npm - @directus/api - Versions diffs - 26.0.0 → 26.0.1 - Mend

@directus/api 26.0.0 → 26.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/permissions/modules/process-payload/process-payload.js +17 -11
package/dist/permissions/utils/fetch-dynamic-variable-data.js +3 -1
package/dist/utils/apply-query.js +22 -24
package/package.json +11 -11

package/dist/permissions/modules/process-payload/process-payload.js CHANGED Viewed

@@ -4,9 +4,10 @@ import { FailedValidationError, joiValidationErrorItemToErrorExtensions } from '
 import { assign, difference, uniq } from 'lodash-es';
 import { fetchPermissions } from '../../lib/fetch-permissions.js';
 import { fetchPolicies } from '../../lib/fetch-policies.js';
-import { isFieldNullable } from './lib/is-field-nullable.js';
-import { fetchDynamicVariableData } from '../../utils/fetch-dynamic-variable-data.js';
 import { extractRequiredDynamicVariableContext } from '../../utils/extract-required-dynamic-variable-context.js';
+import { fetchDynamicVariableData } from '../../utils/fetch-dynamic-variable-data.js';
+import { contextHasDynamicVariables } from '../process-ast/utils/context-has-dynamic-variables.js';
+import { isFieldNullable } from './lib/is-field-nullable.js';
 /**
  * @note this only validates the top-level fields. The expectation is that this function is called
  * for each level of nested insert separately
@@ -14,8 +15,9 @@ import { extractRequiredDynamicVariableContext } from '../../utils/extract-requi
 export async function processPayload(options, context) {
     let permissions;
     let permissionValidationRules = [];
-    const policies = await fetchPolicies(options.accountability, context);
+    let policies = [];
     if (!options.accountability.admin) {
+        policies = await fetchPolicies(options.accountability, context);
         permissions = await fetchPermissions({ action: options.action, policies, collections: [options.collection], accountability: options.accountability }, context);
         if (permissions.length === 0) {
             throw new ForbiddenError({
@@ -55,14 +57,18 @@ export async function processPayload(options, context) {
                 },
             });
         }
-        const permissionContext = extractRequiredDynamicVariableContext(field.validation);
-        const filterContext = await fetchDynamicVariableData({
-            accountability: options.accountability,
-            policies,
-            dynamicVariableContext: permissionContext,
-        }, context);
-        const validationFilter = parseFilter(field.validation, options.accountability, filterContext);
-        fieldValidationRules.push(validationFilter);
+        if (field.validation) {
+            const permissionContext = extractRequiredDynamicVariableContext(field.validation);
+            const filterContext = contextHasDynamicVariables(permissionContext)
+                ? await fetchDynamicVariableData({
+                    accountability: options.accountability,
+                    policies,
+                    dynamicVariableContext: permissionContext,
+                }, context)
+                : undefined;
+            const validationFilter = parseFilter(field.validation, options.accountability, filterContext);
+            fieldValidationRules.push(validationFilter);
+        }
     }
     const presets = (permissions ?? []).map((permission) => permission.presets);
     const payloadWithPresets = assign({}, ...presets, options.payload);

package/dist/permissions/utils/fetch-dynamic-variable-data.js CHANGED Viewed

@@ -23,7 +23,9 @@ export async function fetchDynamicVariableData(options, context) {
             });
         });
     }
-    if (options.accountability.roles.length > 0 && (options.dynamicVariableContext.$CURRENT_ROLES?.size ?? 0) > 0) {
+    if (options.accountability.roles &&
+        options.accountability.roles.length > 0 &&
+        (options.dynamicVariableContext.$CURRENT_ROLES?.size ?? 0) > 0) {
         contextData['$CURRENT_ROLES'] = await fetchContextData('$CURRENT_ROLES', options.dynamicVariableContext, { roles: options.accountability.roles }, async (fields) => {
             const rolesService = new RolesService(context);
             return await rolesService.readMany(options.accountability.roles, {

package/dist/utils/apply-query.js CHANGED Viewed

@@ -360,29 +360,26 @@ export function applyFilter(knex, schema, rootQuery, rootFilter, collection, ali
                         pkField = knex.raw(getHelpers(knex).schema.castA2oPrimaryKey(), [pkField]);
                     }
                     const childKey = Object.keys(value)?.[0];
-                    const subQueryBuilder = (filter, cases) => (subQueryKnex) => {
-                        const field = relation.field;
-                        const collection = relation.collection;
-                        const column = `${collection}.${field}`;
-                        subQueryKnex
-                            .select({ [field]: column })
-                            .from(collection)
-                            .whereNotNull(column);
-                        applyQuery(knex, relation.collection, subQueryKnex, { filter }, schema, cases, permissions);
-                    };
-                    const { cases: subCases } = getCases(relation.collection, permissions, []);
-                    if (childKey === '_none') {
-                        dbQuery[logical].whereNotIn(pkField, subQueryBuilder(Object.values(value)[0], subCases));
-                        continue;
-                    }
-                    else if (childKey === '_some') {
-                        dbQuery[logical].whereIn(pkField, subQueryBuilder(Object.values(value)[0], subCases));
-                        continue;
-                    }
-                    else {
-                        // Add implicit _some behavior when no operator is provided
-                        dbQuery[logical].whereIn(pkField, subQueryBuilder(value, subCases));
-                        continue;
+                    if (childKey === '_none' || childKey === '_some') {
+                        const subQueryBuilder = (filter, cases) => (subQueryKnex) => {
+                            const field = relation.field;
+                            const collection = relation.collection;
+                            const column = `${collection}.${field}`;
+                            subQueryKnex
+                                .select({ [field]: column })
+                                .from(collection)
+                                .whereNotNull(column);
+                            applyQuery(knex, relation.collection, subQueryKnex, { filter }, schema, cases, permissions);
+                        };
+                        const { cases: subCases } = getCases(relation.collection, permissions, []);
+                        if (childKey === '_none') {
+                            dbQuery[logical].whereNotIn(pkField, subQueryBuilder(Object.values(value)[0], subCases));
+                            continue;
+                        }
+                        else if (childKey === '_some') {
+                            dbQuery[logical].whereIn(pkField, subQueryBuilder(Object.values(value)[0], subCases));
+                            continue;
+                        }
                     }
                 }
                 if (filterPath.includes('_none') || filterPath.includes('_some')) {
@@ -631,7 +628,8 @@ export function applySearch(knex, schema, dbQuery, searchQuery, collection, alia
     dbQuery.andWhere(function (queryBuilder) {
         let needsFallbackCondition = true;
         fields.forEach(([name, field]) => {
-            const whenCases = (caseMap[name] ?? []).map((caseIndex) => cases[caseIndex]);
+            // only account for when cases when full access is not given
+            const whenCases = allowedFields.has('*') ? [] : (caseMap[name] ?? []).map((caseIndex) => cases[caseIndex]);
             const fieldType = getFieldType(field);
             if (fieldType !== null) {
                 needsFallbackCondition = false;

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@directus/api",
-  "version": "26.0.0",
+  "version": "26.0.1",
   "description": "Directus is a real-time API and App dashboard for managing SQL database content",
   "keywords": [
     "directus",
@@ -150,29 +150,29 @@
     "ws": "8.18.1",
     "zod": "3.24.2",
     "zod-validation-error": "3.4.0",
-    "@directus/app": "13.8.0",
-    "@directus/constants": "13.0.1",
+    "@directus/app": "13.8.1",
     "@directus/errors": "2.0.1",
+    "@directus/constants": "13.0.1",
     "@directus/env": "5.0.3",
     "@directus/extensions": "3.0.4",
+    "@directus/extensions-registry": "3.0.4",
+    "@directus/memory": "3.0.3",
     "@directus/extensions-sdk": "13.0.4",
     "@directus/format-title": "12.0.1",
-    "@directus/memory": "3.0.3",
-    "@directus/pressure": "3.0.3",
-    "@directus/extensions-registry": "3.0.4",
-    "@directus/storage": "12.0.0",
-    "@directus/storage-driver-azure": "12.0.3",
     "@directus/schema": "13.0.1",
     "@directus/specs": "11.1.0",
+    "@directus/pressure": "3.0.3",
+    "@directus/storage": "12.0.0",
     "@directus/storage-driver-cloudinary": "12.0.3",
+    "@directus/storage-driver-azure": "12.0.3",
+    "@directus/storage-driver-gcs": "12.0.3",
     "@directus/storage-driver-local": "12.0.0",
     "@directus/storage-driver-s3": "12.0.3",
-    "@directus/storage-driver-gcs": "12.0.3",
+    "@directus/system-data": "3.1.0",
     "@directus/storage-driver-supabase": "3.0.3",
     "@directus/utils": "13.0.3",
-    "@directus/system-data": "3.1.0",
     "@directus/validation": "2.0.3",
-    "directus": "11.6.0"
+    "directus": "11.6.1"
   },
   "devDependencies": {
     "@directus/tsconfig": "3.0.0",