@directus/api 22.1.0 → 22.2.0

package/dist/logger/logs-stream.js

@@ -0,0 +1,41 @@
+import { nanoid } from 'nanoid';
+import { Writable } from 'stream';
+import { useBus } from '../bus/index.js';
+const nodeId = nanoid(8);
+export class LogsStream extends Writable {
+    messenger;
+    pretty;
+    constructor(pretty) {
+        super({ objectMode: true });
+        this.messenger = useBus();
+        this.pretty = pretty;
+    }
+    _write(chunk, _encoding, callback) {
+        if (!this.pretty) {
+            // keeping this string interpolation for performance on RAW logs
+            this.messenger.publish('logs', `{"log":${chunk},"nodeId":"${nodeId}"}`);
+            return callback();
+        }
+        const log = JSON.parse(chunk);
+        if (this.pretty === 'http' && log.req?.method && log.req?.url && log.res?.statusCode && log.responseTime) {
+            this.messenger.publish('logs', JSON.stringify({
+                log: {
+                    level: log['level'],
+                    time: log['time'],
+                    msg: `${log.req.method} ${log.req.url} ${log.res.statusCode} ${log.responseTime}ms`,
+                },
+                nodeId: nodeId,
+            }));
+            return callback();
+        }
+        this.messenger.publish('logs', JSON.stringify({
+            log: {
+                level: log['level'],
+                time: log['time'],
+                msg: log['msg'],
+            },
+            nodeId: nodeId,
+        }));
+        callback();
+    }
+}

package/dist/middleware/respond.js

@@ -20,6 +20,7 @@ export const respond = asyncHandler(async (req, res) => {
         exceedsMaxSize = valueSize > maxSize;
     }
     if ((req.method.toLowerCase() === 'get' || req.originalUrl?.startsWith('/graphql')) &&
+        req.originalUrl?.startsWith('/auth') === false &&
         env['CACHE_ENABLED'] === true &&
         cache &&
         !req.sanitizedQuery.export &&

package/dist/permissions/lib/fetch-permissions.d.ts

@@ -1,6 +1,5 @@
-import type { Accountability, Permission, PermissionsAction } from '@directus/types';
+import type { Accountability, PermissionsAction } from '@directus/types';
 import type { Context } from '../types.js';
-export declare const fetchPermissions: typeof _fetchPermissions;
 export interface FetchPermissionsOptions {
     action?: PermissionsAction;
     policies: string[];
@@ -8,4 +7,4 @@ export interface FetchPermissionsOptions {
     accountability?: Pick<Accountability, 'user' | 'role' | 'roles' | 'app'>;
     bypassDynamicVariableProcessing?: boolean;
 }
-export declare function _fetchPermissions(options: FetchPermissionsOptions, context: Context): Promise<Permission[]>;
+export declare function fetchPermissions(options: FetchPermissionsOptions, context: Context): Promise<import("@directus/types").Permission[]>;

package/dist/permissions/lib/fetch-permissions.js

@@ -1,51 +1,17 @@
-import { pick, sortBy } from 'lodash-es';
 import { fetchDynamicVariableContext } from '../utils/fetch-dynamic-variable-context.js';
+import { fetchRawPermissions } from '../utils/fetch-raw-permissions.js';
 import { processPermissions } from '../utils/process-permissions.js';
-import { withCache } from '../utils/with-cache.js';
-import { withAppMinimalPermissions } from './with-app-minimal-permissions.js';
-export const fetchPermissions = withCache('permissions', _fetchPermissions, ({ action, policies, collections, accountability, bypassDynamicVariableProcessing }) => ({
-    policies, // we assume that policies always come from the same source, so they should be in the same order
-    ...(action && { action }),
-    ...(collections && { collections: sortBy(collections) }),
-    ...(accountability && { accountability: pick(accountability, ['user', 'role', 'roles', 'app']) }),
-    ...(bypassDynamicVariableProcessing && { bypassDynamicVariableProcessing }),
-}));
-export async function _fetchPermissions(options, context) {
-    const { PermissionsService } = await import('../../services/permissions.js');
-    const permissionsService = new PermissionsService(context);
-    const filter = {
-        _and: [{ policy: { _in: options.policies } }],
-    };
-    if (options.action) {
-        filter._and.push({ action: { _eq: options.action } });
-    }
-    if (options.collections) {
-        filter._and.push({ collection: { _in: options.collections } });
-    }
-    let permissions = (await permissionsService.readByQuery({
-        filter,
-        limit: -1,
-    }));
-    // Sort permissions by their order in the policies array
-    // This ensures that if a sorted array of policies is passed in the permissions are returned in the same order
-    // which is necessary for correctly applying the presets in order
-    permissions = sortBy(permissions, (permission) => options.policies.indexOf(permission.policy));
+export async function fetchPermissions(options, context) {
+    const permissions = await fetchRawPermissions({ ...options, bypassMinimalAppPermissions: options.bypassDynamicVariableProcessing ?? false }, context);
     if (options.accountability && !options.bypassDynamicVariableProcessing) {
-        // Add app minimal permissions for the request accountability, if applicable.
-        // Normally this is done in the permissions service readByQuery, but it also needs to do it here
-        // since the permissions service is created without accountability.
-        // We call it without the policies filter, since the static minimal app permissions don't have a policy attached.
-        const permissionsWithAppPermissions = withAppMinimalPermissions(options.accountability ?? null, permissions, {
-            _and: filter._and.slice(1),
-        });
         const permissionsContext = await fetchDynamicVariableContext({
             accountability: options.accountability,
             policies: options.policies,
-            permissions: permissionsWithAppPermissions,
+            permissions,
         }, context);
         // Replace dynamic variables with their actual values
         const processedPermissions = processPermissions({
-            permissions: permissionsWithAppPermissions,
+            permissions,
             accountability: options.accountability,
             permissionsContext,
         });

package/dist/permissions/modules/fetch-allowed-collections/fetch-allowed-collections.d.ts

@@ -4,5 +4,4 @@ export interface FetchAllowedCollectionsOptions {
     action: PermissionsAction;
     accountability: Pick<Accountability, 'user' | 'role' | 'roles' | 'ip' | 'admin' | 'app'>;
 }
-export declare const fetchAllowedCollections: typeof _fetchAllowedCollections;
-export declare function _fetchAllowedCollections({ action, accountability }: FetchAllowedCollectionsOptions, { knex, schema }: Context): Promise<string[]>;
+export declare function fetchAllowedCollections({ action, accountability }: FetchAllowedCollectionsOptions, { knex, schema }: Context): Promise<string[]>;

package/dist/permissions/modules/fetch-allowed-collections/fetch-allowed-collections.js

@@ -1,19 +1,7 @@
 import { uniq } from 'lodash-es';
 import { fetchPolicies } from '../../lib/fetch-policies.js';
-import { withCache } from '../../utils/with-cache.js';
 import { fetchPermissions } from '../../lib/fetch-permissions.js';
-export const fetchAllowedCollections = withCache('allowed-collections', _fetchAllowedCollections, ({ action, accountability: { user, role, roles, ip, admin, app } }) => ({
-    action,
-    accountability: {
-        user,
-        role,
-        roles,
-        ip,
-        admin,
-        app,
-    },
-}));
-export async function _fetchAllowedCollections({ action, accountability }, { knex, schema }) {
+export async function fetchAllowedCollections({ action, accountability }, { knex, schema }) {
     if (accountability.admin) {
         return Object.keys(schema.collections);
     }

package/dist/permissions/modules/fetch-allowed-field-map/fetch-allowed-field-map.d.ts

@@ -5,5 +5,4 @@ export interface FetchAllowedFieldMapOptions {
     accountability: Pick<Accountability, 'user' | 'role' | 'roles' | 'ip' | 'admin' | 'app'>;
     action: PermissionsAction;
 }
-export declare const fetchAllowedFieldMap: typeof _fetchAllowedFieldMap;
-export declare function _fetchAllowedFieldMap({ accountability, action }: FetchAllowedFieldMapOptions, { knex, schema }: Context): Promise<FieldMap>;
+export declare function fetchAllowedFieldMap({ accountability, action }: FetchAllowedFieldMapOptions, { knex, schema }: Context): Promise<FieldMap>;

package/dist/permissions/modules/fetch-allowed-field-map/fetch-allowed-field-map.js

@@ -1,12 +1,7 @@
 import { uniq } from 'lodash-es';
 import { fetchPolicies } from '../../lib/fetch-policies.js';
-import { withCache } from '../../utils/with-cache.js';
 import { fetchPermissions } from '../../lib/fetch-permissions.js';
-export const fetchAllowedFieldMap = withCache('allowed-field-map', _fetchAllowedFieldMap, ({ action, accountability: { user, role, roles, ip, admin, app } }) => ({
-    action,
-    accountability: { user, role, roles, ip, admin, app },
-}));
-export async function _fetchAllowedFieldMap({ accountability, action }, { knex, schema }) {
+export async function fetchAllowedFieldMap({ accountability, action }, { knex, schema }) {
     const fieldMap = {};
     if (accountability.admin) {
         for (const [collection, { fields }] of Object.entries(schema.collections)) {

package/dist/permissions/modules/fetch-allowed-fields/fetch-allowed-fields.d.ts

@@ -5,7 +5,6 @@ export interface FetchAllowedFieldsOptions {
     action: PermissionsAction;
     accountability: Pick<Accountability, 'user' | 'role' | 'roles' | 'ip' | 'app'>;
 }
-export declare const fetchAllowedFields: typeof _fetchAllowedFields;
 /**
  * Look up all fields that are allowed to be used for the given collection and action for the given
  * accountability object
@@ -13,4 +12,4 @@ export declare const fetchAllowedFields: typeof _fetchAllowedFields;
  * Done by looking up all available policies for the current accountability object, and reading all
  * permissions that exist for the collection+action+policy combination
  */
-export declare function _fetchAllowedFields({ accountability, action, collection }: FetchAllowedFieldsOptions, { knex, schema }: Context): Promise<string[]>;
+export declare function fetchAllowedFields({ accountability, action, collection }: FetchAllowedFieldsOptions, { knex, schema }: Context): Promise<string[]>;

package/dist/permissions/modules/fetch-allowed-fields/fetch-allowed-fields.js

@@ -1,12 +1,6 @@
 import { uniq } from 'lodash-es';
 import { fetchPermissions } from '../../lib/fetch-permissions.js';
 import { fetchPolicies } from '../../lib/fetch-policies.js';
-import { withCache } from '../../utils/with-cache.js';
-export const fetchAllowedFields = withCache('allowed-fields', _fetchAllowedFields, ({ action, collection, accountability: { user, role, roles, ip, app } }) => ({
-    action,
-    collection,
-    accountability: { user, role, roles, ip, app },
-}));
 /**
  * Look up all fields that are allowed to be used for the given collection and action for the given
  * accountability object
@@ -14,7 +8,7 @@ export const fetchAllowedFields = withCache('allowed-fields', _fetchAllowedField
  * Done by looking up all available policies for the current accountability object, and reading all
  * permissions that exist for the collection+action+policy combination
  */
-export async function _fetchAllowedFields({ accountability, action, collection }, { knex, schema }) {
+export async function fetchAllowedFields({ accountability, action, collection }, { knex, schema }) {
     const policies = await fetchPolicies(accountability, { knex, schema });
     const permissions = await fetchPermissions({ action, collections: [collection], policies, accountability }, { knex, schema });
     const allowedFields = [];

package/dist/permissions/modules/fetch-inconsistent-field-map/fetch-inconsistent-field-map.d.ts

@@ -8,5 +8,4 @@ export interface FetchInconsistentFieldMapOptions {
 /**
  * Fetch a field map for fields that may or may not be null based on item-by-item permissions.
  */
-export declare const fetchInconsistentFieldMap: typeof _fetchInconsistentFieldMap;
-export declare function _fetchInconsistentFieldMap({ accountability, action }: FetchInconsistentFieldMapOptions, { knex, schema }: Context): Promise<FieldMap>;
+export declare function fetchInconsistentFieldMap({ accountability, action }: FetchInconsistentFieldMapOptions, { knex, schema }: Context): Promise<FieldMap>;

package/dist/permissions/modules/fetch-inconsistent-field-map/fetch-inconsistent-field-map.js

@@ -1,15 +1,10 @@
-import { uniq, intersection, difference, pick } from 'lodash-es';
+import { uniq, intersection, difference } from 'lodash-es';
 import { fetchPolicies } from '../../lib/fetch-policies.js';
-import { withCache } from '../../utils/with-cache.js';
 import { fetchPermissions } from '../../lib/fetch-permissions.js';
 /**
  * Fetch a field map for fields that may or may not be null based on item-by-item permissions.
  */
-export const fetchInconsistentFieldMap = withCache('inconsistent-field-map', _fetchInconsistentFieldMap, ({ action, accountability }) => ({
-    action,
-    accountability: accountability ? pick(accountability, ['user', 'role', 'roles', 'ip', 'admin', 'app']) : null,
-}));
-export async function _fetchInconsistentFieldMap({ accountability, action }, { knex, schema }) {
+export async function fetchInconsistentFieldMap({ accountability, action }, { knex, schema }) {
     const fieldMap = {};
     if (!accountability || accountability.admin) {
         for (const collection of Object.keys(schema.collections)) {

package/dist/permissions/modules/process-ast/lib/get-cases.d.ts

@@ -0,0 +1,6 @@
+import type { Filter, Permission } from '@directus/types';
+export declare function getCases(collection: string, permissions: Permission[], requestedKeys: string[]): {
+    cases: Filter[];
+    caseMap: Record<string, number[]>;
+    allowedFields: Set<string>;
+};

package/dist/permissions/modules/process-ast/lib/get-cases.js

@@ -0,0 +1,40 @@
+import { dedupeAccess } from '../utils/dedupe-access.js';
+import { hasItemPermissions } from '../utils/has-item-permissions.js';
+export function getCases(collection, permissions, requestedKeys) {
+    const permissionsForCollection = permissions.filter((permission) => permission.collection === collection);
+    const rules = dedupeAccess(permissionsForCollection);
+    const cases = [];
+    const caseMap = {};
+    // TODO this can be optimized if there is only one rule to skip the whole case/where system,
+    //  since fields that are not allowed at all are already filtered out
+    // TODO this can be optimized if all cases are the same for all requested keys, as those should be
+    //
+    let index = 0;
+    for (const { rule, fields } of rules) {
+        // If none of the fields in the current permissions rule overlap with the actually requested
+        // fields in the AST, we can ignore this case altogether
+        if (requestedKeys.length > 0 &&
+            fields.has('*') === false &&
+            Array.from(fields).every((field) => requestedKeys.includes(field) === false)) {
+            continue;
+        }
+        if (rule === null)
+            continue;
+        cases.push(rule);
+        for (const field of fields) {
+            caseMap[field] = [...(caseMap[field] ?? []), index];
+        }
+        index++;
+    }
+    // Field that are allowed no matter what conditions exist for the item. These come from
+    // permissions where the item read access is "everything"
+    const allowedFields = new Set(permissionsForCollection
+        .filter((permission) => hasItemPermissions(permission) === false)
+        .map((permission) => permission.fields ?? [])
+        .flat());
+    return {
+        cases,
+        caseMap,
+        allowedFields,
+    };
+}

package/dist/permissions/modules/process-ast/lib/inject-cases.js

@@ -1,7 +1,6 @@
 import { getUnaliasedFieldKey } from '../../../utils/get-unaliased-field-key.js';
-import { dedupeAccess } from '../utils/dedupe-access.js';
-import { hasItemPermissions } from '../utils/has-item-permissions.js';
 import { uniq } from 'lodash-es';
+import { getCases } from './get-cases.js';
 /**
  * Mutates passed AST
  *
@@ -53,41 +52,3 @@ function processChildren(collection, children, permissions) {
     }
     return cases;
 }
-function getCases(collection, permissions, requestedKeys) {
-    const permissionsForCollection = permissions.filter((permission) => permission.collection === collection);
-    const rules = dedupeAccess(permissionsForCollection);
-    const cases = [];
-    const caseMap = {};
-    // TODO this can be optimized if there is only one rule to skip the whole case/where system,
-    //  since fields that are not allowed at all are already filtered out
-    // TODO this can be optimized if all cases are the same for all requested keys, as those should be
-    //
-    let index = 0;
-    for (const { rule, fields } of rules) {
-        // If none of the fields in the current permissions rule overlap with the actually requested
-        // fields in the AST, we can ignore this case altogether
-        if (requestedKeys.length > 0 &&
-            fields.has('*') === false &&
-            Array.from(fields).every((field) => requestedKeys.includes(field) === false)) {
-            continue;
-        }
-        if (rule === null)
-            continue;
-        cases.push(rule);
-        for (const field of fields) {
-            caseMap[field] = [...(caseMap[field] ?? []), index];
-        }
-        index++;
-    }
-    // Field that are allowed no matter what conditions exist for the item. These come from
-    // permissions where the item read access is "everything"
-    const allowedFields = new Set(permissionsForCollection
-        .filter((permission) => hasItemPermissions(permission) === false)
-        .map((permission) => permission.fields ?? [])
-        .flat());
-    return {
-        cases,
-        caseMap,
-        allowedFields,
-    };
-}

package/dist/permissions/modules/process-payload/process-payload.js

@@ -55,6 +55,8 @@ export async function processPayload(options, context) {
         }
         fieldValidationRules.push(field.validation);
     }
+    const presets = (permissions ?? []).map((permission) => permission.presets);
+    const payloadWithPresets = assign({}, ...presets, options.payload);
     const validationRules = [...fieldValidationRules, ...permissionValidationRules].filter((rule) => {
         if (rule === null)
             return false;
@@ -64,14 +66,11 @@ export async function processPayload(options, context) {
     });
     if (validationRules.length > 0) {
         const validationErrors = [];
-        validationErrors.push(...validatePayload({ _and: validationRules }, options.payload)
+        validationErrors.push(...validatePayload({ _and: validationRules }, payloadWithPresets)
             .map((error) => error.details.map((details) => new FailedValidationError(joiValidationErrorItemToErrorExtensions(details))))
             .flat());
         if (validationErrors.length > 0)
             throw validationErrors;
     }
-    if (!permissions)
-        return options.payload;
-    const presets = permissions.map((permission) => permission.presets);
-    return assign({}, ...presets, options.payload);
+    return payloadWithPresets;
 }

package/dist/permissions/modules/validate-access/lib/validate-item-access.js

@@ -13,11 +13,6 @@ export async function validateItemAccess(options, context) {
         // whole or not
         fields: [],
         limit: options.primaryKeys.length,
-        filter: {
-            [primaryKeyField]: {
-                _in: options.primaryKeys,
-            },
-        },
     };
     const ast = await getAstFromQuery({
         accountability: options.accountability,
@@ -25,7 +20,13 @@ export async function validateItemAccess(options, context) {
         collection: options.collection,
     }, context);
     await processAst({ ast, ...options }, context);
-    const items = await runAst(ast, context.schema, { knex: context.knex });
+    // Inject the filter after the permissions have been processed, as to not require access to the primary key
+    ast.query.filter = {
+        [primaryKeyField]: {
+            _in: options.primaryKeys,
+        },
+    };
+    const items = await runAst(ast, context.schema, options.accountability, { knex: context.knex });
     if (items && items.length === options.primaryKeys.length) {
         return true;
     }

package/dist/permissions/utils/fetch-dynamic-variable-context.d.ts

@@ -1,9 +1,8 @@
 import type { Accountability, Permission } from '@directus/types';
 import type { Context } from '../types.js';
-export declare const fetchDynamicVariableContext: typeof _fetchDynamicVariableContext;
 export interface FetchDynamicVariableContext {
     accountability: Pick<Accountability, 'user' | 'role' | 'roles'>;
     policies: string[];
     permissions: Permission[];
 }
-export declare function _fetchDynamicVariableContext(options: FetchDynamicVariableContext, context: Context): Promise<Record<string, any>>;
+export declare function fetchDynamicVariableContext(options: FetchDynamicVariableContext, context: Context): Promise<Record<string, any>>;

package/dist/permissions/utils/fetch-dynamic-variable-context.js

@@ -1,43 +1,63 @@
-import { extractRequiredDynamicVariableContext } from './extract-required-dynamic-variable-context.js';
-import { withCache } from './with-cache.js';
-export const fetchDynamicVariableContext = withCache('permission-dynamic-variables', _fetchDynamicVariableContext, ({ policies, permissions, accountability: { user, role, roles } }) => ({
-    policies,
-    permissions,
-    accountability: {
-        user,
-        role,
-        roles,
-    },
-}));
-export async function _fetchDynamicVariableContext(options, context) {
+import { useEnv } from '@directus/env';
+import { getSimpleHash } from '@directus/utils';
+import { getCache, getCacheValue, setCacheValue } from '../../cache.js';
+import { extractRequiredDynamicVariableContext, } from './extract-required-dynamic-variable-context.js';
+export async function fetchDynamicVariableContext(options, context) {
     const { UsersService } = await import('../../services/users.js');
     const { RolesService } = await import('../../services/roles.js');
     const { PoliciesService } = await import('../../services/policies.js');
     const contextData = {};
     const permissionContext = extractRequiredDynamicVariableContext(options.permissions);
     if (options.accountability.user && (permissionContext.$CURRENT_USER?.size ?? 0) > 0) {
-        const usersService = new UsersService(context);
-        contextData['$CURRENT_USER'] = await usersService.readOne(options.accountability.user, {
-            fields: Array.from(permissionContext.$CURRENT_USER),
+        contextData['$CURRENT_USER'] = await fetchContextData('$CURRENT_USER', permissionContext, { user: options.accountability.user }, async (fields) => {
+            const usersService = new UsersService(context);
+            return await usersService.readOne(options.accountability.user, {
+                fields,
+            });
         });
     }
     if (options.accountability.role && (permissionContext.$CURRENT_ROLE?.size ?? 0) > 0) {
-        const rolesService = new RolesService(context);
-        contextData['$CURRENT_ROLE'] = await rolesService.readOne(options.accountability.role, {
-            fields: Array.from(permissionContext.$CURRENT_ROLE),
+        contextData['$CURRENT_ROLE'] = await fetchContextData('$CURRENT_ROLE', permissionContext, { role: options.accountability.role }, async (fields) => {
+            const usersService = new RolesService(context);
+            return await usersService.readOne(options.accountability.role, {
+                fields,
+            });
         });
     }
     if (options.accountability.roles.length > 0 && (permissionContext.$CURRENT_ROLES?.size ?? 0) > 0) {
-        const rolesService = new RolesService(context);
-        contextData['$CURRENT_ROLES'] = await rolesService.readMany(options.accountability.roles, {
-            fields: Array.from(permissionContext.$CURRENT_ROLES),
+        contextData['$CURRENT_ROLES'] = await fetchContextData('$CURRENT_ROLES', permissionContext, { roles: options.accountability.roles }, async (fields) => {
+            const rolesService = new RolesService(context);
+            return await rolesService.readMany(options.accountability.roles, {
+                fields,
+            });
         });
     }
     if (options.policies.length > 0 && (permissionContext.$CURRENT_POLICIES?.size ?? 0) > 0) {
-        const policiesService = new PoliciesService(context);
-        contextData['$CURRENT_POLICIES'] = await policiesService.readMany(options.policies, {
-            fields: Array.from(permissionContext.$CURRENT_POLICIES),
+        contextData['$CURRENT_POLICIES'] = await fetchContextData('$CURRENT_POLICIES', permissionContext, { policies: options.policies }, async (fields) => {
+            const policiesService = new PoliciesService(context);
+            return await policiesService.readMany(options.policies, {
+                fields,
+            });
         });
     }
     return contextData;
 }
+async function fetchContextData(key, permissionContext, cacheContext, fetch) {
+    const { cache } = getCache();
+    const env = useEnv();
+    const fields = Array.from(permissionContext[key]);
+    const cacheKey = cache
+        ? `filter-context-${key.slice(1)}-${getSimpleHash(JSON.stringify({ ...cacheContext, fields }))}`
+        : '';
+    let data = undefined;
+    if (cache) {
+        data = await getCacheValue(cache, cacheKey);
+    }
+    if (!data) {
+        data = await fetch(fields);
+        if (cache && env['CACHE_ENABLED'] !== false) {
+            await setCacheValue(cache, cacheKey, data);
+        }
+    }
+    return data;
+}

package/dist/permissions/utils/fetch-raw-permissions.d.ts

@@ -0,0 +1,11 @@
+import type { Accountability, Permission, PermissionsAction } from '@directus/types';
+import type { Context } from '../types.js';
+export declare const fetchRawPermissions: typeof _fetchRawPermissions;
+export interface FetchRawPermissionsOptions {
+    action?: PermissionsAction;
+    policies: string[];
+    collections?: string[];
+    accountability?: Pick<Accountability, 'app'>;
+    bypassMinimalAppPermissions?: boolean;
+}
+export declare function _fetchRawPermissions(options: FetchRawPermissionsOptions, context: Context): Promise<Permission[]>;

package/dist/permissions/utils/fetch-raw-permissions.js

@@ -0,0 +1,39 @@
+import { sortBy } from 'lodash-es';
+import { withAppMinimalPermissions } from '../lib/with-app-minimal-permissions.js';
+import { withCache } from './with-cache.js';
+export const fetchRawPermissions = withCache('raw-permissions', _fetchRawPermissions, ({ action, policies, collections, accountability, bypassMinimalAppPermissions }) => ({
+    policies, // we assume that policies always come from the same source, so they should be in the same order
+    ...(action && { action }),
+    ...(collections && { collections: sortBy(collections) }),
+    ...(accountability && { accountability: { app: accountability.app } }),
+    ...(bypassMinimalAppPermissions && { bypassMinimalAppPermissions }),
+}));
+export async function _fetchRawPermissions(options, context) {
+    const { PermissionsService } = await import('../../services/permissions.js');
+    const permissionsService = new PermissionsService(context);
+    const filter = {
+        _and: [{ policy: { _in: options.policies } }],
+    };
+    if (options.action) {
+        filter._and.push({ action: { _eq: options.action } });
+    }
+    if (options.collections) {
+        filter._and.push({ collection: { _in: options.collections } });
+    }
+    let permissions = (await permissionsService.readByQuery({
+        filter,
+        limit: -1,
+    }));
+    // Sort permissions by their order in the policies array
+    // This ensures that if a sorted array of policies is passed in the permissions are returned in the same order
+    // which is necessary for correctly applying the presets in order
+    permissions = sortBy(permissions, (permission) => options.policies.indexOf(permission.policy));
+    if (options.accountability && !options.bypassMinimalAppPermissions) {
+        // Add app minimal permissions for the request accountability, if applicable.
+        // Normally this is done in the permissions service readByQuery, but it also needs to do it here
+        // since the permissions service is created without accountability.
+        // We call it without the policies filter, since the static minimal app permissions don't have a policy attached.
+        return withAppMinimalPermissions(options.accountability ?? null, permissions, { _and: filter._and.slice(1) });
+    }
+    return permissions;
+}

package/dist/request/is-denied-ip.js

@@ -1,5 +1,6 @@
 import { useEnv } from '@directus/env';
 import os from 'node:os';
+import { matches } from 'ip-matching';
 import { useLogger } from '../logger/index.js';
 import { ipInNetworks } from '../utils/ip-in-networks.js';
 export function isDeniedIp(ip) {
@@ -24,8 +25,13 @@ export function isDeniedIp(ip) {
             if (!networkInfo)
                 continue;
             for (const info of networkInfo) {
-                if (info.address === ip)
+                if (info.internal && info.cidr) {
+                    if (matches(ip, info.cidr))
+                        return true;
+                }
+                else if (info.address === ip) {
                     return true;
+                }
             }
         }
     }

package/dist/server.js

@@ -14,7 +14,7 @@ import { useLogger } from './logger/index.js';
 import { getConfigFromEnv } from './utils/get-config-from-env.js';
 import { getIPFromReq } from './utils/get-ip-from-req.js';
 import { getAddress } from './utils/get-address.js';
-import { createSubscriptionController, createWebSocketController, getSubscriptionController, getWebSocketController, } from './websocket/controllers/index.js';
+import { createLogsController, createSubscriptionController, createWebSocketController, getLogsController, getSubscriptionController, getWebSocketController, } from './websocket/controllers/index.js';
 import { startWebSocketHandlers } from './websocket/handlers/index.js';
 export let SERVER_ONLINE = true;
 const env = useEnv();
@@ -77,6 +77,7 @@ export async function createServer() {
     if (toBoolean(env['WEBSOCKETS_ENABLED']) === true) {
         createSubscriptionController(server);
         createWebSocketController(server);
+        createLogsController(server);
         startWebSocketHandlers();
     }
     const terminusOptions = {
@@ -99,6 +100,7 @@ export async function createServer() {
     async function onSignal() {
         getSubscriptionController()?.terminate();
         getWebSocketController()?.terminate();
+        getLogsController()?.terminate();
         const database = getDatabase();
         await database.destroy();
         logger.info('Database connections destroyed');
@@ -126,7 +128,7 @@ export async function startServer() {
     else {
         listenOptions = {
             host,
-            port: parseInt(port || '8055'),
+            port: parseInt(port),
         };
     }
     server

package/dist/services/fields.d.ts

@@ -30,5 +30,5 @@ export declare class FieldsService {
     updateField(collection: string, field: RawField, opts?: MutationOptions): Promise<string>;
     updateFields(collection: string, fields: RawField[], opts?: MutationOptions): Promise<string[]>;
     deleteField(collection: string, field: string, opts?: MutationOptions): Promise<void>;
-    addColumnToTable(table: Knex.CreateTableBuilder, field: RawField | Field, alter?: Column | null): void;
+    addColumnToTable(table: Knex.CreateTableBuilder, field: RawField | Field, existing?: Column | null): void;
 }