@directus/api 23.1.0 → 23.1.2

package/dist/controllers/permissions.js

@@ -72,7 +72,7 @@ const readHandler = asyncHandler(async (req, res, next) => {
 router.get('/', validateBatch('read'), readHandler, respond);
 router.search('/', validateBatch('read'), readHandler, respond);
 router.get('/me', asyncHandler(async (req, res, next) => {
-    if (!req.accountability?.user && !req.accountability?.role)
+    if (!req.accountability?.user && !req.accountability?.role && !req.accountability?.share)
         throw new ForbiddenError();
     const result = await fetchAccountabilityCollectionAccess(req.accountability, {
         schema: req.schema,

package/dist/controllers/users.js

@@ -62,16 +62,12 @@ const readHandler = asyncHandler(async (req, res, next) => {
 router.get('/', validateBatch('read'), readHandler, respond);
 router.search('/', validateBatch('read'), readHandler, respond);
 router.get('/me', asyncHandler(async (req, res, next) => {
-    if (req.accountability?.share_scope) {
-        const user = {
-            share: req.accountability?.share,
-            role: {
-                id: req.accountability.role,
-                admin_access: false,
-                app_access: false,
+    if (req.accountability?.share) {
+        res.locals['payload'] = {
+            data: {
+                share: req.accountability?.share,
             },
         };
-        res.locals['payload'] = { data: user };
         return next();
     }
     if (!req.accountability?.user) {

package/dist/database/helpers/schema/dialects/cockroachdb.d.ts

@@ -7,5 +7,5 @@ export declare class SchemaHelperCockroachDb extends SchemaHelper {
     constraintName(existingName: string): string;
     getDatabaseSize(): Promise<number | null>;
     preprocessBindings(queryParams: Sql): Sql;
-    addInnerSortFieldsToGroupBy(groupByFields: (string | Knex.Raw)[], sortRecords: SortRecord[], hasMultiRelationalSort: boolean): void;
+    addInnerSortFieldsToGroupBy(groupByFields: (string | Knex.Raw)[], sortRecords: SortRecord[], hasRelationalSort: boolean): void;
 }

package/dist/database/helpers/schema/dialects/cockroachdb.js

@@ -32,8 +32,8 @@ export class SchemaHelperCockroachDb extends SchemaHelper {
     preprocessBindings(queryParams) {
         return preprocessBindings(queryParams, { format: (index) => `$${index + 1}` });
     }
-    addInnerSortFieldsToGroupBy(groupByFields, sortRecords, hasMultiRelationalSort) {
-        if (hasMultiRelationalSort) {
+    addInnerSortFieldsToGroupBy(groupByFields, sortRecords, hasRelationalSort) {
+        if (hasRelationalSort) {
             /*
             Cockroach allows aliases to be used in the GROUP BY clause and only needs columns in the GROUP BY clause that
             are not functionally dependent on the primary key.

package/dist/database/helpers/schema/dialects/mssql.d.ts

@@ -6,5 +6,5 @@ export declare class SchemaHelperMSSQL extends SchemaHelper {
     formatUUID(uuid: string): string;
     getDatabaseSize(): Promise<number | null>;
     preprocessBindings(queryParams: Sql): Sql;
-    addInnerSortFieldsToGroupBy(groupByFields: (string | Knex.Raw)[], sortRecords: SortRecord[], _hasMultiRelationalSort: boolean): void;
+    addInnerSortFieldsToGroupBy(groupByFields: (string | Knex.Raw)[], sortRecords: SortRecord[], _hasRelationalSort: boolean): void;
 }

package/dist/database/helpers/schema/dialects/mssql.js

@@ -30,7 +30,7 @@ export class SchemaHelperMSSQL extends SchemaHelper {
     preprocessBindings(queryParams) {
         return preprocessBindings(queryParams, { format: (index) => `@p${index}` });
     }
-    addInnerSortFieldsToGroupBy(groupByFields, sortRecords, _hasMultiRelationalSort) {
+    addInnerSortFieldsToGroupBy(groupByFields, sortRecords, _hasRelationalSort) {
         /*
         MSSQL requires all selected columns that are not aggregated over are to be present in the GROUP BY clause
 

package/dist/database/helpers/schema/dialects/mysql.d.ts

@@ -3,5 +3,5 @@ import { SchemaHelper, type SortRecord } from '../types.js';
 export declare class SchemaHelperMySQL extends SchemaHelper {
     applyMultiRelationalSort(knex: Knex, dbQuery: Knex.QueryBuilder, table: string, primaryKey: string, orderByString: string, orderByFields: Knex.Raw[]): Knex.QueryBuilder;
     getDatabaseSize(): Promise<number | null>;
-    addInnerSortFieldsToGroupBy(groupByFields: (string | Knex.Raw)[], sortRecords: SortRecord[], hasMultiRelationalSort: boolean): void;
+    addInnerSortFieldsToGroupBy(groupByFields: (string | Knex.Raw)[], sortRecords: SortRecord[], hasRelationalSort: boolean): void;
 }

package/dist/database/helpers/schema/dialects/mysql.js

@@ -28,8 +28,8 @@ export class SchemaHelperMySQL extends SchemaHelper {
             return null;
         }
     }
-    addInnerSortFieldsToGroupBy(groupByFields, sortRecords, hasMultiRelationalSort) {
-        if (hasMultiRelationalSort) {
+    addInnerSortFieldsToGroupBy(groupByFields, sortRecords, hasRelationalSort) {
+        if (hasRelationalSort) {
             /*
             ** MySQL **
 

package/dist/database/helpers/schema/dialects/oracle.d.ts

@@ -10,5 +10,5 @@ export declare class SchemaHelperOracle extends SchemaHelper {
     processFieldType(field: Field): Type;
     getDatabaseSize(): Promise<number | null>;
     preprocessBindings(queryParams: Sql): Sql;
-    addInnerSortFieldsToGroupBy(groupByFields: (string | Knex.Raw)[], sortRecords: SortRecord[], _hasMultiRelationalSort: boolean): void;
+    addInnerSortFieldsToGroupBy(groupByFields: (string | Knex.Raw)[], sortRecords: SortRecord[], _hasRelationalSort: boolean): void;
 }

package/dist/database/helpers/schema/dialects/oracle.js

@@ -42,7 +42,7 @@ export class SchemaHelperOracle extends SchemaHelper {
     preprocessBindings(queryParams) {
         return preprocessBindings(queryParams, { format: (index) => `:${index + 1}` });
     }
-    addInnerSortFieldsToGroupBy(groupByFields, sortRecords, _hasMultiRelationalSort) {
+    addInnerSortFieldsToGroupBy(groupByFields, sortRecords, _hasRelationalSort) {
         /*
         Oracle requires all selected columns that are not aggregated over to be present in the GROUP BY clause
         aliases can not be used before version 23c.

package/dist/database/helpers/schema/dialects/postgres.d.ts

@@ -3,5 +3,5 @@ import { SchemaHelper, type SortRecord, type Sql } from '../types.js';
 export declare class SchemaHelperPostgres extends SchemaHelper {
     getDatabaseSize(): Promise<number | null>;
     preprocessBindings(queryParams: Sql): Sql;
-    addInnerSortFieldsToGroupBy(groupByFields: (string | Knex.Raw)[], sortRecords: SortRecord[], hasMultiRelationalSort: boolean): void;
+    addInnerSortFieldsToGroupBy(groupByFields: (string | Knex.Raw)[], sortRecords: SortRecord[], hasRelationalSort: boolean): void;
 }

package/dist/database/helpers/schema/dialects/postgres.js

@@ -15,12 +15,12 @@ export class SchemaHelperPostgres extends SchemaHelper {
     preprocessBindings(queryParams) {
         return preprocessBindings(queryParams, { format: (index) => `$${index + 1}` });
     }
-    addInnerSortFieldsToGroupBy(groupByFields, sortRecords, hasMultiRelationalSort) {
-        if (hasMultiRelationalSort) {
+    addInnerSortFieldsToGroupBy(groupByFields, sortRecords, hasRelationalSort) {
+        if (hasRelationalSort) {
             /*
             Postgres only requires selected columns that are not functionally dependent on the primary key to be
             included in the GROUP BY clause. Since the results are already grouped by the primary key, we don't need to
-            always include the sort columns in the GROUP BY but only if there is a multi relational sort involved, eg.
+            always include the sort columns in the GROUP BY but only if there is a relational sort involved, eg.
             a sort column that comes from a related M2O relation.
 
             > When GROUP BY is present, or any aggregate functions are present, it is not valid for the SELECT list

package/dist/database/helpers/schema/types.d.ts

@@ -36,5 +36,5 @@ export declare abstract class SchemaHelper extends DatabaseHelper {
      */
     getDatabaseSize(): Promise<number | null>;
     preprocessBindings(queryParams: Sql): Sql;
-    addInnerSortFieldsToGroupBy(_groupByFields: (string | Knex.Raw)[], _sortRecords: SortRecord[], _hasMultiRelationalSort: boolean): void;
+    addInnerSortFieldsToGroupBy(_groupByFields: (string | Knex.Raw)[], _sortRecords: SortRecord[], _hasRelationalSort: boolean): void;
 }

package/dist/database/helpers/schema/types.js

@@ -97,7 +97,7 @@ export class SchemaHelper extends DatabaseHelper {
     preprocessBindings(queryParams) {
         return queryParams;
     }
-    addInnerSortFieldsToGroupBy(_groupByFields, _sortRecords, _hasMultiRelationalSort) {
+    addInnerSortFieldsToGroupBy(_groupByFields, _sortRecords, _hasRelationalSort) {
         // no-op by default
     }
 }

package/dist/database/migrations/20240806A-permissions-policies.d.ts

@@ -1,6 +1,3 @@
 import type { Knex } from 'knex';
-import type { Permission } from '@directus/types';
-export declare function mergePermissions(strategy: 'and' | 'or', ...permissions: Permission[][]): any[];
-export declare function mergePermission(strategy: 'and' | 'or', currentPerm: Permission, newPerm: Permission): Omit<Permission, 'id' | 'system'>;
 export declare function up(knex: Knex): Promise<void>;
 export declare function down(knex: Knex): Promise<void>;

package/dist/database/migrations/20240806A-permissions-policies.js

@@ -1,5 +1,5 @@
 import { processChunk, toBoolean } from '@directus/utils';
-import { flatten, intersection, isEqual, merge, omit, uniq } from 'lodash-es';
+import { omit } from 'lodash-es';
 import { randomUUID } from 'node:crypto';
 import { useLogger } from '../../logger/index.js';
 import { fetchPermissions } from '../../permissions/lib/fetch-permissions.js';
@@ -7,98 +7,7 @@ import { fetchPolicies } from '../../permissions/lib/fetch-policies.js';
 import { fetchRolesTree } from '../../permissions/lib/fetch-roles-tree.js';
 import { getSchema } from '../../utils/get-schema.js';
 import { getSchemaInspector } from '../index.js';
-// Adapted from https://github.com/directus/directus/blob/141b8adbf4dd8e06530a7929f34e3fc68a522053/api/src/utils/merge-permissions.ts#L4
-export function mergePermissions(strategy, ...permissions) {
-    const allPermissions = flatten(permissions);
-    const mergedPermissions = allPermissions
-        .reduce((acc, val) => {
-        const key = `${val.collection}__${val.action}`;
-        const current = acc.get(key);
-        acc.set(key, current ? mergePermission(strategy, current, val) : val);
-        return acc;
-    }, new Map())
-        .values();
-    return Array.from(mergedPermissions);
-}
-export function mergePermission(strategy, currentPerm, newPerm) {
-    const logicalKey = `_${strategy}`;
-    let { permissions, validation, fields, presets } = currentPerm;
-    if (newPerm.permissions) {
-        if (currentPerm.permissions && Object.keys(currentPerm.permissions)[0] === logicalKey) {
-            permissions = {
-                [logicalKey]: [
-                    ...currentPerm.permissions[logicalKey],
-                    newPerm.permissions,
-                ],
-            };
-        }
-        else if (currentPerm.permissions) {
-            // Empty {} supersedes other permissions in _OR merge
-            if (strategy === 'or' && (isEqual(currentPerm.permissions, {}) || isEqual(newPerm.permissions, {}))) {
-                permissions = {};
-            }
-            else {
-                permissions = {
-                    [logicalKey]: [currentPerm.permissions, newPerm.permissions],
-                };
-            }
-        }
-        else {
-            permissions = {
-                [logicalKey]: [newPerm.permissions],
-            };
-        }
-    }
-    if (newPerm.validation) {
-        if (currentPerm.validation && Object.keys(currentPerm.validation)[0] === logicalKey) {
-            validation = {
-                [logicalKey]: [
-                    ...currentPerm.validation[logicalKey],
-                    newPerm.validation,
-                ],
-            };
-        }
-        else if (currentPerm.validation) {
-            // Empty {} supersedes other validations in _OR merge
-            if (strategy === 'or' && (isEqual(currentPerm.validation, {}) || isEqual(newPerm.validation, {}))) {
-                validation = {};
-            }
-            else {
-                validation = {
-                    [logicalKey]: [currentPerm.validation, newPerm.validation],
-                };
-            }
-        }
-        else {
-            validation = {
-                [logicalKey]: [newPerm.validation],
-            };
-        }
-    }
-    if (newPerm.fields) {
-        if (Array.isArray(currentPerm.fields) && strategy === 'or') {
-            fields = uniq([...currentPerm.fields, ...newPerm.fields]);
-        }
-        else if (Array.isArray(currentPerm.fields) && strategy === 'and') {
-            fields = intersection(currentPerm.fields, newPerm.fields);
-        }
-        else {
-            fields = newPerm.fields;
-        }
-        if (fields.includes('*'))
-            fields = ['*'];
-    }
-    if (newPerm.presets) {
-        presets = merge({}, presets, newPerm.presets);
-    }
-    return omit({
-        ...currentPerm,
-        permissions,
-        validation,
-        fields,
-        presets,
-    }, ['id', 'system']);
-}
+import { mergePermissions } from '../../permissions/utils/merge-permissions.js';
 async function fetchRoleAccess(roles, context) {
     const roleAccess = {
         admin_access: false,
@@ -286,7 +195,12 @@ export async function down(knex) {
             const policies = await fetchPolicies({ roles: roleTree, user: null, ip: null }, context);
             //  fetch all of the policies permissions
             const rawPermissions = await fetchPermissions({
-                accountability: { role: null, roles: roleTree, user: null, app: roleAccess?.app_access || false },
+                accountability: {
+                    role: null,
+                    roles: roleTree,
+                    user: null,
+                    app: roleAccess?.app_access || false,
+                },
                 policies,
                 bypassDynamicVariableProcessing: true,
             }, context);

package/dist/database/run-ast/lib/get-db-query.js

@@ -181,7 +181,7 @@ export function getDBQuery({ table, fieldNodes, o2mNodes, query, cases, permissi
         // Since the fields are expected to be the same for a single primary key it is safe to include them in the
         // group by without influencing the result.
         // This inclusion depends on the DB vendor, as such it is handled in a dialect specific helper.
-        helpers.schema.addInnerSortFieldsToGroupBy(groupByFields, innerQuerySortRecords, hasMultiRelationalSort ?? false);
+        helpers.schema.addInnerSortFieldsToGroupBy(groupByFields, innerQuerySortRecords, (hasMultiRelationalSort || sortRecords?.some(({ column }) => column.includes('.'))) ?? false);
         dbQuery.groupBy(groupByFields);
     }
     const wrapperQuery = knex

package/dist/database/run-ast/utils/apply-case-when.js

@@ -16,7 +16,7 @@ export function applyCaseWhen({ columnCases, table, aliasMap, cases, column, ali
             sqlParts.push(val);
         }
     }
-    const sql = sqlParts.join(' ');
+    const sql = sqlParts.length > 0 ? sqlParts.join(' ') : '1';
     const bindings = [...caseQuery.toSQL().bindings, column];
     let rawCase = `(CASE WHEN ${sql} THEN ?? END)`;
     if (alias) {

package/dist/permissions/lib/fetch-permissions.d.ts

@@ -4,7 +4,7 @@ export interface FetchPermissionsOptions {
     action?: PermissionsAction;
     policies: string[];
     collections?: string[];
-    accountability?: Pick<Accountability, 'user' | 'role' | 'roles' | 'app'>;
+    accountability?: Pick<Accountability, 'user' | 'role' | 'roles' | 'app' | 'share' | 'ip'>;
     bypassDynamicVariableProcessing?: boolean;
 }
 export declare function fetchPermissions(options: FetchPermissionsOptions, context: Context): Promise<{

package/dist/permissions/lib/fetch-permissions.js

@@ -1,6 +1,7 @@
 import { fetchDynamicVariableContext } from '../utils/fetch-dynamic-variable-context.js';
 import { fetchRawPermissions } from '../utils/fetch-raw-permissions.js';
 import { processPermissions } from '../utils/process-permissions.js';
+import { getPermissionsForShare } from '../utils/get-permissions-for-share.js';
 export async function fetchPermissions(options, context) {
     const permissions = await fetchRawPermissions({ ...options, bypassMinimalAppPermissions: options.bypassDynamicVariableProcessing ?? false }, context);
     if (options.accountability && !options.bypassDynamicVariableProcessing) {
@@ -15,7 +16,9 @@ export async function fetchPermissions(options, context) {
             accountability: options.accountability,
             permissionsContext,
         });
-        // TODO merge in permissions coming from the share scope
+        if (options.accountability.share && (options.action === undefined || options.action === 'read')) {
+            return await getPermissionsForShare(options.accountability, options.collections, context);
+        }
         return processedPermissions;
     }
     return permissions;

package/dist/permissions/modules/validate-access/validate-access.d.ts

@@ -6,6 +6,7 @@ export interface ValidateAccessOptions {
     collection: string;
     primaryKeys?: PrimaryKey[];
     fields?: string[];
+    skipCollectionExistsCheck?: boolean;
 }
 /**
  * Validate if the current user has access to perform action against the given collection and

package/dist/permissions/modules/validate-access/validate-access.js

@@ -8,7 +8,7 @@ import { validateItemAccess } from './lib/validate-item-access.js';
  */
 export async function validateAccess(options, context) {
     // Skip further validation if the collection does not exist
-    if (options.collection in context.schema.collections === false) {
+    if (!options.skipCollectionExistsCheck && options.collection in context.schema.collections === false) {
         throw new ForbiddenError({
             reason: `You don't have permission to "${options.action}" from collection "${options.collection}" or it does not exist.`,
         });

package/dist/permissions/utils/fetch-share-info.d.ts

@@ -0,0 +1,12 @@
+import type { AbstractServiceOptions } from '../../types/services.js';
+export interface ShareInfo {
+    collection: string;
+    item: string;
+    role: string | null;
+    user_created: {
+        id: string;
+        role: string;
+    };
+}
+export declare const fetchShareInfo: typeof _fetchShareInfo;
+export declare function _fetchShareInfo(shareId: string, context: AbstractServiceOptions): Promise<ShareInfo>;

package/dist/permissions/utils/fetch-share-info.js

@@ -0,0 +1,9 @@
+import { withCache } from './with-cache.js';
+export const fetchShareInfo = withCache('share-info', _fetchShareInfo);
+export async function _fetchShareInfo(shareId, context) {
+    const { SharesService } = await import('../../services/shares.js');
+    const sharesService = new SharesService(context);
+    return (await sharesService.readOne(shareId, {
+        fields: ['collection', 'item', 'role', 'user_created.id', 'user_created.role'],
+    }));
+}

package/dist/permissions/utils/get-permissions-for-share.d.ts

@@ -0,0 +1,4 @@
+import type { Accountability, Permission, SchemaOverview } from '@directus/types';
+import type { Context } from '../types.js';
+export declare function getPermissionsForShare(accountability: Pick<Accountability, 'share' | 'ip'>, collections: string[] | undefined, context: Context): Promise<Permission[]>;
+export declare function traverse(schema: SchemaOverview, rootItemPrimaryKeyField: string, rootItemPrimaryKey: string, currentCollection: string, parentCollections?: string[], path?: string[]): Partial<Permission>[];

package/dist/permissions/utils/get-permissions-for-share.js

@@ -0,0 +1,182 @@
+import { schemaPermissions } from '@directus/system-data';
+import { set, uniq } from 'lodash-es';
+import { fetchAllowedFieldMap } from '../modules/fetch-allowed-field-map/fetch-allowed-field-map.js';
+import { fetchShareInfo } from './fetch-share-info.js';
+import { mergePermissions } from './merge-permissions.js';
+import { fetchPermissions } from '../lib/fetch-permissions.js';
+import { fetchPolicies } from '../lib/fetch-policies.js';
+import { fetchRolesTree } from '../lib/fetch-roles-tree.js';
+import { reduceSchema } from '../../utils/reduce-schema.js';
+import { fetchGlobalAccess } from '../modules/fetch-global-access/fetch-global-access.js';
+export async function getPermissionsForShare(accountability, collections, context) {
+    const defaults = {
+        action: 'read',
+        collection: '',
+        permissions: {},
+        policy: null,
+        validation: null,
+        presets: null,
+        fields: null,
+    };
+    const { collection, item, role, user_created } = await fetchShareInfo(accountability.share, context);
+    const userAccountability = {
+        user: user_created.id,
+        role: user_created.role,
+        roles: await fetchRolesTree(user_created.role, context.knex),
+        admin: false,
+        app: false,
+        ip: accountability.ip,
+    };
+    // Fallback to public accountability so merging later on has no issues
+    const shareAccountability = {
+        user: null,
+        role: role,
+        roles: await fetchRolesTree(role, context.knex),
+        admin: false,
+        app: false,
+        ip: accountability.ip,
+    };
+    const [{ admin: shareIsAdmin }, { admin: userIsAdmin }, userPermissions, sharePermissions, shareFieldMap, userFieldMap,] = await Promise.all([
+        fetchGlobalAccess(shareAccountability, context.knex),
+        fetchGlobalAccess(userAccountability, context.knex),
+        getPermissionsForAccountability(userAccountability, context),
+        getPermissionsForAccountability(shareAccountability, context),
+        fetchAllowedFieldMap({
+            accountability: shareAccountability,
+            action: 'read',
+        }, context),
+        fetchAllowedFieldMap({
+            accountability: userAccountability,
+            action: 'read',
+        }, context),
+    ]);
+    const isAdmin = userIsAdmin && shareIsAdmin;
+    let permissions = [];
+    let reducedSchema;
+    if (isAdmin) {
+        defaults.fields = ['*'];
+        reducedSchema = context.schema;
+    }
+    else if (userIsAdmin && !shareIsAdmin) {
+        permissions = sharePermissions;
+        reducedSchema = reduceSchema(context.schema, shareFieldMap);
+    }
+    else if (shareIsAdmin && !userIsAdmin) {
+        permissions = userPermissions;
+        reducedSchema = reduceSchema(context.schema, userFieldMap);
+    }
+    else {
+        permissions = mergePermissions('intersection', sharePermissions, userPermissions);
+        reducedSchema = reduceSchema(context.schema, shareFieldMap);
+        reducedSchema = reduceSchema(reducedSchema, userFieldMap);
+    }
+    const parentPrimaryKeyField = context.schema.collections[collection].primary;
+    const relationalPermissions = traverse(reducedSchema, parentPrimaryKeyField, item, collection);
+    const parentCollectionPermission = {
+        ...defaults,
+        collection,
+        permissions: {
+            [parentPrimaryKeyField]: {
+                _eq: item,
+            },
+        },
+    };
+    // All permissions that will be merged into the original permissions set
+    const allGeneratedPermissions = [
+        parentCollectionPermission,
+        ...relationalPermissions.map((generated) => ({ ...defaults, ...generated })),
+        ...schemaPermissions,
+    ];
+    // All the collections that are touched through the relational tree from the current root collection, and the schema collections
+    const allowedCollections = uniq(allGeneratedPermissions.map(({ collection }) => collection));
+    const generatedPermissions = [];
+    // Merge all the permissions that relate to the same collection with an _or (this allows you to properly retrieve)
+    // the items of a collection if you entered that collection from multiple angles
+    for (const collection of allowedCollections) {
+        const permissionsForCollection = allGeneratedPermissions.filter((permission) => permission.collection === collection);
+        if (permissionsForCollection.length > 0) {
+            generatedPermissions.push(...mergePermissions('or', permissionsForCollection));
+        }
+        else {
+            generatedPermissions.push(...permissionsForCollection);
+        }
+    }
+    if (isAdmin) {
+        return filterCollections(collections, generatedPermissions);
+    }
+    // Explicitly filter out permissions to collections unrelated to the root parent item.
+    const limitedPermissions = permissions.filter(({ action, collection }) => allowedCollections.includes(collection) && action === 'read');
+    return filterCollections(collections, mergePermissions('and', limitedPermissions, generatedPermissions));
+}
+function filterCollections(collections, permissions) {
+    if (!collections) {
+        return permissions;
+    }
+    return permissions.filter(({ collection }) => collections.includes(collection));
+}
+async function getPermissionsForAccountability(accountability, context) {
+    const policies = await fetchPolicies(accountability, context);
+    return fetchPermissions({
+        policies,
+        accountability,
+    }, context);
+}
+export function traverse(schema, rootItemPrimaryKeyField, rootItemPrimaryKey, currentCollection, parentCollections = [], path = []) {
+    const permissions = [];
+    // If there's already a permissions rule for the collection we're currently checking, we'll shortcircuit.
+    // This prevents infinite loop in recursive relationships, like articles->related_articles->articles, or
+    // articles.author->users.avatar->files.created_by->users.avatar->files.created_by->🔁
+    if (parentCollections.includes(currentCollection)) {
+        return permissions;
+    }
+    const relationsInCollection = schema.relations.filter((relation) => {
+        return relation.collection === currentCollection || relation.related_collection === currentCollection;
+    });
+    for (const relation of relationsInCollection) {
+        let type;
+        if (relation.related_collection === currentCollection) {
+            type = 'o2m';
+        }
+        else if (!relation.related_collection) {
+            type = 'a2o';
+        }
+        else {
+            type = 'm2o';
+        }
+        if (type === 'o2m') {
+            permissions.push({
+                collection: relation.collection,
+                permissions: getFilterForPath(type, [...path, relation.field], rootItemPrimaryKeyField, rootItemPrimaryKey),
+            });
+            permissions.push(...traverse(schema, rootItemPrimaryKeyField, rootItemPrimaryKey, relation.collection, [...parentCollections, currentCollection], [...path, relation.field]));
+        }
+        if (type === 'a2o' && relation.meta?.one_allowed_collections) {
+            for (const collection of relation.meta.one_allowed_collections) {
+                permissions.push({
+                    collection,
+                    permissions: getFilterForPath(type, [...path, `$FOLLOW(${relation.collection},${relation.field},${relation.meta.one_collection_field})`], rootItemPrimaryKeyField, rootItemPrimaryKey),
+                });
+            }
+        }
+        if (type === 'm2o') {
+            permissions.push({
+                collection: relation.related_collection,
+                permissions: getFilterForPath(type, [...path, `$FOLLOW(${relation.collection},${relation.field})`], rootItemPrimaryKeyField, rootItemPrimaryKey),
+            });
+            if (relation.meta?.one_field) {
+                permissions.push(...traverse(schema, rootItemPrimaryKeyField, rootItemPrimaryKey, relation.related_collection, [...parentCollections, currentCollection], [...path, relation.meta?.one_field]));
+            }
+        }
+    }
+    return permissions;
+}
+function getFilterForPath(type, path, rootPrimaryKeyField, rootPrimaryKey) {
+    const filter = {};
+    if (type === 'm2o' || type === 'a2o') {
+        set(filter, path.reverse(), { [rootPrimaryKeyField]: { _eq: rootPrimaryKey } });
+    }
+    else {
+        set(filter, path.reverse(), { _eq: rootPrimaryKey });
+    }
+    return filter;
+}

package/dist/permissions/utils/merge-permissions.d.ts

@@ -0,0 +1,9 @@
+import type { Permission } from '@directus/types';
+/**
+ * Merges multiple permission lists into a flat list of unique permissions.
+ * @param strategy `and` or `or` deduplicate permissions while `intersection` makes sure only common permissions across all lists are kept and overlapping permissions are merged through `and`.
+ * @param permissions List of permission lists to merge.
+ * @returns A flat list of unique permissions.
+ */
+export declare function mergePermissions(strategy: 'and' | 'or' | 'intersection', ...permissions: Permission[][]): Permission[];
+export declare function mergePermission(strategy: 'and' | 'or', currentPerm: Permission, newPerm: Permission): Omit<Permission, 'id' | 'system'>;

package/dist/permissions/utils/merge-permissions.js

@@ -0,0 +1,118 @@
+import { flatten, intersection, isEqual, merge, omit, uniq } from 'lodash-es';
+// Adapted from https://github.com/directus/directus/blob/141b8adbf4dd8e06530a7929f34e3fc68a522053/api/src/utils/merge-permissions.ts#L4
+/**
+ * Merges multiple permission lists into a flat list of unique permissions.
+ * @param strategy `and` or `or` deduplicate permissions while `intersection` makes sure only common permissions across all lists are kept and overlapping permissions are merged through `and`.
+ * @param permissions List of permission lists to merge.
+ * @returns A flat list of unique permissions.
+ */
+export function mergePermissions(strategy, ...permissions) {
+    let allPermissions;
+    // Only keep permissions that are common to all lists
+    if (strategy === 'intersection') {
+        const permissionKeys = permissions.map((permissions) => {
+            return new Set(permissions.map((permission) => `${permission.collection}__${permission.action}`));
+        });
+        const intersectionKeys = permissionKeys.reduce((acc, val) => {
+            return new Set([...acc].filter((x) => val.has(x)));
+        }, permissionKeys[0]);
+        const deduplicateSubpermissions = permissions.map((permissions) => {
+            return mergePermissions('or', permissions);
+        });
+        allPermissions = flatten(deduplicateSubpermissions).filter((permission) => {
+            return intersectionKeys.has(`${permission.collection}__${permission.action}`);
+        });
+        strategy = 'and';
+    }
+    else {
+        allPermissions = flatten(permissions);
+    }
+    const mergedPermissions = allPermissions
+        .reduce((acc, val) => {
+        const key = `${val.collection}__${val.action}`;
+        const current = acc.get(key);
+        acc.set(key, current ? mergePermission(strategy, current, val) : val);
+        return acc;
+    }, new Map())
+        .values();
+    return Array.from(mergedPermissions);
+}
+export function mergePermission(strategy, currentPerm, newPerm) {
+    const logicalKey = `_${strategy}`;
+    let { permissions, validation, fields, presets } = currentPerm;
+    if (newPerm.permissions) {
+        if (currentPerm.permissions && Object.keys(currentPerm.permissions)[0] === logicalKey) {
+            permissions = {
+                [logicalKey]: [
+                    ...currentPerm.permissions[logicalKey],
+                    newPerm.permissions,
+                ],
+            };
+        }
+        else if (currentPerm.permissions) {
+            // Empty {} supersedes other permissions in _OR merge
+            if (strategy === 'or' && (isEqual(currentPerm.permissions, {}) || isEqual(newPerm.permissions, {}))) {
+                permissions = {};
+            }
+            else {
+                permissions = {
+                    [logicalKey]: [currentPerm.permissions, newPerm.permissions],
+                };
+            }
+        }
+        else {
+            permissions = {
+                [logicalKey]: [newPerm.permissions],
+            };
+        }
+    }
+    if (newPerm.validation) {
+        if (currentPerm.validation && Object.keys(currentPerm.validation)[0] === logicalKey) {
+            validation = {
+                [logicalKey]: [
+                    ...currentPerm.validation[logicalKey],
+                    newPerm.validation,
+                ],
+            };
+        }
+        else if (currentPerm.validation) {
+            // Empty {} supersedes other validations in _OR merge
+            if (strategy === 'or' && (isEqual(currentPerm.validation, {}) || isEqual(newPerm.validation, {}))) {
+                validation = {};
+            }
+            else {
+                validation = {
+                    [logicalKey]: [currentPerm.validation, newPerm.validation],
+                };
+            }
+        }
+        else {
+            validation = {
+                [logicalKey]: [newPerm.validation],
+            };
+        }
+    }
+    if (newPerm.fields) {
+        if (Array.isArray(currentPerm.fields) && strategy === 'or') {
+            fields = uniq([...currentPerm.fields, ...newPerm.fields]);
+        }
+        else if (Array.isArray(currentPerm.fields) && strategy === 'and') {
+            fields = intersection(currentPerm.fields, newPerm.fields);
+        }
+        else {
+            fields = newPerm.fields;
+        }
+        if (fields.includes('*'))
+            fields = ['*'];
+    }
+    if (newPerm.presets) {
+        presets = merge({}, presets, newPerm.presets);
+    }
+    return omit({
+        ...currentPerm,
+        permissions,
+        validation,
+        fields,
+        presets,
+    }, ['id', 'system']);
+}

package/dist/services/assets.js

@@ -121,7 +121,7 @@ export class AssetsService {
                     reason: 'Server too busy',
                 });
             }
-            const version = file.modified_on !== undefined ? String(new Date(file.modified_on).getTime() / 1000) : undefined;
+            const version = file.modified_on !== undefined ? String(Math.round(new Date(file.modified_on).getTime() / 1000)) : undefined;
             const readStream = await storage.location(file.storage).read(file.filename_disk, { range, version });
             const transformer = getSharpInstance();
             transformer.timeout({

package/dist/services/authentication.js

@@ -212,13 +212,8 @@ export class AuthenticationService {
             user_auth_data: 'u.auth_data',
             user_role: 'u.role',
             share_id: 'd.id',
-            share_item: 'd.item',
-            share_role: 'd.role',
-            share_collection: 'd.collection',
             share_start: 'd.date_start',
             share_end: 'd.date_end',
-            share_times_used: 'd.times_used',
-            share_max_uses: 'd.max_uses',
         })
             .from('directus_sessions AS s')
             .leftJoin('directus_users AS u', 's.user', 'u.id')
@@ -289,11 +284,7 @@ export class AuthenticationService {
         }
         if (record.share_id) {
             tokenPayload.share = record.share_id;
-            tokenPayload.role = record.share_role;
-            tokenPayload.share_scope = {
-                collection: record.share_collection,
-                item: record.share_item,
-            };
+            tokenPayload.role = null;
             tokenPayload.app_access = false;
             tokenPayload.admin_access = false;
             delete tokenPayload.id;

package/dist/services/collections.js

@@ -155,11 +155,10 @@ export class CollectionsService {
             if (opts?.autoPurgeSystemCache !== false) {
                 await clearSystemCache({ autoPurgeCache: opts?.autoPurgeCache });
             }
-            // Refresh the schema for subsequent reads
-            this.schema = await getSchema();
             if (opts?.emitEvents !== false && nestedActionEvents.length > 0) {
+                const updatedSchema = await getSchema();
                 for (const nestedActionEvent of nestedActionEvents) {
-                    nestedActionEvent.context.schema = this.schema;
+                    nestedActionEvent.context.schema = updatedSchema;
                     emitter.emitAction(nestedActionEvent.event, nestedActionEvent.meta, nestedActionEvent.context);
                 }
             }
@@ -197,11 +196,10 @@ export class CollectionsService {
             if (opts?.autoPurgeSystemCache !== false) {
                 await clearSystemCache({ autoPurgeCache: opts?.autoPurgeCache });
             }
-            // Refresh the schema for subsequent reads
-            this.schema = await getSchema();
             if (opts?.emitEvents !== false && nestedActionEvents.length > 0) {
+                const updatedSchema = await getSchema();
                 for (const nestedActionEvent of nestedActionEvents) {
-                    nestedActionEvent.context.schema = this.schema;
+                    nestedActionEvent.context.schema = updatedSchema;
                     emitter.emitAction(nestedActionEvent.event, nestedActionEvent.meta, nestedActionEvent.context);
                 }
             }
@@ -290,6 +288,7 @@ export class CollectionsService {
                 accountability: this.accountability,
                 action: 'read',
                 collection,
+                skipCollectionExistsCheck: true,
             }, {
                 schema: this.schema,
                 knex: this.knex,

package/dist/services/comments.js

@@ -5,6 +5,7 @@ import { cloneDeep, mergeWith, uniq } from 'lodash-es';
 import { randomUUID } from 'node:crypto';
 import { useLogger } from '../logger/index.js';
 import { fetchRolesTree } from '../permissions/lib/fetch-roles-tree.js';
+import { fetchGlobalAccess } from '../permissions/modules/fetch-global-access/fetch-global-access.js';
 import { validateAccess } from '../permissions/modules/validate-access/validate-access.js';
 import { isValidUuid } from '../utils/is-valid-uuid.js';
 import { transaction } from '../utils/transaction.js';
@@ -118,16 +119,19 @@ export class CommentsService extends ItemsService {
         for (const mention of mentions) {
             const userID = mention.substring(1);
             const user = await this.usersService.readOne(userID, {
-                fields: ['id', 'first_name', 'last_name', 'email', 'role.id', 'role.admin_access', 'role.app_access'],
+                fields: ['id', 'first_name', 'last_name', 'email', 'role.id'],
             });
             const accountability = {
                 user: userID,
                 role: user['role']?.id ?? null,
-                admin: user['role']?.admin_access ?? null,
-                app: user['role']?.app_access ?? null,
-                roles: await fetchRolesTree(user['role']?.id, this.knex),
+                admin: false,
+                app: false,
+                roles: await fetchRolesTree(user['role']?.id ?? null, this.knex),
                 ip: null,
             };
+            const userGlobalAccess = await fetchGlobalAccess(accountability, this.knex);
+            accountability.admin = userGlobalAccess.admin;
+            accountability.app = userGlobalAccess.app;
             const usersService = new UsersService({ schema: this.schema, accountability });
             try {
                 await validateAccess({

package/dist/services/shares.d.ts

@@ -4,6 +4,8 @@ import { ItemsService } from './items.js';
 export declare class SharesService extends ItemsService {
     constructor(options: AbstractServiceOptions);
     createOne(data: Partial<Item>, opts?: MutationOptions): Promise<PrimaryKey>;
+    updateMany(keys: PrimaryKey[], data: Partial<Item>, opts?: MutationOptions): Promise<PrimaryKey[]>;
+    deleteMany(keys: PrimaryKey[], opts?: MutationOptions): Promise<PrimaryKey[]>;
     login(payload: Record<string, any>, options?: Partial<{
         session: boolean;
     }>): Promise<Omit<LoginResult, 'id'>>;

package/dist/services/shares.js

@@ -2,6 +2,7 @@ import { useEnv } from '@directus/env';
 import { ForbiddenError, InvalidCredentialsError } from '@directus/errors';
 import argon2 from 'argon2';
 import jwt from 'jsonwebtoken';
+import { nanoid } from 'nanoid';
 import { useLogger } from '../logger/index.js';
 import { validateAccess } from '../permissions/modules/validate-access/validate-access.js';
 import { getMilliseconds } from '../utils/get-milliseconds.js';
@@ -12,6 +13,7 @@ import { userName } from '../utils/user-name.js';
 import { ItemsService } from './items.js';
 import { MailService } from './mail/index.js';
 import { UsersService } from './users.js';
+import { clearCache as clearPermissionsCache } from '../permissions/cache.js';
 const env = useEnv();
 const logger = useLogger();
 export class SharesService extends ItemsService {
@@ -32,14 +34,18 @@ export class SharesService extends ItemsService {
         }
         return super.createOne(data, opts);
     }
+    async updateMany(keys, data, opts) {
+        await clearPermissionsCache();
+        return super.updateMany(keys, data, opts);
+    }
+    async deleteMany(keys, opts) {
+        await clearPermissionsCache();
+        return super.deleteMany(keys, opts);
+    }
     async login(payload, options) {
-        const { nanoid } = await import('nanoid');
         const record = await this.knex
             .select({
             share_id: 'id',
-            share_role: 'role',
-            share_item: 'item',
-            share_collection: 'collection',
             share_start: 'date_start',
             share_end: 'date_end',
             share_times_used: 'times_used',
@@ -70,12 +76,8 @@ export class SharesService extends ItemsService {
         const tokenPayload = {
             app_access: false,
             admin_access: false,
-            role: record.share_role,
+            role: null,
             share: record.share_id,
-            share_scope: {
-                item: record.share_item,
-                collection: record.share_collection,
-            },
         };
         const refreshToken = nanoid(64);
         const refreshTokenExpiration = new Date(Date.now() + getMilliseconds(env['REFRESH_TOKEN_TTL'], 0));

package/dist/types/auth.d.ts

@@ -31,16 +31,9 @@ export type DirectusTokenPayload = {
     app_access: boolean | number;
     admin_access: boolean | number;
     share?: string;
-    share_scope?: {
-        collection: string;
-        item: string;
-    };
 };
 export type ShareData = {
     share_id: string;
-    share_role: string;
-    share_item: string;
-    share_collection: string;
     share_start: Date;
     share_end: Date;
     share_times_used: number;

package/dist/utils/get-accountability-for-token.js

@@ -21,8 +21,6 @@ export async function getAccountabilityForToken(token, accountability) {
             }
             if (payload.share)
                 accountability.share = payload.share;
-            if (payload.share_scope)
-                accountability.share_scope = payload.share_scope;
             if (payload.id)
                 accountability.user = payload.id;
             accountability.role = payload.role;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@directus/api",
-  "version": "23.1.0",
+  "version": "23.1.2",
   "description": "Directus is a real-time API and App dashboard for managing SQL database content",
   "keywords": [
     "directus",
@@ -149,29 +149,29 @@
     "ws": "8.18.0",
     "zod": "3.23.8",
     "zod-validation-error": "3.4.0",
+    "@directus/app": "13.3.2",
     "@directus/constants": "12.0.0",
+    "@directus/env": "3.1.3",
     "@directus/errors": "1.0.1",
-    "@directus/app": "13.3.0",
-    "@directus/env": "3.1.2",
-    "@directus/extensions-registry": "2.0.3",
-    "@directus/extensions-sdk": "12.1.1",
-    "@directus/extensions": "2.0.3",
+    "@directus/extensions-registry": "2.0.4",
+    "@directus/extensions": "2.0.4",
+    "@directus/extensions-sdk": "12.1.2",
     "@directus/format-title": "11.0.0",
-    "@directus/memory": "2.0.3",
-    "@directus/pressure": "2.0.2",
-    "@directus/specs": "11.1.0",
+    "@directus/memory": "2.0.4",
+    "@directus/pressure": "2.0.3",
     "@directus/schema": "12.1.1",
+    "@directus/specs": "11.1.0",
     "@directus/storage": "11.0.1",
-    "@directus/storage-driver-azure": "11.0.2",
-    "@directus/storage-driver-cloudinary": "11.0.3",
-    "@directus/storage-driver-gcs": "11.0.2",
+    "@directus/storage-driver-azure": "11.1.0",
+    "@directus/storage-driver-gcs": "11.1.0",
+    "@directus/storage-driver-cloudinary": "11.1.0",
     "@directus/storage-driver-local": "11.0.1",
-    "@directus/storage-driver-s3": "11.0.2",
-    "@directus/storage-driver-supabase": "2.0.2",
-    "@directus/system-data": "2.1.0",
-    "@directus/utils": "12.0.2",
-    "directus": "11.1.2",
-    "@directus/validation": "1.0.2"
+    "@directus/storage-driver-s3": "11.0.3",
+    "@directus/storage-driver-supabase": "2.1.0",
+    "@directus/system-data": "2.1.1",
+    "@directus/validation": "1.0.3",
+    "@directus/utils": "12.0.3",
+    "directus": "11.2.1"
   },
   "devDependencies": {
     "@ngneat/falso": "7.2.0",
@@ -214,8 +214,8 @@
     "typescript": "5.6.3",
     "vitest": "2.1.2",
     "@directus/random": "1.0.0",
-    "@directus/types": "12.2.0",
-    "@directus/tsconfig": "2.0.0"
+    "@directus/tsconfig": "2.0.0",
+    "@directus/types": "12.2.1"
   },
   "optionalDependencies": {
     "@keyv/redis": "3.0.1",