@directus/api 23.0.0 → 23.1.1

package/dist/database/migrations/20240909A-separate-comments.js

@@ -0,0 +1,65 @@
+import { Action } from '@directus/constants';
+export async function up(knex) {
+    await knex.schema.createTable('directus_comments', (table) => {
+        table.uuid('id').primary().notNullable();
+        table
+            .string('collection', 64)
+            .notNullable()
+            .references('collection')
+            .inTable('directus_collections')
+            .onDelete('CASCADE');
+        table.string('item').notNullable();
+        table.text('comment').notNullable();
+        table.timestamp('date_created').defaultTo(knex.fn.now());
+        table.timestamp('date_updated').defaultTo(knex.fn.now());
+        table.uuid('user_created').references('id').inTable('directus_users').onDelete('SET NULL');
+        // Cannot have two constraints from/to the same table, handled on API side
+        table.uuid('user_updated').references('id').inTable('directus_users');
+    });
+}
+export async function down(knex) {
+    const rowsLimit = 50;
+    let hasMore = true;
+    while (hasMore) {
+        const comments = await knex
+            .select('id', 'collection', 'item', 'comment', 'date_created', 'user_created')
+            .from('directus_comments')
+            .limit(rowsLimit);
+        if (comments.length === 0) {
+            hasMore = false;
+            break;
+        }
+        await knex.transaction(async (trx) => {
+            for (const comment of comments) {
+                const migratedRecords = await trx('directus_activity')
+                    .select('id')
+                    .where('collection', '=', 'directus_comments')
+                    .andWhere('item', '=', comment.id)
+                    .andWhere('action', '=', Action.CREATE)
+                    .limit(1);
+                if (migratedRecords[0]) {
+                    await trx('directus_activity')
+                        .update({
+                        action: Action.COMMENT,
+                        collection: comment.collection,
+                        item: comment.item,
+                        comment: comment.comment,
+                    })
+                        .where('id', '=', migratedRecords[0].id);
+                }
+                else {
+                    await trx('directus_activity').insert({
+                        action: Action.COMMENT,
+                        collection: comment.collection,
+                        item: comment.item,
+                        comment: comment.comment,
+                        user: comment.user_created,
+                        timestamp: comment.date_created,
+                    });
+                }
+                await trx('directus_comments').where('id', '=', comment.id).delete();
+            }
+        });
+    }
+    await knex.schema.dropTable('directus_comments');
+}

package/dist/database/migrations/20240909B-consolidate-content-versioning.d.ts

@@ -0,0 +1,3 @@
+import type { Knex } from 'knex';
+export declare function up(knex: Knex): Promise<void>;
+export declare function down(knex: Knex): Promise<void>;

package/dist/database/migrations/20240909B-consolidate-content-versioning.js

@@ -0,0 +1,10 @@
+export async function up(knex) {
+    await knex.schema.alterTable('directus_versions', (table) => {
+        table.json('delta');
+    });
+}
+export async function down(knex) {
+    await knex.schema.alterTable('directus_versions', (table) => {
+        table.dropColumn('delta');
+    });
+}

package/dist/database/run-ast/lib/get-db-query.d.ts

@@ -1,4 +1,14 @@
-import type { Filter, Permission, Query, SchemaOverview } from '@directus/types';
+import type { Filter, Permission, Query } from '@directus/types';
 import type { Knex } from 'knex';
+import type { Context } from '../../../permissions/types.js';
 import type { FieldNode, FunctionFieldNode, O2MNode } from '../../../types/ast.js';
-export declare function getDBQuery(schema: SchemaOverview, knex: Knex, table: string, fieldNodes: (FieldNode | FunctionFieldNode)[], o2mNodes: O2MNode[], query: Query, cases: Filter[], permissions: Permission[]): Knex.QueryBuilder;
+export type DBQueryOptions = {
+    table: string;
+    fieldNodes: (FieldNode | FunctionFieldNode)[];
+    o2mNodes: O2MNode[];
+    query: Query;
+    cases: Filter[];
+    permissions: Permission[];
+    permissionsOnly?: boolean;
+};
+export declare function getDBQuery({ table, fieldNodes, o2mNodes, query, cases, permissions, permissionsOnly }: DBQueryOptions, { knex, schema }: Context): Knex.QueryBuilder;

package/dist/database/run-ast/lib/get-db-query.js

@@ -9,10 +9,10 @@ import { getColumnPreprocessor } from '../utils/get-column-pre-processor.js';
 import { getNodeAlias } from '../utils/get-field-alias.js';
 import { getInnerQueryColumnPreProcessor } from '../utils/get-inner-query-column-pre-processor.js';
 import { withPreprocessBindings } from '../utils/with-preprocess-bindings.js';
-export function getDBQuery(schema, knex, table, fieldNodes, o2mNodes, query, cases, permissions) {
+export function getDBQuery({ table, fieldNodes, o2mNodes, query, cases, permissions, permissionsOnly }, { knex, schema }) {
     const aliasMap = Object.create(null);
     const env = useEnv();
-    const preProcess = getColumnPreprocessor(knex, schema, table, cases, permissions, aliasMap);
+    const preProcess = getColumnPreprocessor(knex, schema, table, cases, permissions, aliasMap, permissionsOnly);
     const queryCopy = cloneDeep(query);
     const helpers = getHelpers(knex);
     const hasCaseWhen = o2mNodes.some((node) => node.whenCase && node.whenCase.length > 0) ||
@@ -181,7 +181,7 @@ export function getDBQuery(schema, knex, table, fieldNodes, o2mNodes, query, cas
         // Since the fields are expected to be the same for a single primary key it is safe to include them in the
         // group by without influencing the result.
         // This inclusion depends on the DB vendor, as such it is handled in a dialect specific helper.
-        helpers.schema.addInnerSortFieldsToGroupBy(groupByFields, innerQuerySortRecords, hasMultiRelationalSort ?? false);
+        helpers.schema.addInnerSortFieldsToGroupBy(groupByFields, innerQuerySortRecords, (hasMultiRelationalSort || sortRecords?.some(({ column }) => column.includes('.'))) ?? false);
         dbQuery.groupBy(groupByFields);
     }
     const wrapperQuery = knex

package/dist/database/run-ast/modules/fetch-permitted-ast-root-fields.d.ts

@@ -0,0 +1,15 @@
+import type { Accountability, PermissionsAction, SchemaOverview } from '@directus/types';
+import type { Knex } from 'knex';
+import type { AST } from '../../../types/ast.js';
+type FetchPermittedAstRootFieldsOptions = {
+    schema: SchemaOverview;
+    accountability: Accountability;
+    knex: Knex;
+    action: PermissionsAction;
+};
+/**
+ * Fetch the permitted top level fields of a given root type AST using a case/when query that is constructed the
+ * same way as `runAst` but only returns flags (1/null) instead of actual field values.
+ */
+export declare function fetchPermittedAstRootFields(originalAST: AST, { schema, accountability, knex, action }: FetchPermittedAstRootFieldsOptions): Promise<any>;
+export {};

package/dist/database/run-ast/modules/fetch-permitted-ast-root-fields.js

@@ -0,0 +1,29 @@
+import { cloneDeep } from 'lodash-es';
+import { fetchPermissions } from '../../../permissions/lib/fetch-permissions.js';
+import { fetchPolicies } from '../../../permissions/lib/fetch-policies.js';
+import { getDBQuery } from '../lib/get-db-query.js';
+import { parseCurrentLevel } from '../lib/parse-current-level.js';
+/**
+ * Fetch the permitted top level fields of a given root type AST using a case/when query that is constructed the
+ * same way as `runAst` but only returns flags (1/null) instead of actual field values.
+ */
+export async function fetchPermittedAstRootFields(originalAST, { schema, accountability, knex, action }) {
+    const ast = cloneDeep(originalAST);
+    const { name: collection, children, cases, query } = ast;
+    // Retrieve the database columns to select in the current AST
+    const { fieldNodes } = await parseCurrentLevel(schema, collection, children, query);
+    let permissions = [];
+    if (accountability && !accountability.admin) {
+        const policies = await fetchPolicies(accountability, { schema, knex });
+        permissions = await fetchPermissions({ action, accountability, policies }, { schema, knex });
+    }
+    return getDBQuery({
+        table: collection,
+        fieldNodes,
+        o2mNodes: [],
+        query,
+        cases,
+        permissions,
+        permissionsOnly: true,
+    }, { schema, knex });
+}

package/dist/database/run-ast/run-ast.js

@@ -36,7 +36,14 @@ export async function runAst(originalAST, schema, accountability, options) {
             permissions = await fetchPermissions({ action: 'read', accountability, policies }, { schema, knex });
         }
         // The actual knex query builder instance. This is a promise that resolves with the raw items from the db
-        const dbQuery = getDBQuery(schema, knex, collection, fieldNodes, o2mNodes, query, cases, permissions);
+        const dbQuery = getDBQuery({
+            table: collection,
+            fieldNodes,
+            o2mNodes,
+            query,
+            cases,
+            permissions,
+        }, { schema, knex });
         const rawItems = await dbQuery;
         if (!rawItems)
             return null;

package/dist/database/run-ast/utils/apply-case-when.js

@@ -16,7 +16,7 @@ export function applyCaseWhen({ columnCases, table, aliasMap, cases, column, ali
             sqlParts.push(val);
         }
     }
-    const sql = sqlParts.join(' ');
+    const sql = sqlParts.length > 0 ? sqlParts.join(' ') : '1';
     const bindings = [...caseQuery.toSQL().bindings, column];
     let rawCase = `(CASE WHEN ${sql} THEN ?? END)`;
     if (alias) {

package/dist/database/run-ast/utils/get-column-pre-processor.d.ts

@@ -6,5 +6,5 @@ interface NodePreProcessOptions {
     /** Don't assign an alias to the column but instead return the column as is */
     noAlias?: boolean;
 }
-export declare function getColumnPreprocessor(knex: Knex, schema: SchemaOverview, table: string, cases: Filter[], permissions: Permission[], aliasMap: AliasMap): (fieldNode: FieldNode | FunctionFieldNode | M2ONode, options?: NodePreProcessOptions) => Knex.Raw<string>;
+export declare function getColumnPreprocessor(knex: Knex, schema: SchemaOverview, table: string, cases: Filter[], permissions: Permission[], aliasMap: AliasMap, permissionsOnly?: boolean): (fieldNode: FieldNode | FunctionFieldNode | M2ONode, options?: NodePreProcessOptions) => Knex.Raw<string>;
 export {};

package/dist/database/run-ast/utils/get-column-pre-processor.js

@@ -4,7 +4,7 @@ import { parseFilterKey } from '../../../utils/parse-filter-key.js';
 import { getHelpers } from '../../helpers/index.js';
 import { applyCaseWhen } from './apply-case-when.js';
 import { getNodeAlias } from './get-field-alias.js';
-export function getColumnPreprocessor(knex, schema, table, cases, permissions, aliasMap) {
+export function getColumnPreprocessor(knex, schema, table, cases, permissions, aliasMap, permissionsOnly) {
     const helpers = getHelpers(knex);
     return function (fieldNode, options) {
         // Don't assign an alias to the column expression if the field has a whenCase
@@ -22,7 +22,15 @@ export function getColumnPreprocessor(knex, schema, table, cases, permissions, a
             field = schema.collections[fieldNode.relation.collection].fields[fieldNode.relation.field];
         }
         let column;
-        if (field?.type?.startsWith('geometry')) {
+        if (permissionsOnly) {
+            if (noAlias) {
+                column = knex.raw(1);
+            }
+            else {
+                column = knex.raw('1 as ??', [alias]);
+            }
+        }
+        else if (field?.type?.startsWith('geometry')) {
             column = helpers.st.asText(table, field.field, rawColumnAlias);
         }
         else if (fieldNode.type === 'functionField') {

package/dist/permissions/lib/fetch-permissions.d.ts

@@ -4,7 +4,7 @@ export interface FetchPermissionsOptions {
     action?: PermissionsAction;
     policies: string[];
     collections?: string[];
-    accountability?: Pick<Accountability, 'user' | 'role' | 'roles' | 'app'>;
+    accountability?: Pick<Accountability, 'user' | 'role' | 'roles' | 'app' | 'share' | 'ip'>;
     bypassDynamicVariableProcessing?: boolean;
 }
 export declare function fetchPermissions(options: FetchPermissionsOptions, context: Context): Promise<{

package/dist/permissions/lib/fetch-permissions.js

@@ -1,6 +1,7 @@
 import { fetchDynamicVariableContext } from '../utils/fetch-dynamic-variable-context.js';
 import { fetchRawPermissions } from '../utils/fetch-raw-permissions.js';
 import { processPermissions } from '../utils/process-permissions.js';
+import { getPermissionsForShare } from '../utils/get-permissions-for-share.js';
 export async function fetchPermissions(options, context) {
     const permissions = await fetchRawPermissions({ ...options, bypassMinimalAppPermissions: options.bypassDynamicVariableProcessing ?? false }, context);
     if (options.accountability && !options.bypassDynamicVariableProcessing) {
@@ -15,7 +16,9 @@ export async function fetchPermissions(options, context) {
             accountability: options.accountability,
             permissionsContext,
         });
-        // TODO merge in permissions coming from the share scope
+        if (options.accountability.share && (options.action === undefined || options.action === 'read')) {
+            return await getPermissionsForShare(options.accountability, options.collections, context);
+        }
         return processedPermissions;
     }
     return permissions;

package/dist/permissions/modules/validate-access/lib/validate-item-access.d.ts

@@ -5,5 +5,6 @@ export interface ValidateItemAccessOptions {
     action: PermissionsAction;
     collection: string;
     primaryKeys: PrimaryKey[];
+    fields?: string[];
 }
-export declare function validateItemAccess(options: ValidateItemAccessOptions, context: Context): Promise<boolean>;
+export declare function validateItemAccess(options: ValidateItemAccessOptions, context: Context): Promise<any>;

package/dist/permissions/modules/validate-access/lib/validate-item-access.js

@@ -1,5 +1,4 @@
-import { getAstFromQuery } from '../../../../database/get-ast-from-query/get-ast-from-query.js';
-import { runAst } from '../../../../database/run-ast/run-ast.js';
+import { fetchPermittedAstRootFields } from '../../../../database/run-ast/modules/fetch-permitted-ast-root-fields.js';
 import { processAst } from '../../process-ast/process-ast.js';
 export async function validateItemAccess(options, context) {
     const primaryKeyField = context.schema.collections[options.collection]?.primary;
@@ -8,17 +7,14 @@ export async function validateItemAccess(options, context) {
     }
     // When we're looking up access to specific items, we have to read them from the database to
     // make sure you are allowed to access them.
-    const query = {
-        // We don't actually need any of the field data, just want to know if we can read the item as
-        // whole or not
-        fields: [],
-        limit: options.primaryKeys.length,
+    const ast = {
+        type: 'root',
+        name: options.collection,
+        query: { limit: options.primaryKeys.length },
+        // Act as if every field was a "normal" field
+        children: options.fields?.map((field) => ({ type: 'field', name: field, fieldKey: field, whenCase: [] })) ?? [],
+        cases: [],
     };
-    const ast = await getAstFromQuery({
-        accountability: options.accountability,
-        query,
-        collection: options.collection,
-    }, context);
     await processAst({ ast, ...options }, context);
     // Inject the filter after the permissions have been processed, as to not require access to the primary key
     ast.query.filter = {
@@ -26,8 +22,17 @@ export async function validateItemAccess(options, context) {
             _in: options.primaryKeys,
         },
     };
-    const items = await runAst(ast, context.schema, options.accountability, { knex: context.knex });
+    const items = await fetchPermittedAstRootFields(ast, {
+        schema: context.schema,
+        accountability: options.accountability,
+        knex: context.knex,
+        action: options.action,
+    });
     if (items && items.length === options.primaryKeys.length) {
+        const { fields } = options;
+        if (fields) {
+            return items.every((item) => fields.every((field) => item[field] === 1));
+        }
         return true;
     }
     return false;

package/dist/permissions/modules/validate-access/validate-access.d.ts

@@ -5,6 +5,7 @@ export interface ValidateAccessOptions {
     action: PermissionsAction;
     collection: string;
     primaryKeys?: PrimaryKey[];
+    fields?: string[];
 }
 /**
  * Validate if the current user has access to perform action against the given collection and

package/dist/permissions/modules/validate-access/validate-access.js

@@ -7,6 +7,12 @@ import { validateItemAccess } from './lib/validate-item-access.js';
  * control rules and checking if we got the expected result back
  */
 export async function validateAccess(options, context) {
+    // Skip further validation if the collection does not exist
+    if (options.collection in context.schema.collections === false) {
+        throw new ForbiddenError({
+            reason: `You don't have permission to "${options.action}" from collection "${options.collection}" or it does not exist.`,
+        });
+    }
     if (options.accountability.admin === true) {
         return;
     }
@@ -21,8 +27,15 @@ export async function validateAccess(options, context) {
         access = await validateCollectionAccess(options, context);
     }
     if (!access) {
+        if (options.fields?.length ?? 0 > 0) {
+            throw new ForbiddenError({
+                reason: `You don't have permissions to perform "${options.action}" for the field(s) ${options
+                    .fields.map((field) => `"${field}"`)
+                    .join(', ')} in collection "${options.collection}" or it does not exist.`,
+            });
+        }
         throw new ForbiddenError({
-            reason: `You don't have permission to "${options.action}" from collection "${options.collection}" or it does not exist.`,
+            reason: `You don't have permission to perform "${options.action}" for collection "${options.collection}" or it does not exist.`,
         });
     }
 }

package/dist/permissions/utils/fetch-share-info.d.ts

@@ -0,0 +1,12 @@
+import type { AbstractServiceOptions } from '../../types/services.js';
+export interface ShareInfo {
+    collection: string;
+    item: string;
+    role: string | null;
+    user_created: {
+        id: string;
+        role: string;
+    };
+}
+export declare const fetchShareInfo: typeof _fetchShareInfo;
+export declare function _fetchShareInfo(shareId: string, context: AbstractServiceOptions): Promise<ShareInfo>;

package/dist/permissions/utils/fetch-share-info.js

@@ -0,0 +1,9 @@
+import { withCache } from './with-cache.js';
+export const fetchShareInfo = withCache('share-info', _fetchShareInfo);
+export async function _fetchShareInfo(shareId, context) {
+    const { SharesService } = await import('../../services/shares.js');
+    const sharesService = new SharesService(context);
+    return (await sharesService.readOne(shareId, {
+        fields: ['collection', 'item', 'role', 'user_created.id', 'user_created.role'],
+    }));
+}

package/dist/permissions/utils/get-permissions-for-share.d.ts

@@ -0,0 +1,4 @@
+import type { Accountability, Permission, SchemaOverview } from '@directus/types';
+import type { Context } from '../types.js';
+export declare function getPermissionsForShare(accountability: Pick<Accountability, 'share' | 'ip'>, collections: string[] | undefined, context: Context): Promise<Permission[]>;
+export declare function traverse(schema: SchemaOverview, rootItemPrimaryKeyField: string, rootItemPrimaryKey: string, currentCollection: string, parentCollections?: string[], path?: string[]): Partial<Permission>[];

package/dist/permissions/utils/get-permissions-for-share.js

@@ -0,0 +1,182 @@
+import { schemaPermissions } from '@directus/system-data';
+import { set, uniq } from 'lodash-es';
+import { fetchAllowedFieldMap } from '../modules/fetch-allowed-field-map/fetch-allowed-field-map.js';
+import { fetchShareInfo } from './fetch-share-info.js';
+import { mergePermissions } from './merge-permissions.js';
+import { fetchPermissions } from '../lib/fetch-permissions.js';
+import { fetchPolicies } from '../lib/fetch-policies.js';
+import { fetchRolesTree } from '../lib/fetch-roles-tree.js';
+import { reduceSchema } from '../../utils/reduce-schema.js';
+import { fetchGlobalAccess } from '../modules/fetch-global-access/fetch-global-access.js';
+export async function getPermissionsForShare(accountability, collections, context) {
+    const defaults = {
+        action: 'read',
+        collection: '',
+        permissions: {},
+        policy: null,
+        validation: null,
+        presets: null,
+        fields: null,
+    };
+    const { collection, item, role, user_created } = await fetchShareInfo(accountability.share, context);
+    const userAccountability = {
+        user: user_created.id,
+        role: user_created.role,
+        roles: await fetchRolesTree(user_created.role, context.knex),
+        admin: false,
+        app: false,
+        ip: accountability.ip,
+    };
+    // Fallback to public accountability so merging later on has no issues
+    const shareAccountability = {
+        user: null,
+        role: role,
+        roles: await fetchRolesTree(role, context.knex),
+        admin: false,
+        app: false,
+        ip: accountability.ip,
+    };
+    const [{ admin: shareIsAdmin }, { admin: userIsAdmin }, userPermissions, sharePermissions, shareFieldMap, userFieldMap,] = await Promise.all([
+        fetchGlobalAccess(shareAccountability, context.knex),
+        fetchGlobalAccess(userAccountability, context.knex),
+        getPermissionsForAccountability(userAccountability, context),
+        getPermissionsForAccountability(shareAccountability, context),
+        fetchAllowedFieldMap({
+            accountability: shareAccountability,
+            action: 'read',
+        }, context),
+        fetchAllowedFieldMap({
+            accountability: userAccountability,
+            action: 'read',
+        }, context),
+    ]);
+    const isAdmin = userIsAdmin && shareIsAdmin;
+    let permissions = [];
+    let reducedSchema;
+    if (isAdmin) {
+        defaults.fields = ['*'];
+        reducedSchema = context.schema;
+    }
+    else if (userIsAdmin && !shareIsAdmin) {
+        permissions = sharePermissions;
+        reducedSchema = reduceSchema(context.schema, shareFieldMap);
+    }
+    else if (shareIsAdmin && !userIsAdmin) {
+        permissions = userPermissions;
+        reducedSchema = reduceSchema(context.schema, userFieldMap);
+    }
+    else {
+        permissions = mergePermissions('intersection', sharePermissions, userPermissions);
+        reducedSchema = reduceSchema(context.schema, shareFieldMap);
+        reducedSchema = reduceSchema(reducedSchema, userFieldMap);
+    }
+    const parentPrimaryKeyField = context.schema.collections[collection].primary;
+    const relationalPermissions = traverse(reducedSchema, parentPrimaryKeyField, item, collection);
+    const parentCollectionPermission = {
+        ...defaults,
+        collection,
+        permissions: {
+            [parentPrimaryKeyField]: {
+                _eq: item,
+            },
+        },
+    };
+    // All permissions that will be merged into the original permissions set
+    const allGeneratedPermissions = [
+        parentCollectionPermission,
+        ...relationalPermissions.map((generated) => ({ ...defaults, ...generated })),
+        ...schemaPermissions,
+    ];
+    // All the collections that are touched through the relational tree from the current root collection, and the schema collections
+    const allowedCollections = uniq(allGeneratedPermissions.map(({ collection }) => collection));
+    const generatedPermissions = [];
+    // Merge all the permissions that relate to the same collection with an _or (this allows you to properly retrieve)
+    // the items of a collection if you entered that collection from multiple angles
+    for (const collection of allowedCollections) {
+        const permissionsForCollection = allGeneratedPermissions.filter((permission) => permission.collection === collection);
+        if (permissionsForCollection.length > 0) {
+            generatedPermissions.push(...mergePermissions('or', permissionsForCollection));
+        }
+        else {
+            generatedPermissions.push(...permissionsForCollection);
+        }
+    }
+    if (isAdmin) {
+        return filterCollections(collections, generatedPermissions);
+    }
+    // Explicitly filter out permissions to collections unrelated to the root parent item.
+    const limitedPermissions = permissions.filter(({ action, collection }) => allowedCollections.includes(collection) && action === 'read');
+    return filterCollections(collections, mergePermissions('and', limitedPermissions, generatedPermissions));
+}
+function filterCollections(collections, permissions) {
+    if (!collections) {
+        return permissions;
+    }
+    return permissions.filter(({ collection }) => collections.includes(collection));
+}
+async function getPermissionsForAccountability(accountability, context) {
+    const policies = await fetchPolicies(accountability, context);
+    return fetchPermissions({
+        policies,
+        accountability,
+    }, context);
+}
+export function traverse(schema, rootItemPrimaryKeyField, rootItemPrimaryKey, currentCollection, parentCollections = [], path = []) {
+    const permissions = [];
+    // If there's already a permissions rule for the collection we're currently checking, we'll shortcircuit.
+    // This prevents infinite loop in recursive relationships, like articles->related_articles->articles, or
+    // articles.author->users.avatar->files.created_by->users.avatar->files.created_by->🔁
+    if (parentCollections.includes(currentCollection)) {
+        return permissions;
+    }
+    const relationsInCollection = schema.relations.filter((relation) => {
+        return relation.collection === currentCollection || relation.related_collection === currentCollection;
+    });
+    for (const relation of relationsInCollection) {
+        let type;
+        if (relation.related_collection === currentCollection) {
+            type = 'o2m';
+        }
+        else if (!relation.related_collection) {
+            type = 'a2o';
+        }
+        else {
+            type = 'm2o';
+        }
+        if (type === 'o2m') {
+            permissions.push({
+                collection: relation.collection,
+                permissions: getFilterForPath(type, [...path, relation.field], rootItemPrimaryKeyField, rootItemPrimaryKey),
+            });
+            permissions.push(...traverse(schema, rootItemPrimaryKeyField, rootItemPrimaryKey, relation.collection, [...parentCollections, currentCollection], [...path, relation.field]));
+        }
+        if (type === 'a2o' && relation.meta?.one_allowed_collections) {
+            for (const collection of relation.meta.one_allowed_collections) {
+                permissions.push({
+                    collection,
+                    permissions: getFilterForPath(type, [...path, `$FOLLOW(${relation.collection},${relation.field},${relation.meta.one_collection_field})`], rootItemPrimaryKeyField, rootItemPrimaryKey),
+                });
+            }
+        }
+        if (type === 'm2o') {
+            permissions.push({
+                collection: relation.related_collection,
+                permissions: getFilterForPath(type, [...path, `$FOLLOW(${relation.collection},${relation.field})`], rootItemPrimaryKeyField, rootItemPrimaryKey),
+            });
+            if (relation.meta?.one_field) {
+                permissions.push(...traverse(schema, rootItemPrimaryKeyField, rootItemPrimaryKey, relation.related_collection, [...parentCollections, currentCollection], [...path, relation.meta?.one_field]));
+            }
+        }
+    }
+    return permissions;
+}
+function getFilterForPath(type, path, rootPrimaryKeyField, rootPrimaryKey) {
+    const filter = {};
+    if (type === 'm2o' || type === 'a2o') {
+        set(filter, path.reverse(), { [rootPrimaryKeyField]: { _eq: rootPrimaryKey } });
+    }
+    else {
+        set(filter, path.reverse(), { _eq: rootPrimaryKey });
+    }
+    return filter;
+}

package/dist/permissions/utils/merge-permissions.d.ts

@@ -0,0 +1,9 @@
+import type { Permission } from '@directus/types';
+/**
+ * Merges multiple permission lists into a flat list of unique permissions.
+ * @param strategy `and` or `or` deduplicate permissions while `intersection` makes sure only common permissions across all lists are kept and overlapping permissions are merged through `and`.
+ * @param permissions List of permission lists to merge.
+ * @returns A flat list of unique permissions.
+ */
+export declare function mergePermissions(strategy: 'and' | 'or' | 'intersection', ...permissions: Permission[][]): Permission[];
+export declare function mergePermission(strategy: 'and' | 'or', currentPerm: Permission, newPerm: Permission): Omit<Permission, 'id' | 'system'>;