@directus/api 27.1.0 → 28.0.0

package/dist/extensions/lib/get-extensions-settings.js

@@ -2,6 +2,7 @@ import { randomUUID } from 'node:crypto';
 import getDatabase from '../../database/index.js';
 import { ExtensionsService } from '../../services/extensions.js';
 import { getSchema } from '../../utils/get-schema.js';
+import { list } from '@directus/extensions-registry';
 /**
  * Loads stored settings for all extensions. Creates empty new rows in extensions tables for
  * extensions that don't have settings yet, and remove any settings for extensions that are no
@@ -42,11 +43,16 @@ export const getExtensionsSettings = async ({ local, module, registry, }) => {
             });
         }
     };
-    const generateSettingsEntry = (folder, extension, source) => {
+    const generateSettingsEntry = async (folder, extension, source) => {
+        let marketplaceId;
+        if (source === 'registry') {
+            const marketplace = await list({ search: extension.name });
+            marketplaceId = marketplace.data.find((ext) => ext.name === extension.name)?.id;
+        }
+        const id = marketplaceId ?? randomUUID();
         if (extension.type === 'bundle') {
-            const bundleId = randomUUID();
             newSettings.push({
-                id: bundleId,
+                id,
                 enabled: true,
                 source: source,
                 bundle: null,
@@ -57,14 +63,14 @@ export const getExtensionsSettings = async ({ local, module, registry, }) => {
                     id: randomUUID(),
                     enabled: true,
                     source: source,
-                    bundle: bundleId,
+                    bundle: id,
                     folder: entry.name,
                 });
             }
         }
         else {
             newSettings.push({
-                id: randomUUID(),
+                id,
                 enabled: true,
                 source: source,
                 bundle: null,
@@ -94,12 +100,12 @@ export const getExtensionsSettings = async ({ local, module, registry, }) => {
             await service.extensionsItemService.updateOne(settingsForName.id, { folder });
             continue;
         }
-        generateSettingsEntry(folder, extension, 'local');
+        await generateSettingsEntry(folder, extension, 'local');
     }
     for (const [folder, extension] of module.entries()) {
         const existingSettings = moduleSettings.find((settings) => settings.folder === folder);
         if (!existingSettings) {
-            generateSettingsEntry(folder, extension, 'module');
+            await generateSettingsEntry(folder, extension, 'module');
         }
         else if (extension.type === 'bundle') {
             updateBundleEntriesSettings(extension, existingSettings, moduleSettings);
@@ -108,7 +114,7 @@ export const getExtensionsSettings = async ({ local, module, registry, }) => {
     for (const [folder, extension] of registry.entries()) {
         const existingSettings = registrySettings.find((settings) => settings.folder === folder);
         if (!existingSettings) {
-            generateSettingsEntry(folder, extension, 'registry');
+            await generateSettingsEntry(folder, extension, 'registry');
         }
         else if (extension.type === 'bundle') {
             updateBundleEntriesSettings(extension, existingSettings, registrySettings);

package/dist/flows.d.ts

@@ -1,4 +1,5 @@
 import type { OperationHandler } from '@directus/extensions';
+import type { Accountability, SchemaOverview } from '@directus/types';
 export declare function getFlowManager(): FlowManager;
 declare class FlowManager {
     private isLoaded;
@@ -14,7 +15,10 @@ declare class FlowManager {
     addOperation(id: string, operation: OperationHandler): void;
     removeOperation(id: string): void;
     runOperationFlow(id: string, data: unknown, context: Record<string, unknown>): Promise<unknown>;
-    runWebhookFlow(id: string, data: unknown, context: Record<string, unknown>): Promise<{
+    runWebhookFlow(id: string, data: unknown, context: {
+        schema: SchemaOverview;
+        accountability: Accountability | undefined;
+    } & Record<string, unknown>): Promise<{
         result: unknown;
         cacheEnabled?: boolean;
     }>;

package/dist/flows.js

@@ -2,21 +2,23 @@ import { Action } from '@directus/constants';
 import { useEnv } from '@directus/env';
 import { ForbiddenError } from '@directus/errors';
 import { isSystemCollection } from '@directus/system-data';
-import { applyOptionsData, getRedactedString, isValidJSON, parseJSON, toArray } from '@directus/utils';
+import { applyOptionsData, deepMap, getRedactedString, isValidJSON, parseJSON, toArray } from '@directus/utils';
 import { pick } from 'lodash-es';
 import { get } from 'micromustache';
 import { useBus } from './bus/index.js';
 import getDatabase from './database/index.js';
 import emitter from './emitter.js';
 import { useLogger } from './logger/index.js';
+import { fetchPermissions } from './permissions/lib/fetch-permissions.js';
+import { fetchPolicies } from './permissions/lib/fetch-policies.js';
 import { ActivityService } from './services/activity.js';
 import { FlowsService } from './services/flows.js';
 import * as services from './services/index.js';
 import { RevisionsService } from './services/revisions.js';
 import { constructFlowTree } from './utils/construct-flow-tree.js';
 import { getSchema } from './utils/get-schema.js';
+import { getService } from './utils/get-service.js';
 import { JobQueue } from './utils/job-queue.js';
-import { mapValuesDeep } from './utils/map-values-deep.js';
 import { redactObject } from './utils/redact-object.js';
 import { scheduleSynchronizedJob, validateCron } from './utils/schedule.js';
 let flowManager;
@@ -189,7 +191,9 @@ class FlowManager {
             else if (flow.trigger === 'manual') {
                 const handler = async (data, context) => {
                     const enabledCollections = flow.options?.['collections'] ?? [];
+                    const requireSelection = flow.options?.['requireSelection'] ?? true;
                     const targetCollection = data?.['body'].collection;
+                    const targetKeys = data?.['body'].keys;
                     if (!targetCollection) {
                         logger.warn(`Manual trigger requires "collection" to be specified in the payload`);
                         throw new ForbiddenError();
@@ -202,6 +206,44 @@ class FlowManager {
                         logger.warn(`Specified collection must be one of: ${enabledCollections.join(', ')}.`);
                         throw new ForbiddenError();
                     }
+                    if (!targetKeys || !Array.isArray(targetKeys)) {
+                        logger.warn(`Manual trigger requires "keys" to be specified in the payload`);
+                        throw new ForbiddenError();
+                    }
+                    if (requireSelection && targetKeys.length === 0) {
+                        logger.warn(`Manual trigger requires at least one key to be specified in the payload`);
+                        throw new ForbiddenError();
+                    }
+                    const accountability = context?.['accountability'];
+                    if (!accountability) {
+                        logger.warn(`Manual flows are only triggerable when authenticated`);
+                        throw new ForbiddenError();
+                    }
+                    if (accountability.admin === false) {
+                        const database = context['database'] ?? getDatabase();
+                        const schema = context['schema'] ?? (await getSchema({ database }));
+                        const policies = await fetchPolicies(accountability, { schema, knex: database });
+                        const permissions = await fetchPermissions({
+                            policies,
+                            accountability,
+                            action: 'read',
+                            collections: [targetCollection],
+                        }, { schema, knex: database });
+                        if (permissions.length === 0) {
+                            logger.warn(`Triggering ${targetCollection} is not allowed`);
+                            throw new ForbiddenError();
+                        }
+                        const service = getService(targetCollection, { schema, accountability, knex: database });
+                        const primaryField = schema.collections[targetCollection].primary;
+                        let keys = await service.readMany(targetKeys, { fields: [primaryField] }, {
+                            emitEvents: false,
+                        });
+                        keys = keys.map((key) => key[primaryField]);
+                        if (targetKeys.some((key) => !keys.includes(key))) {
+                            logger.warn(`Triggering keys ${targetKeys} is not allowed`);
+                            throw new ForbiddenError();
+                        }
+                    }
                     if (flow.options['async']) {
                         this.executeFlow(flow, data, context);
                         return { result: undefined };
@@ -321,9 +363,24 @@ class FlowManager {
             return { successor: null, status: 'unknown', data: null, options: null };
         }
         const handler = this.operations.get(operation.type);
+        let optionData = keyedData;
+        if (operation.type === 'log') {
+            optionData = redactObject(keyedData, {
+                keys: [
+                    ['**', 'headers', 'authorization'],
+                    ['**', 'headers', 'cookie'],
+                    ['**', 'query', 'access_token'],
+                    ['**', 'payload', 'password'],
+                    ['**', 'payload', 'token'],
+                    ['**', 'payload', 'tfa_secret'],
+                    ['**', 'payload', 'external_identifier'],
+                    ['**', 'payload', 'auth_data'],
+                ],
+            }, getRedactedString);
+        }
         let options = operation.options;
         try {
-            options = applyOptionsData(options, keyedData);
+            options = applyOptionsData(options, optionData);
             let result = await handler(options, {
                 services,
                 env: useEnv(),
@@ -339,7 +396,7 @@ class FlowManager {
             // JSON structures don't allow for undefined values, so we need to replace them with null
             // Otherwise the applyOptionsData function will not work correctly on the next operation
             if (typeof result === 'object' && result !== null) {
-                result = mapValuesDeep(result, (_, value) => (value === undefined ? null : value));
+                result = deepMap(result, (value) => (value === undefined ? null : value));
             }
             return { successor: operation.resolve, status: 'resolve', data: result ?? null, options };
         }

package/dist/permissions/utils/get-permissions-for-share.js

@@ -70,6 +70,8 @@ export async function getPermissionsForShare(accountability, collections, contex
         reducedSchema = reduceSchema(context.schema, shareFieldMap);
         reducedSchema = reduceSchema(reducedSchema, userFieldMap);
     }
+    if (!isAdmin)
+        defaults.fields = permissions.find((perm) => perm.collection === collection)?.fields ?? [];
     const parentPrimaryKeyField = context.schema.collections[collection].primary;
     const relationalPermissions = traverse(reducedSchema, parentPrimaryKeyField, item, collection);
     const parentCollectionPermission = {

package/dist/permissions/utils/merge-fields.d.ts

@@ -0,0 +1 @@
+export declare function mergeFields(fieldsA: string[] | null, fieldsB: string[] | null, strategy: 'and' | 'or'): string[];

package/dist/permissions/utils/merge-fields.js

@@ -0,0 +1,29 @@
+import { intersection, union } from 'lodash-es';
+export function mergeFields(fieldsA, fieldsB, strategy) {
+    if (fieldsA === null)
+        fieldsA = [];
+    if (fieldsB === null)
+        fieldsB = [];
+    let fields = [];
+    if (strategy === 'and') {
+        if (fieldsA.length === 0 || fieldsB.length === 0)
+            return [];
+        if (fieldsA.includes('*'))
+            return fieldsB;
+        if (fieldsB.includes('*'))
+            return fieldsA;
+        fields = intersection(fieldsA, fieldsB);
+    }
+    else {
+        if (fieldsA.length === 0)
+            return fieldsB;
+        if (fieldsB.length === 0)
+            return fieldsA;
+        if (fieldsA.includes('*') || fieldsB.includes('*'))
+            return ['*'];
+        fields = union(fieldsA, fieldsB);
+    }
+    if (fields.includes('*'))
+        return ['*'];
+    return fields;
+}

package/dist/permissions/utils/merge-permissions.js

@@ -1,4 +1,5 @@
-import { flatten, intersection, isEqual, merge, omit, uniq } from 'lodash-es';
+import { flatten, isEqual, merge, omit } from 'lodash-es';
+import { mergeFields } from './merge-fields.js';
 // Adapted from https://github.com/directus/directus/blob/141b8adbf4dd8e06530a7929f34e3fc68a522053/api/src/utils/merge-permissions.ts#L4
 /**
  * Merges multiple permission lists into a flat list of unique permissions.
@@ -92,19 +93,7 @@ export function mergePermission(strategy, currentPerm, newPerm) {
             };
         }
     }
-    if (newPerm.fields) {
-        if (Array.isArray(currentPerm.fields) && strategy === 'or') {
-            fields = uniq([...currentPerm.fields, ...newPerm.fields]);
-        }
-        else if (Array.isArray(currentPerm.fields) && strategy === 'and') {
-            fields = intersection(currentPerm.fields, newPerm.fields);
-        }
-        else {
-            fields = newPerm.fields;
-        }
-        if (fields.includes('*'))
-            fields = ['*'];
-    }
+    fields = mergeFields(currentPerm.fields, newPerm.fields, strategy);
     if (newPerm.presets) {
         presets = merge({}, presets, newPerm.presets);
     }

package/dist/services/fields.js

@@ -405,7 +405,7 @@ export class FieldsService {
                         });
                     }
                     catch (err) {
-                        throw await translateDatabaseError(err);
+                        throw await translateDatabaseError(err, field);
                     }
                 }
             }
@@ -649,11 +649,11 @@ export class FieldsService {
             }
         }
         else if (field.type === 'string') {
-            column = table.string(field.field, field.schema?.max_length ?? undefined);
+            column = table.string(field.field, field.schema?.max_length ?? existing?.max_length ?? undefined);
         }
         else if (['float', 'decimal'].includes(field.type)) {
             const type = field.type;
-            column = table[type](field.field, field.schema?.numeric_precision ?? DEFAULT_NUMERIC_PRECISION, field.schema?.numeric_scale ?? DEFAULT_NUMERIC_SCALE);
+            column = table[type](field.field, field.schema?.numeric_precision ?? existing?.numeric_precision ?? DEFAULT_NUMERIC_PRECISION, field.schema?.numeric_scale ?? existing?.numeric_scale ?? DEFAULT_NUMERIC_SCALE);
         }
         else if (field.type === 'csv') {
             column = table.text(field.field);

package/dist/services/graphql/resolvers/mutation.js

@@ -8,7 +8,7 @@ export async function resolveMutation(gql, args, info) {
     if (gql.scope === 'system')
         collection = `directus_${collection}`;
     const selections = replaceFragmentsInSelections(info.fieldNodes[0]?.selectionSet?.selections, info.fragments);
-    const query = await getQuery(args, selections || [], info.variableValues, gql.schema, gql.accountability);
+    const query = await getQuery(args, gql.schema, selections || [], info.variableValues, gql.accountability, collection);
     const singleton = collection.endsWith('_batch') === false &&
         collection.endsWith('_items') === false &&
         collection.endsWith('_item') === false &&

package/dist/services/graphql/resolvers/query.js

@@ -26,7 +26,7 @@ export async function resolveQuery(gql, info) {
         collection = collection.slice(0, -11);
     }
     else {
-        query = await getQuery(args, selections, info.variableValues, gql.schema, gql.accountability);
+        query = await getQuery(args, gql.schema, selections, info.variableValues, gql.accountability, collection);
         if (collection.endsWith('_by_id') && collection in gql.schema.collections === false) {
             collection = collection.slice(0, -6);
         }

package/dist/services/graphql/resolvers/system.js

@@ -311,7 +311,7 @@ export function injectSystemResolvers(gql, schemaComposer, { CreateCollectionTyp
                         return null;
                     const service = new UsersService({ schema: gql.schema, accountability: gql.accountability });
                     const selections = replaceFragmentsInSelections(info.fieldNodes[0]?.selectionSet?.selections, info.fragments);
-                    const query = await getQuery(args, selections || [], info.variableValues, gql.schema, gql.accountability);
+                    const query = await getQuery(args, gql.schema, selections || [], info.variableValues, gql.accountability, 'directus_users');
                     return await service.readOne(gql.accountability.user, query);
                 },
             },
@@ -349,7 +349,7 @@ export function injectSystemResolvers(gql, schemaComposer, { CreateCollectionTyp
                         schema: gql.schema,
                     });
                     const selections = replaceFragmentsInSelections(info.fieldNodes[0]?.selectionSet?.selections, info.fragments);
-                    const query = await getQuery(args, selections || [], info.variableValues, gql.schema, gql.accountability);
+                    const query = await getQuery(args, gql.schema, selections || [], info.variableValues, gql.accountability, 'directus_roles');
                     query.limit = -1;
                     const roles = await service.readMany(gql.accountability.roles, query);
                     return roles;
@@ -397,7 +397,7 @@ export function injectSystemResolvers(gql, schemaComposer, { CreateCollectionTyp
                     await service.updateOne(gql.accountability.user, args['data']);
                     if ('directus_users' in ReadCollectionTypes) {
                         const selections = replaceFragmentsInSelections(info.fieldNodes[0]?.selectionSet?.selections, info.fragments);
-                        const query = await getQuery(args, selections || [], info.variableValues, gql.schema, gql.accountability);
+                        const query = await getQuery(args, gql.schema, selections || [], info.variableValues, gql.accountability, 'directus_users');
                         return await service.readOne(gql.accountability.user, query);
                     }
                     return true;
@@ -421,7 +421,7 @@ export function injectSystemResolvers(gql, schemaComposer, { CreateCollectionTyp
                     const primaryKey = await service.importOne(args['url'], args['data']);
                     if ('directus_files' in ReadCollectionTypes) {
                         const selections = replaceFragmentsInSelections(info.fieldNodes[0]?.selectionSet?.selections, info.fragments);
-                        const query = await getQuery(args, selections || [], info.variableValues, gql.schema, gql.accountability);
+                        const query = await getQuery(args, gql.schema, selections || [], info.variableValues, gql.accountability, 'directus_files');
                         return await service.readOne(primaryKey, query);
                     }
                     return true;

package/dist/services/graphql/schema/parse-query.d.ts

@@ -4,4 +4,4 @@ import type { GraphQLResolveInfo, SelectionNode } from 'graphql';
  * Get a Directus Query object from the parsed arguments (rawQuery) and GraphQL AST selectionSet. Converts SelectionSet into
  * Directus' `fields` query for use in the resolver. Also applies variables where appropriate.
  */
-export declare function getQuery(rawQuery: Query, selections: readonly SelectionNode[], variableValues: GraphQLResolveInfo['variableValues'], schema: SchemaOverview, accountability?: Accountability | null): Promise<Query>;
+export declare function getQuery(rawQuery: Query, schema: SchemaOverview, selections: readonly SelectionNode[], variableValues: GraphQLResolveInfo['variableValues'], accountability?: Accountability | null, collection?: string): Promise<Query>;

package/dist/services/graphql/schema/parse-query.js

@@ -3,11 +3,12 @@ import { sanitizeQuery } from '../../../utils/sanitize-query.js';
 import { validateQuery } from '../../../utils/validate-query.js';
 import { replaceFuncs } from '../utils/replace-funcs.js';
 import { parseArgs } from './parse-args.js';
+import { filterReplaceM2A, filterReplaceM2ADeep } from '../utils/filter-replace-m2a.js';
 /**
  * Get a Directus Query object from the parsed arguments (rawQuery) and GraphQL AST selectionSet. Converts SelectionSet into
  * Directus' `fields` query for use in the resolver. Also applies variables where appropriate.
  */
-export async function getQuery(rawQuery, selections, variableValues, schema, accountability) {
+export async function getQuery(rawQuery, schema, selections, variableValues, accountability, collection) {
     const query = await sanitizeQuery(rawQuery, schema, accountability);
     const parseAliases = (selections) => {
         const aliases = {};
@@ -93,6 +94,12 @@ export async function getQuery(rawQuery, selections, variableValues, schema, acc
     if (query.filter)
         query.filter = replaceFuncs(query.filter);
     query.deep = replaceFuncs(query.deep);
+    if (collection) {
+        if (query.filter) {
+            query.filter = filterReplaceM2A(query.filter, collection, schema);
+        }
+        query.deep = filterReplaceM2ADeep(query.deep, collection, schema);
+    }
     validateQuery(query);
     return query;
 }

package/dist/services/graphql/schema/read.js

@@ -721,14 +721,14 @@ export async function getReadableTypes(gql, schemaComposer, schema, inconsistent
             }
         }
         else if (relation.meta?.one_allowed_collections) {
-            ReadableCollectionQuantifierFilterTypes[relation.collection]?.removeField('item');
-            ReadableCollectionFilterTypes[relation.collection]?.removeField('item');
+            ReadableCollectionQuantifierFilterTypes[relation.collection]?.removeField(relation.field);
+            ReadableCollectionFilterTypes[relation.collection]?.removeField(relation.field);
             for (const collection of relation.meta.one_allowed_collections) {
                 ReadableCollectionQuantifierFilterTypes[relation.collection]?.addFields({
-                    [`item__${collection}`]: ReadableCollectionFilterTypes[collection],
+                    [`${relation.field}__${collection}`]: ReadableCollectionFilterTypes[collection],
                 });
                 ReadableCollectionFilterTypes[relation.collection]?.addFields({
-                    [`item__${collection}`]: ReadableCollectionFilterTypes[collection],
+                    [`${relation.field}__${collection}`]: ReadableCollectionFilterTypes[collection],
                 });
             }
         }

package/dist/services/graphql/subscription.js

@@ -89,7 +89,7 @@ async function parseFields(gql, request) {
         }
         return result;
     }, []);
-    const { fields } = await getQuery({}, dataSelections, request.variableValues, gql.schema, gql.accountability);
+    const { fields } = await getQuery({}, gql.schema, dataSelections, request.variableValues, gql.accountability);
     return fields ?? [];
 }
 function parseArguments(request) {

package/dist/services/graphql/utils/filter-replace-m2a.d.ts

@@ -0,0 +1,3 @@
+import type { Filter, NestedDeepQuery, SchemaOverview } from '@directus/types';
+export declare function filterReplaceM2A(filter_arg: Filter, collection: string, schema: SchemaOverview): any;
+export declare function filterReplaceM2ADeep(deep_arg: NestedDeepQuery | null | undefined, collection: string, schema: SchemaOverview): any;

package/dist/services/graphql/utils/filter-replace-m2a.js

@@ -0,0 +1,59 @@
+import { getRelation } from '@directus/utils';
+import { getRelationType } from '../../../utils/get-relation-type.js';
+export function filterReplaceM2A(filter_arg, collection, schema) {
+    const filter = filter_arg;
+    for (const key in filter) {
+        const [field, any_collection] = key.split('__');
+        if (!field)
+            continue;
+        const relation = getRelation(schema.relations, collection, field);
+        const type = relation ? getRelationType({ relation, collection, field }) : null;
+        if (type === 'o2m' && relation) {
+            filter[key] = filterReplaceM2A(filter[key], relation.collection, schema);
+        }
+        else if (type === 'm2o' && relation) {
+            filter[key] = filterReplaceM2A(filter[key], relation.related_collection, schema);
+        }
+        else if (type === 'a2o' &&
+            relation &&
+            any_collection &&
+            relation.meta?.one_allowed_collections?.includes(any_collection)) {
+            filter[`${field}:${any_collection}`] = filterReplaceM2A(filter[key], any_collection, schema);
+            delete filter[key];
+        }
+        else if (Array.isArray(filter[key])) {
+            filter[key] = filter[key].map((item) => filterReplaceM2A(item, collection, schema));
+        }
+        else if (typeof filter[key] === 'object') {
+            filter[key] = filterReplaceM2A(filter[key], collection, schema);
+        }
+    }
+    return filter;
+}
+export function filterReplaceM2ADeep(deep_arg, collection, schema) {
+    const deep = deep_arg;
+    for (const key in deep) {
+        if (key.startsWith('_') === false) {
+            const [field, any_collection] = key.split('__');
+            if (!field)
+                continue;
+            const relation = getRelation(schema.relations, collection, field);
+            if (!relation)
+                continue;
+            const type = getRelationType({ relation, collection, field });
+            if (type === 'o2m') {
+                deep[key] = filterReplaceM2ADeep(deep[key], relation.collection, schema);
+            }
+            else if (type === 'm2o') {
+                deep[key] = filterReplaceM2ADeep(deep[key], relation.related_collection, schema);
+            }
+            else if (type === 'a2o' && any_collection && relation.meta?.one_allowed_collections?.includes(any_collection)) {
+                deep[key] = filterReplaceM2ADeep(deep[key], any_collection, schema);
+            }
+        }
+        if (key === '_filter') {
+            deep[key] = filterReplaceM2A(deep[key], collection, schema);
+        }
+    }
+    return deep;
+}

package/dist/services/items.js

@@ -186,7 +186,7 @@ export class ItemsService {
                 }
             }
             catch (err) {
-                const dbError = await translateDatabaseError(err);
+                const dbError = await translateDatabaseError(err, data);
                 if (isDirectusError(dbError, ErrorCode.RecordNotUnique) && dbError.extensions.primaryKey) {
                     // This is a MySQL specific thing we need to handle here, since MySQL does not return the field name
                     // if the unique constraint is the primary key
@@ -590,7 +590,7 @@ export class ItemsService {
                     await trx(this.collection).update(payloadWithTypeCasting).whereIn(primaryKeyField, keys);
                 }
                 catch (err) {
-                    throw await translateDatabaseError(err);
+                    throw await translateDatabaseError(err, data);
                 }
             }
             const childrenRevisions = [...revisionsM2O, ...revisionsA2O];

package/dist/services/specifications.js

@@ -3,8 +3,8 @@ import formatTitle from '@directus/format-title';
 import { spec } from '@directus/specs';
 import { isSystemCollection } from '@directus/system-data';
 import { getRelation } from '@directus/utils';
-import { version } from 'directus/version';
 import { cloneDeep, mergeWith } from 'lodash-es';
+import hash from 'object-hash';
 import { OAS_REQUIRED_SCHEMAS } from '../constants.js';
 import getDatabase from '../database/index.js';
 import { fetchPermissions } from '../permissions/lib/fetch-permissions.js';
@@ -54,12 +54,16 @@ class OASSpecsService {
         const components = await this.generateComponents(schemaForSpec, tags);
         const isDefaultPublicUrl = env['PUBLIC_URL'] === '/';
         const url = isDefaultPublicUrl && host ? host : env['PUBLIC_URL'];
+        const hashedVersion = hash({
+            now: new Date().toISOString(),
+            user: this.accountability?.user,
+        });
         const spec = {
             openapi: '3.0.1',
             info: {
                 title: 'Dynamic API Specification',
                 description: 'This is a dynamically generated API specification for all endpoints existing on the current project.',
-                version: version,
+                version: hashedVersion,
             },
             servers: [
                 {

package/dist/services/users.js

@@ -40,6 +40,7 @@ export class UsersService extends ItemsService {
             throw new RecordNotUniqueError({
                 collection: 'directus_users',
                 field: 'email',
+                value: '[' + String(duplicates) + ']',
             });
         }
         const query = this.knex
@@ -54,6 +55,7 @@ export class UsersService extends ItemsService {
             throw new RecordNotUniqueError({
                 collection: 'directus_users',
                 field: 'email',
+                value: '[' + String(emails) + ']',
             });
         }
     }
@@ -210,6 +212,7 @@ export class UsersService extends ItemsService {
                     throw new RecordNotUniqueError({
                         collection: 'directus_users',
                         field: 'email',
+                        value: data['email'],
                     });
                 }
                 this.validateEmail(data['email']);

package/dist/telemetry/lib/get-report.js

@@ -8,6 +8,7 @@ import { getFieldCount } from '../utils/get-field-count.js';
 import { getFilesizeSum } from '../utils/get-filesize-sum.js';
 import { getItemCount } from '../utils/get-item-count.js';
 import { getUserItemCount } from '../utils/get-user-item-count.js';
+import { getProjectId } from '../utils/get-project-id.js';
 const basicCountTasks = [
     { collection: 'directus_dashboards' },
     { collection: 'directus_files' },
@@ -25,7 +26,7 @@ export const getReport = async () => {
     const db = getDatabase();
     const env = useEnv();
     const helpers = getHelpers(db);
-    const [basicCounts, userCounts, userItemCount, fieldsCounts, extensionsCounts, databaseSize, filesizes] = await Promise.all([
+    const [basicCounts, userCounts, userItemCount, fieldsCounts, extensionsCounts, databaseSize, filesizes, projectId] = await Promise.all([
         getItemCount(db, basicCountTasks),
         fetchUserCount({ knex: db }),
         getUserItemCount(db),
@@ -33,6 +34,7 @@ export const getReport = async () => {
         getExtensionCount(db),
         helpers.schema.getDatabaseSize(),
         getFilesizeSum(db),
+        getProjectId(db),
     ]);
     return {
         url: env['PUBLIC_URL'],
@@ -53,5 +55,6 @@ export const getReport = async () => {
         extensions: extensionsCounts.totalEnabled,
         database_size: databaseSize ?? 0,
         files_size_total: filesizes.total,
+        project_id: projectId,
     };
 };

package/dist/telemetry/types/report.d.ts

@@ -71,4 +71,8 @@ export interface TelemetryReport {
      * Total size of the files in bytes
      */
     files_size_total: number;
+    /**
+     * Unique project identifier
+     */
+    project_id?: string | null;
 }

package/dist/telemetry/utils/get-project-id.d.ts

@@ -0,0 +1,2 @@
+import type { Knex } from 'knex';
+export declare const getProjectId: (db: Knex) => Promise<string>;

package/dist/telemetry/utils/get-project-id.js

@@ -0,0 +1,4 @@
+export const getProjectId = async (db) => {
+    const projectId = await db.select('project_id').from('directus_settings').first();
+    return projectId?.project_id || null;
+};

package/dist/utils/is-url-allowed.js

@@ -16,7 +16,7 @@ export default function isUrlAllowed(url, allowList) {
             return origin + pathname;
         }
         catch {
-            logger.warn(`Invalid URL used "${url}"`);
+            logger.warn(`Invalid URL used "${allowedURL}"`);
         }
         return null;
     })

package/dist/utils/sanitize-query.js

@@ -71,6 +71,9 @@ export async function sanitizeQuery(rawQuery, schema, accountability) {
     if (rawQuery['alias']) {
         query.alias = sanitizeAlias(rawQuery['alias']);
     }
+    if ('backlink' in rawQuery) {
+        query.backlink = sanitizeBacklink(rawQuery['backlink']);
+    }
     return query;
 }
 function sanitizeFields(rawFields) {
@@ -171,6 +174,9 @@ function sanitizeMeta(rawMeta) {
     }
     return [rawMeta];
 }
+function sanitizeBacklink(rawBacklink) {
+    return rawBacklink !== false && rawBacklink !== 'false';
+}
 async function sanitizeDeep(deep, schema, accountability) {
     const logger = useLogger();
     const result = {};