@directus/api 25.0.0 → 26.0.0

package/dist/database/helpers/index.js

@@ -1,4 +1,5 @@
 import { getDatabaseClient } from '../index.js';
+import * as capabilitiesHelpers from './capabilities/index.js';
 import * as dateHelpers from './date/index.js';
 import * as fnHelpers from './fn/index.js';
 import * as geometryHelpers from './geometry/index.js';
@@ -13,6 +14,7 @@ export function getHelpers(database) {
         schema: new schemaHelpers[client](database),
         sequence: new sequenceHelpers[client](database),
         number: new numberHelpers[client](database),
+        capabilities: new capabilitiesHelpers[client](database),
     };
 }
 export function getFunctions(database, schema) {

package/dist/database/helpers/schema/dialects/cockroachdb.d.ts

@@ -1,11 +1,10 @@
 import type { KNEX_TYPES } from '@directus/constants';
 import { type Knex } from 'knex';
-import type { Options, SortRecord, Sql } from '../types.js';
+import type { Options, SortRecord } from '../types.js';
 import { SchemaHelper } from '../types.js';
 export declare class SchemaHelperCockroachDb extends SchemaHelper {
     changeToType(table: string, column: string, type: (typeof KNEX_TYPES)[number], options?: Options): Promise<void>;
     constraintName(existingName: string): string;
     getDatabaseSize(): Promise<number | null>;
-    prepQueryParams(queryParams: Sql): Sql;
     addInnerSortFieldsToGroupBy(groupByFields: (string | Knex.Raw)[], sortRecords: SortRecord[], hasRelationalSort: boolean): void;
 }

package/dist/database/helpers/schema/dialects/cockroachdb.js

@@ -1,7 +1,6 @@
 import {} from 'knex';
 import { SchemaHelper } from '../types.js';
 import { useEnv } from '@directus/env';
-import { prepQueryParams } from '../utils/prep-query-params.js';
 const env = useEnv();
 export class SchemaHelperCockroachDb extends SchemaHelper {
     async changeToType(table, column, type, options = {}) {
@@ -29,9 +28,6 @@ export class SchemaHelperCockroachDb extends SchemaHelper {
             return null;
         }
     }
-    prepQueryParams(queryParams) {
-        return prepQueryParams(queryParams, { format: (index) => `$${index + 1}` });
-    }
     addInnerSortFieldsToGroupBy(groupByFields, sortRecords, hasRelationalSort) {
         if (hasRelationalSort) {
             /*

package/dist/database/helpers/schema/dialects/postgres.d.ts

@@ -1,8 +1,7 @@
 import type { Knex } from 'knex';
-import { SchemaHelper, type SortRecord, type Sql } from '../types.js';
+import { SchemaHelper, type SortRecord } from '../types.js';
 export declare class SchemaHelperPostgres extends SchemaHelper {
     generateIndexName(type: 'unique' | 'foreign' | 'index', collection: string, fields: string | string[]): string;
     getDatabaseSize(): Promise<number | null>;
-    prepQueryParams(queryParams: Sql): Sql;
     addInnerSortFieldsToGroupBy(groupByFields: (string | Knex.Raw)[], sortRecords: SortRecord[], hasRelationalSort: boolean): void;
 }

package/dist/database/helpers/schema/dialects/postgres.js

@@ -1,7 +1,6 @@
 import { useEnv } from '@directus/env';
 import { getDefaultIndexName } from '../../../../utils/get-default-index-name.js';
 import { SchemaHelper } from '../types.js';
-import { prepQueryParams } from '../utils/prep-query-params.js';
 const env = useEnv();
 export class SchemaHelperPostgres extends SchemaHelper {
     generateIndexName(type, collection, fields) {
@@ -16,9 +15,6 @@ export class SchemaHelperPostgres extends SchemaHelper {
             return null;
         }
     }
-    prepQueryParams(queryParams) {
-        return prepQueryParams(queryParams, { format: (index) => `$${index + 1}` });
-    }
     addInnerSortFieldsToGroupBy(groupByFields, sortRecords, hasRelationalSort) {
         if (hasRelationalSort) {
             /*

package/dist/database/index.js

@@ -27,7 +27,7 @@ export function getDatabase() {
     const env = useEnv();
     const logger = useLogger();
     const metrics = useMetrics();
-    const { client, version, searchPath, connectionString, pool: poolConfig = {}, ...connectionConfig } = getConfigFromEnv('DB_', ['DB_EXCLUDE_TABLES']);
+    const { client, version, searchPath, connectionString, pool: poolConfig = {}, ...connectionConfig } = getConfigFromEnv('DB_', { omitPrefix: 'DB_EXCLUDE_TABLES' });
     const requiredEnvVars = ['DB_CLIENT'];
     switch (client) {
         case 'sqlite3':

package/dist/database/migrations/20250224A-visual-editor.d.ts

@@ -0,0 +1,3 @@
+import type { Knex } from 'knex';
+export declare function up(knex: Knex): Promise<void>;
+export declare function down(knex: Knex): Promise<void>;

package/dist/database/migrations/20250224A-visual-editor.js

@@ -0,0 +1,35 @@
+export async function up(knex) {
+    await knex.schema.alterTable('directus_settings', (table) => {
+        table.json('visual_editor_urls').nullable();
+    });
+    await updateModuleBar(knex, (moduleBar) => {
+        if (moduleBar.find(({ id }) => id === 'visual'))
+            return;
+        const visualEditorModule = {
+            type: 'module',
+            id: 'visual',
+            enabled: false,
+        };
+        const contentModuleIndex = moduleBar.findIndex(({ id }) => id === 'content');
+        moduleBar.splice(contentModuleIndex + 1, 0, visualEditorModule);
+        return moduleBar;
+    });
+}
+export async function down(knex) {
+    await knex.schema.alterTable('directus_settings', (table) => {
+        table.dropColumns('visual_editor_urls');
+    });
+    await updateModuleBar(knex, (moduleBar) => moduleBar.filter(({ id }) => id !== 'visual'));
+}
+async function updateModuleBar(knex, modify) {
+    const result = await knex('directus_settings').select('module_bar', 'id').first();
+    if (result && result.module_bar) {
+        const moduleBar = typeof result.module_bar === 'string' ? JSON.parse(result.module_bar) : result.module_bar;
+        const updatedModuleBar = modify(moduleBar);
+        if (!updatedModuleBar)
+            return;
+        await knex('directus_settings')
+            .update({ module_bar: JSON.stringify(updatedModuleBar) })
+            .where('id', result.id);
+    }
+}

package/dist/database/run-ast/lib/get-db-query.js

@@ -21,16 +21,28 @@ export function getDBQuery({ table, fieldNodes, o2mNodes, query, cases, permissi
     // Queries with aggregates and groupBy will not have duplicate result
     if (queryCopy.aggregate || queryCopy.group) {
         const flatQuery = knex.from(table);
+        const fieldNodeMap = Object.fromEntries(fieldNodes.map((node, index) => [
+            node.fieldKey,
+            [node, index],
+        ]));
+        const groupFieldNodes = queryCopy.group?.map((field) => fieldNodeMap[field][0]) ?? [];
         // Map the group fields to their respective field nodes
-        const groupWhenCases = hasCaseWhen
-            ? queryCopy.group?.map((field) => fieldNodes.find(({ fieldKey }) => fieldKey === field)?.whenCase ?? [])
-            : undefined;
+        const groupWhenCases = hasCaseWhen ? groupFieldNodes.map((node) => node.whenCase ?? []) : undefined;
+        // Determine the number of aggregates that will be selected
+        const aggregateCount = Object.entries(queryCopy.aggregate ?? {}).reduce((acc, [_, fields]) => acc + fields.length, 0);
+        // Map the group field to their respective select column positions (1 based, offset by the number of aggregate terms that are applied in applyQuery)
+        // The positions need to be offset by the number of aggregate terms, since the aggregate terms are selected first
+        const groupColumnPositions = queryCopy.group?.map((field) => fieldNodeMap[field][1] + 1 + aggregateCount) ?? [];
         const dbQuery = applyQuery(knex, table, flatQuery, queryCopy, schema, cases, permissions, {
             aliasMap,
             groupWhenCases,
+            groupColumnPositions,
         }).query;
         flatQuery.select(fieldNodes.map((node) => preProcess(node)));
-        withPreprocessBindings(knex, dbQuery);
+        if (helpers.capabilities.supportsDeduplicationOfParameters() &&
+            !helpers.capabilities.supportsColumnPositionInGroupBy()) {
+            withPreprocessBindings(knex, dbQuery);
+        }
         return dbQuery;
     }
     const primaryKey = schema.collections[table].primary;

package/dist/logger/index.js

@@ -43,7 +43,7 @@ export const createLogger = () => {
             censor: REDACTED_TEXT,
         },
     };
-    const loggerEnvConfig = getConfigFromEnv('LOGGER_', 'LOGGER_HTTP');
+    const loggerEnvConfig = getConfigFromEnv('LOGGER_', { omitPrefix: 'LOGGER_HTTP' });
     // Expose custom log levels into formatter function
     if (loggerEnvConfig['levels']) {
         const customLogLevels = {};
@@ -91,8 +91,8 @@ export const createLogger = () => {
 };
 export const createExpressLogger = () => {
     const env = useEnv();
-    const httpLoggerEnvConfig = getConfigFromEnv('LOGGER_HTTP', ['LOGGER_HTTP_LOGGER']);
-    const loggerEnvConfig = getConfigFromEnv('LOGGER_', 'LOGGER_HTTP');
+    const httpLoggerEnvConfig = getConfigFromEnv('LOGGER_HTTP', { omitPrefix: 'LOGGER_HTTP_LOGGER' });
+    const loggerEnvConfig = getConfigFromEnv('LOGGER_', { omitPrefix: 'LOGGER_HTTP' });
     const httpLoggerOptions = {
         level: env['LOG_LEVEL'] || 'info',
         redact: {

package/dist/middleware/sanitize-query.js

@@ -4,16 +4,26 @@
  */
 import { sanitizeQuery } from '../utils/sanitize-query.js';
 import { validateQuery } from '../utils/validate-query.js';
-const sanitizeQueryMiddleware = (req, _res, next) => {
+const sanitizeQueryMiddleware = async (req, _res, next) => {
     req.sanitizedQuery = {};
     if (!req.query)
         return;
-    req.sanitizedQuery = sanitizeQuery({
-        fields: req.query['fields'] || '*',
-        ...req.query,
-    }, req.accountability || null);
-    Object.freeze(req.sanitizedQuery);
-    validateQuery(req.sanitizedQuery);
+    // Skip sanitization and validation if query is empty
+    if (Object.keys(req.query).length === 0) {
+        Object.freeze(req.sanitizedQuery);
+        return next();
+    }
+    try {
+        req.sanitizedQuery = await sanitizeQuery({
+            fields: req.query['fields'] || '*',
+            ...req.query,
+        }, req.schema, req.accountability || null);
+        Object.freeze(req.sanitizedQuery);
+        validateQuery(req.sanitizedQuery);
+    }
+    catch (error) {
+        return next(error);
+    }
     return next();
 };
 export default sanitizeQueryMiddleware;

package/dist/middleware/validate-batch.js

@@ -18,7 +18,7 @@ export const validateBatch = (scope) => asyncHandler(async (req, _res, next) =>
     }
     // In reads, the query in the body should override the query params for searching
     if (scope === 'read' && req.body.query) {
-        req.sanitizedQuery = sanitizeQuery(req.body.query, req.accountability);
+        req.sanitizedQuery = await sanitizeQuery(req.body.query, req.schema, req.accountability);
         validateQuery(req.sanitizedQuery);
     }
     // Every cRUD action has either keys or query

package/dist/operations/item-delete/index.js

@@ -26,7 +26,7 @@ export default defineOperationApi({
             knex: database,
         });
         const queryObject = query ? optionToObject(query) : {};
-        const sanitizedQueryObject = sanitizeQuery(queryObject, customAccountability);
+        const sanitizedQueryObject = await sanitizeQuery(queryObject, schema, customAccountability);
         let result;
         if (!key || (Array.isArray(key) && key.length === 0)) {
             result = await itemsService.deleteByQuery(sanitizedQueryObject, { emitEvents: !!emitEvents });

package/dist/operations/item-read/index.js

@@ -26,7 +26,7 @@ export default defineOperationApi({
             knex: database,
         });
         const queryObject = query ? optionToObject(query) : {};
-        const sanitizedQueryObject = sanitizeQuery(queryObject, customAccountability);
+        const sanitizedQueryObject = await sanitizeQuery(queryObject, schema, customAccountability);
         let result;
         if (!key || (Array.isArray(key) && key.length === 0)) {
             result = await itemsService.readByQuery(sanitizedQueryObject, { emitEvents: !!emitEvents });

package/dist/operations/item-update/index.js

@@ -27,7 +27,7 @@ export default defineOperationApi({
         });
         const payloadObject = optionToObject(payload) ?? null;
         const queryObject = query ? optionToObject(query) : {};
-        const sanitizedQueryObject = sanitizeQuery(queryObject, customAccountability);
+        const sanitizedQueryObject = await sanitizeQuery(queryObject, schema, customAccountability);
         if (!payloadObject) {
             return null;
         }

package/dist/permissions/lib/fetch-permissions.js

@@ -1,14 +1,16 @@
-import { fetchDynamicVariableContext } from '../utils/fetch-dynamic-variable-context.js';
+import { extractRequiredDynamicVariableContextForPermissions } from '../utils/extract-required-dynamic-variable-context.js';
+import { fetchDynamicVariableData } from '../utils/fetch-dynamic-variable-data.js';
 import { fetchRawPermissions } from '../utils/fetch-raw-permissions.js';
-import { processPermissions } from '../utils/process-permissions.js';
 import { getPermissionsForShare } from '../utils/get-permissions-for-share.js';
+import { processPermissions } from '../utils/process-permissions.js';
 export async function fetchPermissions(options, context) {
     const permissions = await fetchRawPermissions({ ...options, bypassMinimalAppPermissions: options.bypassDynamicVariableProcessing ?? false }, context);
     if (options.accountability && !options.bypassDynamicVariableProcessing) {
-        const permissionsContext = await fetchDynamicVariableContext({
+        const dynamicVariableContext = extractRequiredDynamicVariableContextForPermissions(permissions);
+        const permissionsContext = await fetchDynamicVariableData({
             accountability: options.accountability,
             policies: options.policies,
-            permissions,
+            dynamicVariableContext,
         }, context);
         // Replace dynamic variables with their actual values
         const processedPermissions = processPermissions({

package/dist/permissions/modules/process-ast/utils/context-has-dynamic-variables.d.ts

@@ -0,0 +1,2 @@
+import type { DynamicVariableContext } from '../../../utils/extract-required-dynamic-variable-context.js';
+export declare function contextHasDynamicVariables(context: DynamicVariableContext): boolean;

package/dist/permissions/modules/process-ast/utils/context-has-dynamic-variables.js

@@ -0,0 +1,3 @@
+export function contextHasDynamicVariables(context) {
+    return Object.values(context).some((v) => v.size > 0);
+}

package/dist/permissions/modules/process-payload/process-payload.d.ts

@@ -5,6 +5,7 @@ export interface ProcessPayloadOptions {
     action: PermissionsAction;
     collection: string;
     payload: Item;
+    nested: string[];
 }
 /**
  * @note this only validates the top-level fields. The expectation is that this function is called

package/dist/permissions/modules/process-payload/process-payload.js

@@ -1,10 +1,12 @@
 import { ForbiddenError } from '@directus/errors';
-import { validatePayload } from '@directus/utils';
+import { parseFilter, validatePayload } from '@directus/utils';
 import { FailedValidationError, joiValidationErrorItemToErrorExtensions } from '@directus/validation';
 import { assign, difference, uniq } from 'lodash-es';
 import { fetchPermissions } from '../../lib/fetch-permissions.js';
 import { fetchPolicies } from '../../lib/fetch-policies.js';
 import { isFieldNullable } from './lib/is-field-nullable.js';
+import { fetchDynamicVariableData } from '../../utils/fetch-dynamic-variable-data.js';
+import { extractRequiredDynamicVariableContext } from '../../utils/extract-required-dynamic-variable-context.js';
 /**
  * @note this only validates the top-level fields. The expectation is that this function is called
  * for each level of nested insert separately
@@ -12,8 +14,8 @@ import { isFieldNullable } from './lib/is-field-nullable.js';
 export async function processPayload(options, context) {
     let permissions;
     let permissionValidationRules = [];
+    const policies = await fetchPolicies(options.accountability, context);
     if (!options.accountability.admin) {
-        const policies = await fetchPolicies(options.accountability, context);
         permissions = await fetchPermissions({ action: options.action, policies, collections: [options.collection], accountability: options.accountability }, context);
         if (permissions.length === 0) {
             throw new ForbiddenError({
@@ -53,7 +55,14 @@ export async function processPayload(options, context) {
                 },
             });
         }
-        fieldValidationRules.push(field.validation);
+        const permissionContext = extractRequiredDynamicVariableContext(field.validation);
+        const filterContext = await fetchDynamicVariableData({
+            accountability: options.accountability,
+            policies,
+            dynamicVariableContext: permissionContext,
+        }, context);
+        const validationFilter = parseFilter(field.validation, options.accountability, filterContext);
+        fieldValidationRules.push(validationFilter);
     }
     const presets = (permissions ?? []).map((permission) => permission.presets);
     const payloadWithPresets = assign({}, ...presets, options.payload);
@@ -67,7 +76,7 @@ export async function processPayload(options, context) {
     if (validationRules.length > 0) {
         const validationErrors = [];
         validationErrors.push(...validatePayload({ _and: validationRules }, payloadWithPresets)
-            .map((error) => error.details.map((details) => new FailedValidationError(joiValidationErrorItemToErrorExtensions(details))))
+            .map((error) => error.details.map((details) => new FailedValidationError(joiValidationErrorItemToErrorExtensions(details, options.nested))))
             .flat());
         if (validationErrors.length > 0)
             throw validationErrors;

package/dist/permissions/types.d.ts

@@ -1,6 +1,7 @@
-import type { SchemaOverview } from '@directus/types';
+import type { Accountability, SchemaOverview } from '@directus/types';
 import type { Knex } from 'knex';
 export interface Context {
     schema: SchemaOverview;
     knex: Knex;
+    accountability?: Accountability;
 }

package/dist/permissions/utils/extract-required-dynamic-variable-context.d.ts

@@ -1,8 +1,9 @@
 import type { Permission } from '@directus/types';
-export interface RequiredPermissionContext {
+export interface DynamicVariableContext {
     $CURRENT_USER: Set<string>;
     $CURRENT_ROLE: Set<string>;
     $CURRENT_ROLES: Set<string>;
     $CURRENT_POLICIES: Set<string>;
 }
-export declare function extractRequiredDynamicVariableContext(permissions: Permission[]): RequiredPermissionContext;
+export declare function extractRequiredDynamicVariableContextForPermissions(permissions: Permission[]): DynamicVariableContext;
+export declare function extractRequiredDynamicVariableContext(val: any): DynamicVariableContext;

package/dist/permissions/utils/extract-required-dynamic-variable-context.js

@@ -1,17 +1,27 @@
 import { deepMap } from '@directus/utils';
-export function extractRequiredDynamicVariableContext(permissions) {
-    const permissionContext = {
+export function extractRequiredDynamicVariableContextForPermissions(permissions) {
+    let permissionContext = {
         $CURRENT_USER: new Set(),
         $CURRENT_ROLE: new Set(),
         $CURRENT_ROLES: new Set(),
         $CURRENT_POLICIES: new Set(),
     };
     for (const permission of permissions) {
-        deepMap(permission.permissions, extractPermissionData);
-        deepMap(permission.validation, extractPermissionData);
-        deepMap(permission.presets, extractPermissionData);
+        permissionContext = mergeContexts(permissionContext, extractRequiredDynamicVariableContext(permission.permissions));
+        permissionContext = mergeContexts(permissionContext, extractRequiredDynamicVariableContext(permission.validation));
+        permissionContext = mergeContexts(permissionContext, extractRequiredDynamicVariableContext(permission.presets));
     }
     return permissionContext;
+}
+export function extractRequiredDynamicVariableContext(val) {
+    const permissionContext = {
+        $CURRENT_USER: new Set(),
+        $CURRENT_ROLE: new Set(),
+        $CURRENT_ROLES: new Set(),
+        $CURRENT_POLICIES: new Set(),
+    };
+    deepMap(val, extractPermissionData);
+    return permissionContext;
     function extractPermissionData(val) {
         for (const placeholder of [
             '$CURRENT_USER',
@@ -25,3 +35,12 @@ export function extractRequiredDynamicVariableContext(permissions) {
         }
     }
 }
+function mergeContexts(context1, context2) {
+    const permissionContext = {
+        $CURRENT_USER: new Set([...context1.$CURRENT_USER, ...context2.$CURRENT_USER]),
+        $CURRENT_ROLE: new Set([...context1.$CURRENT_ROLE, ...context2.$CURRENT_ROLE]),
+        $CURRENT_ROLES: new Set([...context1.$CURRENT_ROLES, ...context2.$CURRENT_ROLES]),
+        $CURRENT_POLICIES: new Set([...context1.$CURRENT_POLICIES, ...context2.$CURRENT_POLICIES]),
+    };
+    return permissionContext;
+}

package/dist/permissions/utils/fetch-dynamic-variable-data.d.ts

@@ -0,0 +1,9 @@
+import type { Accountability } from '@directus/types';
+import type { Context } from '../types.js';
+import { type DynamicVariableContext } from './extract-required-dynamic-variable-context.js';
+export interface FetchDynamicVariableContext {
+    accountability: Pick<Accountability, 'user' | 'role' | 'roles'>;
+    policies: string[];
+    dynamicVariableContext: DynamicVariableContext;
+}
+export declare function fetchDynamicVariableData(options: FetchDynamicVariableContext, context: Context): Promise<Record<string, any>>;

package/dist/permissions/utils/{fetch-dynamic-variable-context.js → fetch-dynamic-variable-data.js}

@@ -1,31 +1,30 @@
 import { useEnv } from '@directus/env';
 import { getSimpleHash } from '@directus/utils';
 import { getCache, getCacheValue, setCacheValue } from '../../cache.js';
-import { extractRequiredDynamicVariableContext, } from './extract-required-dynamic-variable-context.js';
-export async function fetchDynamicVariableContext(options, context) {
+import {} from './extract-required-dynamic-variable-context.js';
+export async function fetchDynamicVariableData(options, context) {
     const { UsersService } = await import('../../services/users.js');
     const { RolesService } = await import('../../services/roles.js');
     const { PoliciesService } = await import('../../services/policies.js');
     const contextData = {};
-    const permissionContext = extractRequiredDynamicVariableContext(options.permissions);
-    if (options.accountability.user && (permissionContext.$CURRENT_USER?.size ?? 0) > 0) {
-        contextData['$CURRENT_USER'] = await fetchContextData('$CURRENT_USER', permissionContext, { user: options.accountability.user }, async (fields) => {
+    if (options.accountability.user && (options.dynamicVariableContext.$CURRENT_USER?.size ?? 0) > 0) {
+        contextData['$CURRENT_USER'] = await fetchContextData('$CURRENT_USER', options.dynamicVariableContext, { user: options.accountability.user }, async (fields) => {
             const usersService = new UsersService(context);
             return await usersService.readOne(options.accountability.user, {
                 fields,
             });
         });
     }
-    if (options.accountability.role && (permissionContext.$CURRENT_ROLE?.size ?? 0) > 0) {
-        contextData['$CURRENT_ROLE'] = await fetchContextData('$CURRENT_ROLE', permissionContext, { role: options.accountability.role }, async (fields) => {
+    if (options.accountability.role && (options.dynamicVariableContext.$CURRENT_ROLE?.size ?? 0) > 0) {
+        contextData['$CURRENT_ROLE'] = await fetchContextData('$CURRENT_ROLE', options.dynamicVariableContext, { role: options.accountability.role }, async (fields) => {
             const rolesService = new RolesService(context);
             return await rolesService.readOne(options.accountability.role, {
                 fields,
             });
         });
     }
-    if (options.accountability.roles.length > 0 && (permissionContext.$CURRENT_ROLES?.size ?? 0) > 0) {
-        contextData['$CURRENT_ROLES'] = await fetchContextData('$CURRENT_ROLES', permissionContext, { roles: options.accountability.roles }, async (fields) => {
+    if (options.accountability.roles.length > 0 && (options.dynamicVariableContext.$CURRENT_ROLES?.size ?? 0) > 0) {
+        contextData['$CURRENT_ROLES'] = await fetchContextData('$CURRENT_ROLES', options.dynamicVariableContext, { roles: options.accountability.roles }, async (fields) => {
             const rolesService = new RolesService(context);
             return await rolesService.readMany(options.accountability.roles, {
                 fields,
@@ -33,10 +32,10 @@ export async function fetchDynamicVariableContext(options, context) {
         });
     }
     if (options.policies.length > 0) {
-        if ((permissionContext.$CURRENT_POLICIES?.size ?? 0) > 0) {
+        if ((options.dynamicVariableContext.$CURRENT_POLICIES?.size ?? 0) > 0) {
             // Always add the id field
-            permissionContext.$CURRENT_POLICIES.add('id');
-            contextData['$CURRENT_POLICIES'] = await fetchContextData('$CURRENT_POLICIES', permissionContext, { policies: options.policies }, async (fields) => {
+            options.dynamicVariableContext.$CURRENT_POLICIES.add('id');
+            contextData['$CURRENT_POLICIES'] = await fetchContextData('$CURRENT_POLICIES', options.dynamicVariableContext, { policies: options.policies }, async (fields) => {
                 const policiesService = new PoliciesService(context);
                 return await policiesService.readMany(options.policies, {
                     fields,

package/dist/rate-limiter.js

@@ -16,7 +16,7 @@ export function createRateLimiter(configPrefix = 'RATE_LIMITER', configOverrides
 }
 export { RateLimiterRes };
 function getConfig(store = 'memory', configPrefix = 'RATE_LIMITER', overrides) {
-    const config = getConfigFromEnv(`${configPrefix}_`, `${configPrefix}_${store}_`);
+    const config = getConfigFromEnv(`${configPrefix}_`, { omitPrefix: `${configPrefix}_${store}_` });
     if (store === 'redis') {
         const Redis = require('ioredis');
         const env = useEnv();

package/dist/services/assets.js

@@ -1,5 +1,5 @@
 import { useEnv } from '@directus/env';
-import { ForbiddenError, IllegalAssetTransformationError, RangeNotSatisfiableError, ServiceUnavailableError, } from '@directus/errors';
+import { ForbiddenError, IllegalAssetTransformationError, InvalidQueryError, RangeNotSatisfiableError, ServiceUnavailableError, } from '@directus/errors';
 import { clamp } from 'lodash-es';
 import { contentType } from 'mime-types';
 import hash from 'object-hash';
@@ -130,7 +130,17 @@ export class AssetsService {
             });
             if (transforms.find((transform) => transform[0] === 'rotate') === undefined)
                 transformer.rotate();
-            transforms.forEach(([method, ...args]) => transformer[method].apply(transformer, args));
+            try {
+                for (const [method, ...args] of transforms) {
+                    transformer[method].apply(transformer, args);
+                }
+            }
+            catch (error) {
+                if (error instanceof Error && error.message.startsWith('Expected')) {
+                    throw new InvalidQueryError({ reason: error.message });
+                }
+                throw error;
+            }
             const readStream = await storage.location(file.storage).read(file.filename_disk, { range, version });
             readStream.on('error', (e) => {
                 logger.error(e, `Couldn't transform file ${file.id}`);

package/dist/services/authentication.js

@@ -1,5 +1,3 @@
-import { fetchRolesTree } from '../permissions/lib/fetch-roles-tree.js';
-import { fetchGlobalAccess } from '../permissions/modules/fetch-global-access/fetch-global-access.js';
 import { Action } from '@directus/constants';
 import { useEnv } from '@directus/env';
 import { InvalidCredentialsError, InvalidOtpError, ServiceUnavailableError, UserSuspendedError, } from '@directus/errors';
@@ -10,6 +8,8 @@ import { getAuthProvider } from '../auth.js';
 import { DEFAULT_AUTH_PROVIDER } from '../constants.js';
 import getDatabase from '../database/index.js';
 import emitter from '../emitter.js';
+import { fetchRolesTree } from '../permissions/lib/fetch-roles-tree.js';
+import { fetchGlobalAccess } from '../permissions/modules/fetch-global-access/fetch-global-access.js';
 import { RateLimiterRes, createRateLimiter } from '../rate-limiter.js';
 import { getMilliseconds } from '../utils/get-milliseconds.js';
 import { getSecret } from '../utils/get-secret.js';

package/dist/services/collections.js

@@ -15,6 +15,9 @@ import { getSchema } from '../utils/get-schema.js';
 import { shouldClearCache } from '../utils/should-clear-cache.js';
 import { transaction } from '../utils/transaction.js';
 import { FieldsService } from './fields.js';
+import { buildCollectionAndFieldRelations } from './fields/build-collection-and-field-relations.js';
+import { getCollectionMetaUpdates } from './fields/get-collection-meta-updates.js';
+import { getCollectionRelationList } from './fields/get-collection-relation-list.js';
 import { ItemsService } from './items.js';
 export class CollectionsService {
     knex;
@@ -41,8 +44,11 @@ export class CollectionsService {
         if (this.accountability && this.accountability.admin !== true) {
             throw new ForbiddenError();
         }
-        if (!payload.collection)
+        if (!('collection' in payload))
             throw new InvalidPayloadError({ reason: `"collection" is required` });
+        if (typeof payload.collection !== 'string' || payload.collection === '') {
+            throw new InvalidPayloadError({ reason: `"collection" must be a non-empty string` });
+        }
         if (payload.collection.startsWith('directus_')) {
             throw new InvalidPayloadError({ reason: `Collections can't start with "directus_"` });
         }
@@ -61,10 +67,13 @@ export class CollectionsService {
             // transactions.
             await transaction(this.knex, async (trx) => {
                 if (payload.schema) {
+                    if ('fields' in payload && !Array.isArray(payload.fields)) {
+                        throw new InvalidPayloadError({ reason: `"fields" must be an array` });
+                    }
                     // Directus heavily relies on the primary key of a collection, so we have to make sure that
                     // every collection that is created has a primary key. If no primary key field is created
                     // while making the collection, we default to an auto incremented id named `id`
-                    if (!payload.fields) {
+                    if (!payload.fields || payload.fields.length === 0) {
                         payload.fields = [
                             {
                                 field: 'id',
@@ -478,7 +487,18 @@ export class CollectionsService {
                         accountability: this.accountability,
                         schema: this.schema,
                     });
-                    await trx('directus_fields').delete().where('collection', '=', collectionKey);
+                    const fieldItemsService = new ItemsService('directus_fields', {
+                        knex: trx,
+                        accountability: this.accountability,
+                        schema: this.schema,
+                    });
+                    await fieldItemsService.deleteByQuery({
+                        filter: {
+                            collection: { _eq: collectionKey },
+                        },
+                    }, {
+                        bypassEmitAction: (params) => opts?.bypassEmitAction ? opts.bypassEmitAction(params) : nestedActionEvents.push(params),
+                    });
                     await trx('directus_presets').delete().where('collection', '=', collectionKey);
                     const revisionsToDelete = await trx
                         .select('id')
@@ -494,6 +514,22 @@ export class CollectionsService {
                     await trx('directus_activity').delete().where('collection', '=', collectionKey);
                     await trx('directus_permissions').delete().where('collection', '=', collectionKey);
                     await trx('directus_relations').delete().where({ many_collection: collectionKey });
+                    const { collectionRelationTree, fieldToCollectionList } = await buildCollectionAndFieldRelations(this.schema.relations);
+                    const collectionRelationList = getCollectionRelationList(collectionKey, collectionRelationTree);
+                    // only process duplication fields if related collections have them
+                    if (collectionRelationList.size !== 0) {
+                        const collectionMetas = await trx
+                            .select('collection', 'archive_field', 'sort_field', 'item_duplication_fields')
+                            .from('directus_collections')
+                            .whereIn('collection', Array.from(collectionRelationList))
+                            .whereNotNull('item_duplication_fields');
+                        await Promise.all(Object.keys(this.schema.collections[collectionKey]?.fields ?? {}).map(async (fieldKey) => {
+                            const collectionMetaUpdates = getCollectionMetaUpdates(collectionKey, fieldKey, collectionMetas, this.schema.collections, fieldToCollectionList);
+                            for (const meta of collectionMetaUpdates) {
+                                await trx('directus_collections').update(meta.updates).where({ collection: meta.collection });
+                            }
+                        }));
+                    }
                     const relations = this.schema.relations.filter((relation) => {
                         return relation.collection === collectionKey || relation.related_collection === collectionKey;
                     });