GraphQL requires relational keys to be returned regardless
             stripNonRequested: opts?.stripNonRequested !== undefined ? opts.stripNonRequested : true,

package/dist/services/meta.js

@@ -45,14 +45,14 @@ export class MetaService {
                 action: 'read',
                 policies,
                 accountability: this.accountability,
-                ...(collection ? { collections: [collection] } : {}),
             }, context);
-            const rules = dedupeAccess(permissions);
+            const collectionPermissions = permissions.filter((permission) => permission.collection === collection);
+            const rules = dedupeAccess(collectionPermissions);
             const cases = rules.map(({ rule }) => rule);
             const filter = {
                 _or: cases,
             };
-            const result = applyFilter(this.knex, this.schema, dbQuery, filter, collection, {}, cases);
+            const result = applyFilter(this.knex, this.schema, dbQuery, filter, collection, {}, cases, permissions);
             hasJoins = result.hasJoins;
         }
         if (hasJoins) {
@@ -70,6 +70,7 @@ export class MetaService {
         let filter = query.filter || {};
         let hasJoins = false;
         let cases = [];
+        let permissions = [];
         if (this.accountability && this.accountability.admin === false) {
             const context = { knex: this.knex, schema: this.schema };
             await validateAccess({
@@ -78,13 +79,13 @@ export class MetaService {
                 collection,
             }, context);
             const policies = await fetchPolicies(this.accountability, context);
-            const permissions = await fetchPermissions({
+            permissions = await fetchPermissions({
                 action: 'read',
                 policies,
                 accountability: this.accountability,
-                ...(collection ? { collections: [collection] } : {}),
             }, context);
-            const rules = dedupeAccess(permissions);
+            const collectionPermissions = permissions.filter((permission) => permission.collection === collection);
+            const rules = dedupeAccess(collectionPermissions);
             cases = rules.map(({ rule }) => rule);
             const permissionsFilter = {
                 _or: cases,
@@ -97,7 +98,7 @@ export class MetaService {
             }
         }
         if (Object.keys(filter).length > 0) {
-            ({ hasJoins } = applyFilter(this.knex, this.schema, dbQuery, filter, collection, {}, cases));
+            ({ hasJoins } = applyFilter(this.knex, this.schema, dbQuery, filter, collection, {}, cases, permissions));
         }
         if (query.search) {
             applySearch(this.knex, this.schema, dbQuery, query.search, collection);

package/dist/services/permissions.js

@@ -1,5 +1,8 @@
 import { ForbiddenError } from '@directus/errors';
+import { uniq } from 'lodash-es';
 import { clearSystemCache } from '../cache.js';
+import { fetchPermissions } from '../permissions/lib/fetch-permissions.js';
+import { fetchPolicies } from '../permissions/lib/fetch-policies.js';
 import { withAppMinimalPermissions } from '../permissions/lib/with-app-minimal-permissions.js';
 import { validateAccess } from '../permissions/modules/validate-access/validate-access.js';
 import { ItemsService } from './items.js';
@@ -105,27 +108,24 @@ export class PermissionsService extends ItemsService {
                 .catch(() => { });
         }));
         if (schema?.singleton && itemPermissions.update.access) {
-            const query = {
-                filter: {
-                    _and: [
-                        ...(this.accountability?.role ? [{ role: { _eq: this.accountability.role } }] : []),
-                        { collection: { _eq: collection } },
-                        { action: { _eq: updateAction } },
-                    ],
-                },
-                fields: ['presets', 'fields'],
-            };
-            try {
-                const result = await this.readByQuery(query);
-                const permission = result[0];
-                if (permission) {
-                    itemPermissions.update.presets = permission['presets'];
-                    itemPermissions.update.fields = permission['fields'];
+            const context = { schema: this.schema, knex: this.knex };
+            const policies = await fetchPolicies(this.accountability, context);
+            const permissions = await fetchPermissions({ policies, accountability: this.accountability, action: updateAction, collections: [collection] }, context);
+            let fields = [];
+            let presets = {};
+            for (const permission of permissions) {
+                if (permission.fields && fields[0] !== '*') {
+                    fields = uniq([...fields, ...permission.fields]);
+                    if (fields.includes('*')) {
+                        fields = ['*'];
+                    }
+                }
+                if (permission.presets) {
+                    presets = { ...(presets ?? {}), ...permission.presets };
                 }
             }
-            catch {
-                // No permission
-            }
+            itemPermissions.update.fields = fields;
+            itemPermissions.update.presets = presets;
         }
         return itemPermissions;
     }

package/dist/utils/apply-query.d.ts

@@ -1,4 +1,4 @@
-import type { Aggregate, Filter, Query, SchemaOverview } from '@directus/types';
+import type { Aggregate, Filter, Permission, Query, SchemaOverview } from '@directus/types';
 import type { Knex } from 'knex';
 import type { AliasMap } from './get-column-path.js';
 export declare const generateAlias: (size?: number | undefined) => string;
@@ -11,7 +11,7 @@ type ApplyQueryOptions = {
 /**
  * Apply the Query to a given Knex query builder instance
  */
-export default function applyQuery(knex: Knex, collection: string, dbQuery: Knex.QueryBuilder, query: Query, schema: SchemaOverview, cases: Filter[], options?: ApplyQueryOptions): {
+export default function applyQuery(knex: Knex, collection: string, dbQuery: Knex.QueryBuilder, query: Query, schema: SchemaOverview, cases: Filter[], permissions: Permission[], options?: ApplyQueryOptions): {
     query: Knex.QueryBuilder<any, any>;
     hasJoins: boolean;
     hasMultiRelationalFilter: boolean;
@@ -34,7 +34,7 @@ export declare function applySort(knex: Knex, schema: SchemaOverview, rootQuery:
 };
 export declare function applyLimit(knex: Knex, rootQuery: Knex.QueryBuilder, limit: any): void;
 export declare function applyOffset(knex: Knex, rootQuery: Knex.QueryBuilder, offset: any): void;
-export declare function applyFilter(knex: Knex, schema: SchemaOverview, rootQuery: Knex.QueryBuilder, rootFilter: Filter, collection: string, aliasMap: AliasMap, cases: Filter[]): {
+export declare function applyFilter(knex: Knex, schema: SchemaOverview, rootQuery: Knex.QueryBuilder, rootFilter: Filter, collection: string, aliasMap: AliasMap, cases: Filter[], permissions: Permission[]): {
     query: Knex.QueryBuilder<any, any>;
     hasJoins: boolean;
     hasMultiRelationalFilter: boolean;