@directus/api 25.0.1 → 26.0.0

package/dist/services/payload.js

@@ -20,12 +20,14 @@ export class PayloadService {
     helpers;
     collection;
     schema;
+    nested;
     constructor(collection, options) {
         this.accountability = options.accountability || null;
         this.knex = options.knex || getDatabase();
         this.helpers = getHelpers(this.knex);
         this.collection = collection;
         this.schema = options.schema;
+        this.nested = options.nested ?? [];
         return this;
     }
     transformers = {
@@ -346,6 +348,7 @@ export class PayloadService {
                 accountability: this.accountability,
                 knex: this.knex,
                 schema: this.schema,
+                nested: [...this.nested, relation.field],
             });
             const relatedPrimaryKeyField = this.schema.collections[relatedCollection].primary;
             const relatedRecord = payload[relation.field];
@@ -412,6 +415,7 @@ export class PayloadService {
                 accountability: this.accountability,
                 knex: this.knex,
                 schema: this.schema,
+                nested: [...this.nested, relation.field],
             });
             const relatedRecord = payload[relation.field];
             if (['string', 'number'].includes(typeof relatedRecord))
@@ -482,6 +486,7 @@ export class PayloadService {
                 accountability: this.accountability,
                 knex: this.knex,
                 schema: this.schema,
+                nested: [...this.nested, relation.meta.one_field],
             });
             const recordsToUpsert = [];
             const savedPrimaryKeys = [];
@@ -490,15 +495,23 @@ export class PayloadService {
             if (!field || Array.isArray(field)) {
                 const updates = field || []; // treat falsey values as removing all children
                 for (let i = 0; i < updates.length; i++) {
+                    const currentId = parent || payload[currentPrimaryKeyField];
                     const relatedRecord = updates[i];
+                    const relatedId = typeof relatedRecord === 'string' || typeof relatedRecord === 'number'
+                        ? relatedRecord
+                        : relatedRecord[relatedPrimaryKeyField];
                     let record = cloneDeep(relatedRecord);
-                    if (typeof relatedRecord === 'string' || typeof relatedRecord === 'number') {
-                        const existingRecord = await this.knex
+                    let existingRecord;
+                    // No relatedId means it's a new record
+                    if (relatedId) {
+                        existingRecord = await this.knex
                             .select(relatedPrimaryKeyField, relation.field)
                             .from(relation.collection)
-                            .where({ [relatedPrimaryKeyField]: record })
+                            .where({ [relatedPrimaryKeyField]: relatedId })
                             .first();
-                        if (!!existingRecord === false) {
+                    }
+                    if (typeof relatedRecord === 'string' || typeof relatedRecord === 'number') {
+                        if (!existingRecord) {
                             throw new ForbiddenError();
                         }
                         // If the related item is already associated to the current item, and there's no
@@ -507,9 +520,7 @@ export class PayloadService {
                         // for items that aren't actually being updated. NOTE: We use == here, as the
                         // primary key might be reported as a string instead of number, coming from the
                         // http route, and or a bigInteger in the DB
-                        if (isNil(existingRecord[relation.field]) === false &&
-                            (existingRecord[relation.field] == parent ||
-                                existingRecord[relation.field] == payload[currentPrimaryKeyField])) {
+                        if (isNil(existingRecord[relation.field]) === false && existingRecord[relation.field] == currentId) {
                             savedPrimaryKeys.push(existingRecord[relatedPrimaryKeyField]);
                             continue;
                         }
@@ -517,10 +528,10 @@ export class PayloadService {
                             [relatedPrimaryKeyField]: relatedRecord,
                         };
                     }
-                    recordsToUpsert.push({
-                        ...record,
-                        [relation.field]: parent || payload[currentPrimaryKeyField],
-                    });
+                    if (!existingRecord || existingRecord[relation.field] != parent) {
+                        record[relation.field] = currentId;
+                    }
+                    recordsToUpsert.push(record);
                 }
                 savedPrimaryKeys.push(...(await service.upsertMany(recordsToUpsert, {
                     onRevisionCreate: (pk) => revisions.push(pk),
@@ -608,13 +619,17 @@ export class PayloadService {
                     });
                 }
                 if (alterations.update) {
-                    const primaryKeyField = this.schema.collections[relation.collection].primary;
                     for (const item of alterations.update) {
-                        const { [primaryKeyField]: key, ...record } = item;
-                        await service.updateOne(key, {
-                            ...record,
-                            [relation.field]: parent || payload[currentPrimaryKeyField],
-                        }, {
+                        const { [relatedPrimaryKeyField]: key, ...record } = item;
+                        const existingRecord = await this.knex
+                            .select(relatedPrimaryKeyField, relation.field)
+                            .from(relation.collection)
+                            .where({ [relatedPrimaryKeyField]: key })
+                            .first();
+                        if (!existingRecord || existingRecord[relation.field] != parent) {
+                            record[relation.field] = parent || payload[currentPrimaryKeyField];
+                        }
+                        await service.updateOne(key, record, {
                             onRevisionCreate: (pk) => revisions.push(pk),
                             onRequireUserIntegrityCheck: (flags) => (userIntegrityCheckFlags |= flags),
                             bypassEmitAction: (params) => opts?.bypassEmitAction ? opts.bypassEmitAction(params) : nestedActionEvents.push(params),

package/dist/services/shares.js

@@ -4,6 +4,7 @@ import argon2 from 'argon2';
 import jwt from 'jsonwebtoken';
 import { nanoid } from 'nanoid';
 import { useLogger } from '../logger/index.js';
+import { clearCache as clearPermissionsCache } from '../permissions/cache.js';
 import { validateAccess } from '../permissions/modules/validate-access/validate-access.js';
 import { getMilliseconds } from '../utils/get-milliseconds.js';
 import { getSecret } from '../utils/get-secret.js';
@@ -13,7 +14,6 @@ import { userName } from '../utils/user-name.js';
 import { ItemsService } from './items.js';
 import { MailService } from './mail/index.js';
 import { UsersService } from './users.js';
-import { clearCache as clearPermissionsCache } from '../permissions/cache.js';
 const env = useEnv();
 const logger = useLogger();
 export class SharesService extends ItemsService {

package/dist/services/specifications.js

@@ -49,7 +49,7 @@ class OASSpecsService {
             permissions = await fetchPermissions({ policies, accountability: this.accountability }, { schema: this.schema, knex: this.knex });
         }
         const tags = await this.generateTags(schemaForSpec);
-        const paths = await this.generatePaths(permissions, tags);
+        const paths = await this.generatePaths(schemaForSpec, permissions, tags);
         const components = await this.generateComponents(schemaForSpec, tags);
         const isDefaultPublicUrl = env['PUBLIC_URL'] === '/';
         const url = isDefaultPublicUrl && host ? host : env['PUBLIC_URL'];
@@ -114,7 +114,7 @@ class OASSpecsService {
         // Filter out the generic Items information
         return tags.filter((tag) => tag.name !== 'Items');
     }
-    async generatePaths(permissions, tags) {
+    async generatePaths(schema, permissions, tags) {
         const paths = {};
         if (!tags)
             return paths;
@@ -195,11 +195,16 @@ class OASSpecsService {
                                                 'application/json': {
                                                     schema: {
                                                         properties: {
-                                                            data: {
-                                                                items: {
+                                                            data: schema.collections[collection]?.singleton
+                                                                ? {
                                                                     $ref: `#/components/schemas/${tag.name}`,
+                                                                }
+                                                                : {
+                                                                    type: 'array',
+                                                                    items: {
+                                                                        $ref: `#/components/schemas/${tag.name}`,
+                                                                    },
                                                                 },
-                                                            },
                                                         },
                                                     },
                                                 },

package/dist/services/tus/lockers.d.ts

@@ -29,7 +29,7 @@ export declare class KvLock implements Lock {
     private acquireTimeout;
     private kv;
     constructor(id: string, lockTimeout?: number, acquireTimeout?: number);
-    lock(cancelReq: RequestRelease): Promise<void>;
+    lock(signal: AbortSignal, cancelReq: RequestRelease): Promise<void>;
     protected acquireLock(id: string, requestRelease: RequestRelease, signal: AbortSignal): Promise<boolean>;
     unlock(): Promise<void>;
 }

package/dist/services/tus/lockers.js

@@ -38,11 +38,12 @@ export class KvLock {
         this.acquireTimeout = acquireTimeout;
         this.kv = useLock();
     }
-    async lock(cancelReq) {
+    async lock(signal, cancelReq) {
         const abortController = new AbortController();
+        const abortSignal = AbortSignal.any([signal, abortController.signal]);
         const lock = await Promise.race([
-            waitTimeout(this.acquireTimeout, abortController.signal),
-            this.acquireLock(this.id, cancelReq, abortController.signal),
+            waitTimeout(this.acquireTimeout, abortSignal),
+            this.acquireLock(this.id, cancelReq, abortSignal),
         ]);
         abortController.abort();
         if (!lock) {
@@ -50,10 +51,10 @@ export class KvLock {
         }
     }
     async acquireLock(id, requestRelease, signal) {
+        const lockTime = await this.kv.get(id);
         if (signal.aborted) {
-            return false;
+            return typeof lockTime !== 'undefined';
         }
-        const lockTime = await this.kv.get(id);
         const now = Date.now();
         if (!lockTime || Number(lockTime) < now - this.lockTimeout) {
             await this.kv.set(id, now);

package/dist/services/tus/server.js

@@ -14,6 +14,8 @@ import { ItemsService } from '../index.js';
 import { TusDataStore } from './data-store.js';
 import { getTusLocker } from './lockers.js';
 import { pick } from 'lodash-es';
+import emitter from '../../emitter.js';
+import getDatabase from '../../database/index.js';
 async function createTusStore(context) {
     const env = useEnv();
     const storage = await getStorage();
@@ -48,6 +50,7 @@ export async function createTusServer(context) {
             }))[0];
             if (!file)
                 return res;
+            let fileData;
             // update metadata when file is replaced
             if (file.tus_data?.['metadata']?.['replace_id']) {
                 const newFile = await service.readOne(file.tus_data['metadata']['replace_id']);
@@ -60,6 +63,12 @@ export async function createTusServer(context) {
                     ...updateFields,
                     ...metadata,
                 });
+                fileData = {
+                    ...newFile,
+                    ...updateFields,
+                    ...metadata,
+                    id: file.tus_data['metadata']['replace_id'],
+                };
                 await service.deleteOne(file.id);
             }
             else {
@@ -69,7 +78,22 @@ export async function createTusServer(context) {
                     tus_id: null,
                     tus_data: null,
                 });
+                fileData = {
+                    ...file,
+                    ...metadata,
+                    tus_id: null,
+                    tus_data: null,
+                };
             }
+            emitter.emitAction('files.upload', {
+                payload: fileData,
+                key: fileData.id,
+                collection: 'directus_files',
+            }, {
+                database: getDatabase(),
+                schema: req.schema,
+                accountability: req.accountability,
+            });
             return res;
         },
         generateUrl(_req, opts) {

package/dist/services/users.js

@@ -137,6 +137,7 @@ export class UsersService extends ItemsService {
                 throw new FailedValidationError({
                     field: 'email',
                     type: 'email',
+                    path: [],
                 });
             }
         }

package/dist/types/services.d.ts

@@ -4,10 +4,12 @@ export type AbstractServiceOptions = {
     knex?: Knex | undefined;
     accountability?: Accountability | null | undefined;
     schema: SchemaOverview;
+    nested?: string[];
 };
 export interface AbstractService {
     knex: Knex;
     accountability: Accountability | null | undefined;
+    nested: string[];
     createOne(data: Partial<Item>): Promise<PrimaryKey>;
     createMany(data: Partial<Item>[]): Promise<PrimaryKey[]>;
     readOne(key: PrimaryKey, query?: Query): Promise<Item>;

package/dist/utils/apply-query.d.ts

@@ -7,6 +7,7 @@ type ApplyQueryOptions = {
     isInnerQuery?: boolean;
     hasMultiRelationalSort?: boolean | undefined;
     groupWhenCases?: number[][] | undefined;
+    groupColumnPositions?: number[] | undefined;
 };
 /**
  * Apply the Query to a given Knex query builder instance

package/dist/utils/apply-query.js

@@ -47,20 +47,28 @@ export default function applyQuery(knex, collection, dbQuery, query, schema, cas
         hasMultiRelationalFilter = filterResult.hasMultiRelationalFilter;
     }
     if (query.group) {
+        const helpers = getHelpers(knex);
         const rawColumns = query.group.map((column) => getColumn(knex, collection, column, false, schema));
         let columns;
         if (options?.groupWhenCases) {
-            columns = rawColumns.map((column, index) => applyCaseWhen({
-                columnCases: options.groupWhenCases[index].map((caseIndex) => cases[caseIndex]),
-                column,
-                aliasMap,
-                cases,
-                table: collection,
-                permissions,
-            }, {
-                knex,
-                schema,
-            }));
+            if (helpers.capabilities.supportsColumnPositionInGroupBy() && options.groupColumnPositions) {
+                // This can be streamlined for databases that support reusing the alias in group by expressions
+                columns = query.group.map((column, index) => options.groupColumnPositions[index] !== undefined ? knex.raw(options.groupColumnPositions[index]) : column);
+            }
+            else {
+                // Reconstruct the columns with the case/when logic
+                columns = rawColumns.map((column, index) => applyCaseWhen({
+                    columnCases: options.groupWhenCases[index].map((caseIndex) => cases[caseIndex]),
+                    column,
+                    aliasMap,
+                    cases,
+                    table: collection,
+                    permissions,
+                }, {
+                    knex,
+                    schema,
+                }));
+            }
             if (query.sort && query.sort.length === 1 && query.sort[0] === query.group[0]) {
                 // Special case, where the sort query is injected by the group by operation
                 dbQuery.clear('order');
@@ -352,26 +360,29 @@ export function applyFilter(knex, schema, rootQuery, rootFilter, collection, ali
                         pkField = knex.raw(getHelpers(knex).schema.castA2oPrimaryKey(), [pkField]);
                     }
                     const childKey = Object.keys(value)?.[0];
-                    if (childKey === '_none' || childKey === '_some') {
-                        const subQueryBuilder = (filter, cases) => (subQueryKnex) => {
-                            const field = relation.field;
-                            const collection = relation.collection;
-                            const column = `${collection}.${field}`;
-                            subQueryKnex
-                                .select({ [field]: column })
-                                .from(collection)
-                                .whereNotNull(column);
-                            applyQuery(knex, relation.collection, subQueryKnex, { filter }, schema, cases, permissions);
-                        };
-                        const { cases: subCases } = getCases(relation.collection, permissions, []);
-                        if (childKey === '_none') {
-                            dbQuery[logical].whereNotIn(pkField, subQueryBuilder(Object.values(value)[0], subCases));
-                            continue;
-                        }
-                        else if (childKey === '_some') {
-                            dbQuery[logical].whereIn(pkField, subQueryBuilder(Object.values(value)[0], subCases));
-                            continue;
-                        }
+                    const subQueryBuilder = (filter, cases) => (subQueryKnex) => {
+                        const field = relation.field;
+                        const collection = relation.collection;
+                        const column = `${collection}.${field}`;
+                        subQueryKnex
+                            .select({ [field]: column })
+                            .from(collection)
+                            .whereNotNull(column);
+                        applyQuery(knex, relation.collection, subQueryKnex, { filter }, schema, cases, permissions);
+                    };
+                    const { cases: subCases } = getCases(relation.collection, permissions, []);
+                    if (childKey === '_none') {
+                        dbQuery[logical].whereNotIn(pkField, subQueryBuilder(Object.values(value)[0], subCases));
+                        continue;
+                    }
+                    else if (childKey === '_some') {
+                        dbQuery[logical].whereIn(pkField, subQueryBuilder(Object.values(value)[0], subCases));
+                        continue;
+                    }
+                    else {
+                        // Add implicit _some behavior when no operator is provided
+                        dbQuery[logical].whereIn(pkField, subQueryBuilder(value, subCases));
+                        continue;
                     }
                 }
                 if (filterPath.includes('_none') || filterPath.includes('_some')) {

package/dist/utils/generate-hash.js

@@ -1,7 +1,7 @@
 import argon2 from 'argon2';
 import { getConfigFromEnv } from './get-config-from-env.js';
 export function generateHash(stringToHash) {
-    const argon2HashConfigOptions = getConfigFromEnv('HASH_', 'HASH_RAW'); // Disallow the HASH_RAW option, see https://github.com/directus/directus/discussions/7670#discussioncomment-1255805
+    const argon2HashConfigOptions = getConfigFromEnv('HASH_', { omitPrefix: 'HASH_RAW' }); // Disallow the HASH_RAW option, see https://github.com/directus/directus/discussions/7670#discussioncomment-1255805
     // associatedData, if specified, must be passed as a Buffer to argon2.hash, see https://github.com/ranisalt/node-argon2/wiki/Options#associateddata
     if ('associatedData' in argon2HashConfigOptions)
         argon2HashConfigOptions['associatedData'] = Buffer.from(argon2HashConfigOptions['associatedData']);

package/dist/utils/get-config-from-env.d.ts

@@ -1 +1,6 @@
-export declare function getConfigFromEnv(prefix: string, omitPrefix?: string | string[], type?: 'camelcase' | 'underscore'): Record<string, any>;
+export interface GetConfigFromEnvOptions {
+    omitPrefix?: string | string[];
+    omitKey?: string | string[];
+    type?: 'camelcase' | 'underscore';
+}
+export declare function getConfigFromEnv(prefix: string, options?: GetConfigFromEnvOptions): Record<string, any>;

package/dist/utils/get-config-from-env.js

@@ -1,21 +1,26 @@
 import { useEnv } from '@directus/env';
+import { toArray } from '@directus/utils';
 import camelcase from 'camelcase';
 import { set } from 'lodash-es';
-export function getConfigFromEnv(prefix, omitPrefix, type = 'camelcase') {
+export function getConfigFromEnv(prefix, options) {
     const env = useEnv();
+    const type = options?.type ?? 'camelcase';
     const config = {};
+    const lowerCasePrefix = prefix.toLowerCase();
+    const omitKeys = toArray(options?.omitKey ?? []).map((key) => key.toLowerCase());
+    const omitPrefixes = toArray(options?.omitPrefix ?? []).map((prefix) => prefix.toLowerCase());
     for (const [key, value] of Object.entries(env)) {
-        if (key.toLowerCase().startsWith(prefix.toLowerCase()) === false)
+        const lowerCaseKey = key.toLowerCase();
+        if (lowerCaseKey.startsWith(lowerCasePrefix) === false)
             continue;
-        if (omitPrefix) {
-            let matches = false;
-            if (Array.isArray(omitPrefix)) {
-                matches = omitPrefix.some((prefix) => key.toLowerCase().startsWith(prefix.toLowerCase()));
-            }
-            else {
-                matches = key.toLowerCase().startsWith(omitPrefix.toLowerCase());
-            }
-            if (matches)
+        if (omitKeys.length > 0) {
+            const isKeyInOmitKeys = omitKeys.some((keyToOmit) => lowerCaseKey === keyToOmit);
+            if (isKeyInOmitKeys)
+                continue;
+        }
+        if (omitPrefixes.length > 0) {
+            const keyStartsWithAnyPrefix = omitPrefixes.some((prefix) => lowerCaseKey.startsWith(prefix));
+            if (keyStartsWithAnyPrefix)
                 continue;
         }
         if (key.includes('__')) {

package/dist/utils/get-graphql-type.js

@@ -1,4 +1,4 @@
-import { GraphQLBoolean, GraphQLFloat, GraphQLInt, GraphQLList, GraphQLScalarType, GraphQLString } from 'graphql';
+import { GraphQLBoolean, GraphQLFloat, GraphQLID, GraphQLInt, GraphQLList, GraphQLScalarType, GraphQLString, } from 'graphql';
 import { GraphQLJSON } from 'graphql-compose';
 import { GraphQLBigInt } from '../services/graphql/types/bigint.js';
 import { GraphQLDate } from '../services/graphql/types/date.js';
@@ -31,6 +31,8 @@ export function getGraphQLType(localType, special) {
             return GraphQLDate;
         case 'hash':
             return GraphQLHash;
+        case 'uuid':
+            return GraphQLID;
         default:
             return GraphQLString;
     }

package/dist/utils/is-login-redirect-allowed.js

@@ -1,5 +1,6 @@
 import { useEnv } from '@directus/env';
 import { toArray } from '@directus/utils';
+import { useLogger } from '../logger/index.js';
 import isUrlAllowed from './is-url-allowed.js';
 /**
  * Checks if the defined redirect after successful SSO login is in the allow list
@@ -26,6 +27,7 @@ export function isLoginRedirectAllowed(redirect, provider) {
             return true;
     }
     if (URL.canParse(publicUrl) === false) {
+        useLogger().error('Invalid PUBLIC_URL for login redirect');
         return false;
     }
     // allow redirects to the defined PUBLIC_URL

package/dist/utils/redact-object.js

@@ -116,7 +116,8 @@ export function getReplacer(replacement, values) {
             let finalValue = value;
             for (const [redactKey, valueToRedact] of filteredValues) {
                 if (finalValue.includes(valueToRedact)) {
-                    finalValue = finalValue.replace(new RegExp(valueToRedact, 'g'), replacement(redactKey));
+                    const regexp = new RegExp(escapeRegexString(valueToRedact), 'g');
+                    finalValue = finalValue.replace(regexp, replacement(redactKey));
                 }
             }
             return finalValue;
@@ -125,3 +126,6 @@ export function getReplacer(replacement, values) {
     const seen = new WeakSet();
     return replacer(seen);
 }
+function escapeRegexString(string) {
+    return string.replace(/[\\^$.*+?()[\]{}|]/g, '\\$&');
+}

package/dist/utils/sanitize-query.d.ts

@@ -1,2 +1,5 @@
-import type { Accountability, Query } from '@directus/types';
-export declare function sanitizeQuery(rawQuery: Record<string, any>, accountability?: Accountability | null): Query;
+import type { Accountability, Query, SchemaOverview } from '@directus/types';
+/**
+ * Sanitize the query parameters and parse them where necessary.
+ */
+export declare function sanitizeQuery(rawQuery: Record<string, any>, schema: SchemaOverview, accountability?: Accountability | null): Promise<Query>;

package/dist/utils/sanitize-query.js

@@ -2,9 +2,17 @@ import { useEnv } from '@directus/env';
 import { InvalidQueryError } from '@directus/errors';
 import { parseFilter, parseJSON } from '@directus/utils';
 import { flatten, get, isPlainObject, merge, set } from 'lodash-es';
+import getDatabase from '../database/index.js';
 import { useLogger } from '../logger/index.js';
+import { fetchPolicies } from '../permissions/lib/fetch-policies.js';
+import { contextHasDynamicVariables } from '../permissions/modules/process-ast/utils/context-has-dynamic-variables.js';
+import { extractRequiredDynamicVariableContext } from '../permissions/utils/extract-required-dynamic-variable-context.js';
+import { fetchDynamicVariableData } from '../permissions/utils/fetch-dynamic-variable-data.js';
 import { Meta } from '../types/index.js';
-export function sanitizeQuery(rawQuery, accountability) {
+/**
+ * Sanitize the query parameters and parse them where necessary.
+ */
+export async function sanitizeQuery(rawQuery, schema, accountability) {
     const env = useEnv();
     const query = {};
     const hasMaxLimit = 'QUERY_LIMIT_MAX' in env &&
@@ -33,7 +41,7 @@ export function sanitizeQuery(rawQuery, accountability) {
         query.sort = sanitizeSort(rawQuery['sort']);
     }
     if (rawQuery['filter']) {
-        query.filter = sanitizeFilter(rawQuery['filter'], accountability || null);
+        query.filter = await sanitizeFilter(rawQuery['filter'], schema, accountability || null);
     }
     if (rawQuery['offset'] !== undefined) {
         query.offset = sanitizeOffset(rawQuery['offset']);
@@ -58,7 +66,7 @@ export function sanitizeQuery(rawQuery, accountability) {
     if (rawQuery['deep']) {
         if (!query.deep)
             query.deep = {};
-        query.deep = sanitizeDeep(rawQuery['deep'], accountability);
+        query.deep = await sanitizeDeep(rawQuery['deep'], schema, accountability);
     }
     if (rawQuery['alias']) {
         query.alias = sanitizeAlias(rawQuery['alias']);
@@ -106,7 +114,7 @@ function sanitizeAggregate(rawAggregate) {
     }
     return aggregate;
 }
-function sanitizeFilter(rawFilter, accountability) {
+async function sanitizeFilter(rawFilter, schema, accountability) {
     let filters = rawFilter;
     if (typeof filters === 'string') {
         try {
@@ -117,7 +125,24 @@ function sanitizeFilter(rawFilter, accountability) {
         }
     }
     try {
-        return parseFilter(filters, accountability);
+        let filterContext;
+        if (accountability) {
+            const dynamicVariableContext = extractRequiredDynamicVariableContext(filters);
+            if (contextHasDynamicVariables(dynamicVariableContext)) {
+                const context = {
+                    schema,
+                    knex: getDatabase(),
+                };
+                const policies = await fetchPolicies(accountability, context);
+                context.accountability = accountability;
+                filterContext = await fetchDynamicVariableData({
+                    dynamicVariableContext,
+                    accountability,
+                    policies,
+                }, context);
+            }
+        }
+        return parseFilter(filters, accountability, filterContext);
     }
     catch {
         throw new InvalidQueryError({ reason: 'Invalid filter object' });
@@ -146,7 +171,7 @@ function sanitizeMeta(rawMeta) {
     }
     return [rawMeta];
 }
-function sanitizeDeep(deep, accountability) {
+async function sanitizeDeep(deep, schema, accountability) {
     const logger = useLogger();
     const result = {};
     if (typeof deep === 'string') {
@@ -157,9 +182,9 @@ function sanitizeDeep(deep, accountability) {
             logger.warn('Invalid value passed for deep query parameter.');
         }
     }
-    parse(deep);
+    await parse(deep);
     return result;
-    function parse(level, path = []) {
+    async function parse(level, path = []) {
         const subQuery = {};
         const parsedLevel = {};
         for (const [key, value] of Object.entries(level)) {
@@ -175,7 +200,7 @@ function sanitizeDeep(deep, accountability) {
         }
         if (Object.keys(subQuery).length > 0) {
             // Sanitize the entire sub query
-            const parsedSubQuery = sanitizeQuery(subQuery, accountability);
+            const parsedSubQuery = await sanitizeQuery(subQuery, schema, accountability);
             for (const [parsedKey, parsedValue] of Object.entries(parsedSubQuery)) {
                 parsedLevel[`_${parsedKey}`] = parsedValue;
             }

package/dist/websocket/controllers/base.d.ts

@@ -2,11 +2,11 @@ import type { Accountability } from '@directus/types';
 import type { IncomingMessage, Server as httpServer } from 'http';
 import type { RateLimiterAbstract } from 'rate-limiter-flexible';
 import type internal from 'stream';
-import WebSocket from 'ws';
+import WebSocket, { type Server } from 'ws';
 import { WebSocketAuthMessage, WebSocketMessage } from '../messages.js';
 import type { AuthenticationState, UpgradeContext, WebSocketAuthentication, WebSocketClient } from '../types.js';
 export default abstract class SocketController {
-    server: WebSocket.Server;
+    server: Server;
     clients: Set<WebSocketClient>;
     authentication: WebSocketAuthentication;
     endpoint: string;