@directus/api 32.1.1 → 32.2.0

package/dist/extensions/manager.js

@@ -13,7 +13,7 @@ import ivm from 'isolated-vm';
 import { clone, debounce, isPlainObject } from 'lodash-es';
 import { readFile, readdir } from 'node:fs/promises';
 import os from 'node:os';
-import { dirname, join } from 'node:path';
+import { dirname, join, relative, resolve, sep } from 'node:path';
 import { fileURLToPath } from 'node:url';
 import path from 'path';
 import { rolldown } from 'rolldown';
@@ -37,9 +37,9 @@ import { getSharedDepsMapping } from './lib/get-shared-deps-mapping.js';
 import { getInstallationManager } from './lib/installation/index.js';
 import { generateApiExtensionsSandboxEntrypoint } from './lib/sandbox/generate-api-extensions-sandbox-entrypoint.js';
 import { instantiateSandboxSdk } from './lib/sandbox/sdk/instantiate.js';
-import { syncExtensions } from './lib/sync-extensions.js';
 import { wrapEmbeds } from './lib/wrap-embeds.js';
 import DriverLocal from '@directus/storage-driver-local';
+import { syncExtensions } from './lib/sync/sync.js';
 // Workaround for https://github.com/rollup/plugins/issues/1329
 const virtual = virtualDefault;
 const alias = aliasDefault;
@@ -99,6 +99,10 @@ export class ExtensionManager {
      * sequence.
      */
     reloadQueue = new JobQueue();
+    /**
+     * Used to prevent race condition when reading extension data while reloading extensions
+     */
+    reloadPromise = Promise.resolve();
     /**
      * Optional file system watcher to auto-reload extensions when the local file system changes
      */
@@ -148,7 +152,7 @@ export class ExtensionManager {
             await this.closeWatcher();
         }
         if (!this.isLoaded) {
-            await this.load();
+            await this.load({ forceSync: true });
             if (this.extensions.length > 0) {
                 logger.info(`Loaded extensions: ${this.extensions.map((ext) => ext.name).join(', ')}`);
             }
@@ -160,7 +164,13 @@ export class ExtensionManager {
             // Ignore requests for reloading that were published by the current process
             if (isPlainObject(payload) && 'origin' in payload && payload['origin'] === this.processId)
                 return;
-            this.reload();
+            // Reload extensions with event options
+            const options = {};
+            if (typeof payload['forceSync'] === 'boolean')
+                options.forceSync = payload['forceSync'];
+            if (typeof payload['partialSync'] === 'string')
+                options.partialSync = payload['partialSync'];
+            this.reload(options);
         });
     }
     /**
@@ -169,27 +179,31 @@ export class ExtensionManager {
     async install(versionId) {
         const logger = useLogger();
         await this.installationManager.install(versionId);
-        await this.reload({ forceSync: true });
+        const resolvedFolder = relative(sep, resolve(sep, versionId));
+        const syncFolder = join('.registry', resolvedFolder);
+        await this.broadcastReloadNotification({ partialSync: syncFolder });
+        await this.reload({ skipSync: true });
         emitter.emitAction('extensions.installed', {
             extensions: this.extensions,
             versionId,
         });
         logger.info(`Installed extension: ${versionId}`);
-        await this.broadcastReloadNotification();
     }
     async uninstall(folder) {
         const logger = useLogger();
         await this.installationManager.uninstall(folder);
-        await this.reload({ forceSync: true });
+        const resolvedFolder = relative(sep, resolve(sep, folder));
+        const syncFolder = join('.registry', resolvedFolder);
+        await this.broadcastReloadNotification({ partialSync: syncFolder });
+        await this.reload({ skipSync: true });
         emitter.emitAction('extensions.uninstalled', {
             extensions: this.extensions,
             folder,
         });
         logger.info(`Uninstalled extension: ${folder}`);
-        await this.broadcastReloadNotification();
     }
-    async broadcastReloadNotification() {
-        await this.messenger.publish(this.reloadChannel, { origin: this.processId });
+    async broadcastReloadNotification(options) {
+        await this.messenger.publish(this.reloadChannel, { ...options, origin: this.processId });
     }
     /**
      * Load all extensions from disk and register them in their respective places
@@ -198,7 +212,7 @@ export class ExtensionManager {
         const logger = useLogger();
         if (env['EXTENSIONS_LOCATION']) {
             try {
-                await syncExtensions({ force: options?.forceSync ?? false });
+                await syncExtensions(options);
             }
             catch (error) {
                 logger.error(`Failed to sync extensions`);
@@ -250,7 +264,7 @@ export class ExtensionManager {
         const logger = useLogger();
         let resolve;
         let reject;
-        const promise = new Promise((res, rej) => {
+        this.reloadPromise = new Promise((res, rej) => {
             resolve = res;
             reject = rej;
         });
@@ -283,7 +297,10 @@ export class ExtensionManager {
                 reject(new Error('Extensions have to be loaded before they can be reloaded'));
             }
         });
-        return promise;
+        return this.reloadPromise;
+    }
+    isReloading() {
+        return this.reloadPromise;
     }
     /**
      * Return the previously generated app extension bundle chunk by name.

package/dist/middleware/respond.js

@@ -1,4 +1,5 @@
 import { useEnv } from '@directus/env';
+import { getDateTimeFormatted } from '@directus/utils';
 import { parse as parseBytesConfiguration } from 'bytes';
 import { getCache, setCacheValue } from '../cache.js';
 import getDatabase from '../database/index.js';
@@ -7,7 +8,6 @@ import { ExportService } from '../services/import-export.js';
 import asyncHandler from '../utils/async-handler.js';
 import { getCacheControlHeader } from '../utils/get-cache-headers.js';
 import { getCacheKey } from '../utils/get-cache-key.js';
-import { getDateFormatted } from '../utils/get-date-formatted.js';
 import { getMilliseconds } from '../utils/get-milliseconds.js';
 import { stringByteSize } from '../utils/get-string-byte-size.js';
 import { permissionsCacheable } from '../utils/permissions-cacheable.js';
@@ -58,7 +58,7 @@ export const respond = asyncHandler(async (req, res) => {
         else {
             filename += 'Export';
         }
-        filename += ' ' + getDateFormatted();
+        filename += ' ' + getDateTimeFormatted();
         if (req.sanitizedQuery.export === 'json') {
             res.attachment(`${filename}.json`);
             res.set('Content-Type', 'application/json');

package/dist/permissions/lib/fetch-policies.d.ts

@@ -7,7 +7,7 @@ export interface AccessRow {
     };
     role: string | null;
 }
-export declare const fetchPolicies: typeof _fetchPolicies;
+export declare const fetchPolicies: (args_0: Pick<Accountability, "user" | "roles" | "ip">, context: Context) => Promise<string[]>;
 /**
  * Fetch the policies associated with the current user accountability
  */

package/dist/permissions/lib/fetch-roles-tree.d.ts

@@ -1,3 +1,6 @@
-import type { Knex } from 'knex';
-export declare const fetchRolesTree: typeof _fetchRolesTree;
-export declare function _fetchRolesTree(start: string | null, knex: Knex): Promise<string[]>;
+/**
+ * Fetches the roles tree starting from a specific role.
+ */
+export declare const fetchRolesTree: (start: string | null, context: {
+    knex: import("knex").Knex;
+}) => Promise<string[]>;

package/dist/permissions/lib/fetch-roles-tree.js

@@ -1,28 +1,6 @@
+import { fetchRolesTree as _fetchRolesTree } from '@directus/utils/node';
 import { withCache } from '../utils/with-cache.js';
-export const fetchRolesTree = withCache('roles-tree', _fetchRolesTree);
-export async function _fetchRolesTree(start, knex) {
-    if (!start)
-        return [];
-    let parent = start;
-    const roles = [];
-    while (parent) {
-        const role = await knex
-            .select('id', 'parent')
-            .from('directus_roles')
-            .where({ id: parent })
-            .first();
-        if (!role) {
-            break;
-        }
-        roles.push(role.id);
-        // Prevent infinite recursion loops
-        if (role.parent && roles.includes(role.parent) === true) {
-            roles.reverse();
-            const rolesStr = roles.map((role) => `"${role}"`).join('->');
-            throw new Error(`Recursion encountered: role "${role.id}" already exists in tree path ${rolesStr}`);
-        }
-        parent = role.parent;
-    }
-    roles.reverse();
-    return roles;
-}
+/**
+ * Fetches the roles tree starting from a specific role.
+ */
+export const fetchRolesTree = withCache('roles-tree', _fetchRolesTree, (start) => ({ start }));

package/dist/permissions/modules/fetch-global-access/fetch-global-access.d.ts

@@ -1,10 +1,12 @@
-import type { Accountability } from '@directus/types';
+import type { Accountability, GlobalAccess } from '@directus/types';
 import type { Knex } from 'knex';
-import type { GlobalAccess } from './types.js';
-export declare const fetchGlobalAccess: typeof _fetchGlobalAccess;
+interface FetchGlobalAccessContext {
+    knex: Knex;
+    ip?: Accountability['ip'];
+}
+export declare const fetchGlobalAccess: (accountability: Pick<Accountability, "user" | "roles" | "ip">, context: FetchGlobalAccessContext) => Promise<GlobalAccess>;
 /**
- * Fetch the global access (eg admin/app access) rules for the given roles, or roles+user combination
- *
- * Will fetch roles and user info separately so they can be cached and reused individually
+ * Re-implements fetchGlobalAccess to add caching, fetches roles and user info separately so they can be cached and reused individually
  */
-export declare function _fetchGlobalAccess(accountability: Pick<Accountability, 'user' | 'roles' | 'ip'>, knex: Knex): Promise<GlobalAccess>;
+export declare function _fetchGlobalAccess(accountability: Pick<Accountability, 'user' | 'roles' | 'ip'>, context: FetchGlobalAccessContext): Promise<GlobalAccess>;
+export {};

package/dist/permissions/modules/fetch-global-access/fetch-global-access.js

@@ -1,20 +1,28 @@
+import { fetchGlobalAccessForRoles as _fetchGlobalAccessForRoles, fetchGlobalAccessForUser as _fetchGlobalAccessForUser, } from '@directus/utils/node';
 import { withCache } from '../../utils/with-cache.js';
-import { fetchGlobalAccessForRoles } from './lib/fetch-global-access-for-roles.js';
-import { fetchGlobalAccessForUser } from './lib/fetch-global-access-for-user.js';
-export const fetchGlobalAccess = withCache('global-access', _fetchGlobalAccess, ({ user, roles, ip }) => ({
+export const fetchGlobalAccess = withCache('global-access', _fetchGlobalAccess, ({ user, roles }, { ip }) => ({
     user,
     roles,
     ip,
 }));
+const fetchGlobalAccessForRoles = withCache('global-access-roles', _fetchGlobalAccessForRoles, (roles, { ip }) => ({
+    roles,
+    ip,
+}));
+const fetchGlobalAccessForUser = withCache('global-access-user', _fetchGlobalAccessForUser, (user, { ip }) => ({
+    user,
+    ip,
+}));
 /**
- * Fetch the global access (eg admin/app access) rules for the given roles, or roles+user combination
- *
- * Will fetch roles and user info separately so they can be cached and reused individually
+ * Re-implements fetchGlobalAccess to add caching, fetches roles and user info separately so they can be cached and reused individually
  */
-export async function _fetchGlobalAccess(accountability, knex) {
-    const access = await fetchGlobalAccessForRoles(accountability, knex);
+export async function _fetchGlobalAccess(accountability, context) {
+    const access = await fetchGlobalAccessForRoles(accountability.roles, { knex: context.knex, ip: accountability.ip });
     if (accountability.user !== undefined) {
-        const userAccess = await fetchGlobalAccessForUser(accountability, knex);
+        const userAccess = await fetchGlobalAccessForUser(accountability.user, {
+            knex: context.knex,
+            ip: accountability.ip,
+        });
         // If app/admin is already true, keep it true
         access.app ||= userAccess.app;
         access.admin ||= userAccess.admin;

package/dist/permissions/modules/fetch-policies-ip-access/fetch-policies-ip-access.d.ts

@@ -1,4 +1,4 @@
 import type { Accountability } from '@directus/types';
 import type { Knex } from 'knex';
-export declare const fetchPoliciesIpAccess: typeof _fetchPoliciesIpAccess;
+export declare const fetchPoliciesIpAccess: (accountability: Pick<Accountability, "user" | "roles">, knex: Knex<any, any[]>) => Promise<string[][]>;
 export declare function _fetchPoliciesIpAccess(accountability: Pick<Accountability, 'user' | 'roles'>, knex: Knex): Promise<string[][]>;

package/dist/permissions/utils/fetch-raw-permissions.d.ts

@@ -1,6 +1,6 @@
 import type { Accountability, Permission, PermissionsAction } from '@directus/types';
 import type { Context } from '../types.js';
-export declare const fetchRawPermissions: typeof _fetchRawPermissions;
+export declare const fetchRawPermissions: (options: FetchRawPermissionsOptions, context: Context) => Promise<Permission[]>;
 export interface FetchRawPermissionsOptions {
     action?: PermissionsAction;
     policies: string[];

package/dist/permissions/utils/fetch-share-info.d.ts

@@ -8,5 +8,5 @@ export interface ShareInfo {
         role: string;
     };
 }
-export declare const fetchShareInfo: typeof _fetchShareInfo;
+export declare const fetchShareInfo: (shareId: string, context: AbstractServiceOptions) => Promise<ShareInfo>;
 export declare function _fetchShareInfo(shareId: string, context: AbstractServiceOptions): Promise<ShareInfo>;

package/dist/permissions/utils/fetch-share-info.js

@@ -1,5 +1,5 @@
 import { withCache } from './with-cache.js';
-export const fetchShareInfo = withCache('share-info', _fetchShareInfo);
+export const fetchShareInfo = withCache('share-info', _fetchShareInfo, (shareId) => ({ shareId }));
 export async function _fetchShareInfo(shareId, context) {
     const { SharesService } = await import('../../services/shares.js');
     const sharesService = new SharesService(context);

package/dist/permissions/utils/filter-policies-by-ip.js

@@ -1,4 +1,4 @@
-import { ipInNetworks } from '../../utils/ip-in-networks.js';
+import { ipInNetworks } from '@directus/utils/node';
 export function filterPoliciesByIp(policies, ip) {
     return policies.filter(({ policy }) => {
         // Keep policies that don't have an ip address allow list configured

package/dist/permissions/utils/get-permissions-for-share.js

@@ -1,13 +1,13 @@
 import { schemaPermissions } from '@directus/system-data';
 import { set, uniq } from 'lodash-es';
-import { fetchAllowedFieldMap } from '../modules/fetch-allowed-field-map/fetch-allowed-field-map.js';
-import { fetchShareInfo } from './fetch-share-info.js';
-import { mergePermissions } from './merge-permissions.js';
+import { reduceSchema } from '../../utils/reduce-schema.js';
 import { fetchPermissions } from '../lib/fetch-permissions.js';
 import { fetchPolicies } from '../lib/fetch-policies.js';
 import { fetchRolesTree } from '../lib/fetch-roles-tree.js';
-import { reduceSchema } from '../../utils/reduce-schema.js';
+import { fetchAllowedFieldMap } from '../modules/fetch-allowed-field-map/fetch-allowed-field-map.js';
 import { fetchGlobalAccess } from '../modules/fetch-global-access/fetch-global-access.js';
+import { fetchShareInfo } from './fetch-share-info.js';
+import { mergePermissions } from './merge-permissions.js';
 export async function getPermissionsForShare(accountability, collections, context) {
     const defaults = {
         action: 'read',
@@ -22,7 +22,7 @@ export async function getPermissionsForShare(accountability, collections, contex
     const userAccountability = {
         user: user_created.id,
         role: user_created.role,
-        roles: await fetchRolesTree(user_created.role, context.knex),
+        roles: await fetchRolesTree(user_created.role, { knex: context.knex }),
         admin: false,
         app: false,
         ip: accountability.ip,
@@ -31,14 +31,14 @@ export async function getPermissionsForShare(accountability, collections, contex
     const shareAccountability = {
         user: null,
         role: role,
-        roles: await fetchRolesTree(role, context.knex),
+        roles: await fetchRolesTree(role, { knex: context.knex }),
         admin: false,
         app: false,
         ip: accountability.ip,
     };
     const [{ admin: shareIsAdmin }, { admin: userIsAdmin }, userPermissions, sharePermissions, shareFieldMap, userFieldMap,] = await Promise.all([
-        fetchGlobalAccess(shareAccountability, context.knex),
-        fetchGlobalAccess(userAccountability, context.knex),
+        fetchGlobalAccess(shareAccountability, { knex: context.knex }),
+        fetchGlobalAccess(userAccountability, { knex: context.knex }),
         getPermissionsForAccountability(userAccountability, context),
         getPermissionsForAccountability(shareAccountability, context),
         fetchAllowedFieldMap({

package/dist/permissions/utils/with-cache.d.ts

@@ -1,10 +1,12 @@
 /**
- * The `pick` parameter can be used to stabilize cache keys, by only using a subset of the available parameters and
- * ensuring key order.
+ * Wraps a function with caching capabilities.
  *
- * If the `pick` function is provided, we pass the picked result to the handler, in order for TypeScript to ensure that
- * the function only relies on the parameters that are used for generating the cache key.
+ * @param namespace - A unique namespace for the cache key.
+ * @param handler - The function to be wrapped.
+ * @param prepareArg - Optional function to prepare arguments for hashing.
+ * @returns A new function that caches the results of the original function.
  *
- * @NOTE only uses the first parameter for memoization
+ * @NOTE Ensure that the `namespace` is unique to avoid cache key collisions.
+ * @NOTE Ensure that the `prepareArg` function returns a JSON stringifiable representation of the arguments.
  */
-export declare function withCache<F extends (arg0: Arg0, ...args: any[]) => R, R, Arg0 = Parameters<F>[0]>(namespace: string, handler: F, prepareArg?: (arg0: Arg0) => Arg0): F;
+export declare function withCache<F extends (...args: any) => any>(namespace: string, handler: F, prepareArg?: (...args: Parameters<F>) => Record<string, unknown>): (...args: Parameters<F>) => Promise<Awaited<ReturnType<F>>>;

package/dist/permissions/utils/with-cache.js

@@ -1,25 +1,27 @@
 import { getSimpleHash } from '@directus/utils';
 import { useCache } from '../cache.js';
 /**
- * The `pick` parameter can be used to stabilize cache keys, by only using a subset of the available parameters and
- * ensuring key order.
+ * Wraps a function with caching capabilities.
  *
- * If the `pick` function is provided, we pass the picked result to the handler, in order for TypeScript to ensure that
- * the function only relies on the parameters that are used for generating the cache key.
+ * @param namespace - A unique namespace for the cache key.
+ * @param handler - The function to be wrapped.
+ * @param prepareArg - Optional function to prepare arguments for hashing.
+ * @returns A new function that caches the results of the original function.
  *
- * @NOTE only uses the first parameter for memoization
+ * @NOTE Ensure that the `namespace` is unique to avoid cache key collisions.
+ * @NOTE Ensure that the `prepareArg` function returns a JSON stringifiable representation of the arguments.
  */
 export function withCache(namespace, handler, prepareArg) {
     const cache = useCache();
-    return (async (arg0, ...args) => {
-        arg0 = prepareArg ? prepareArg(arg0) : arg0;
-        const key = namespace + '-' + getSimpleHash(JSON.stringify(arg0));
+    return async (...args) => {
+        const hashArgs = prepareArg ? prepareArg(...args) : args;
+        const key = namespace + '-' + getSimpleHash(JSON.stringify(hashArgs));
         const cached = await cache.get(key);
         if (cached !== undefined) {
             return cached;
         }
-        const res = await handler(arg0, ...args);
+        const res = await handler(...args);
         cache.set(key, res);
         return res;
-    });
+    };
 }

package/dist/request/is-denied-ip.js

@@ -1,8 +1,8 @@
 import { useEnv } from '@directus/env';
-import os from 'node:os';
+import { ipInNetworks } from '@directus/utils/node';
 import { matches } from 'ip-matching';
+import os from 'node:os';
 import { useLogger } from '../logger/index.js';
-import { ipInNetworks } from '../utils/ip-in-networks.js';
 export function isDeniedIp(ip) {
     const env = useEnv();
     const logger = useLogger();

package/dist/services/assets/name-deduper.d.ts

@@ -0,0 +1,7 @@
+export declare class NameDeduper {
+    private map;
+    add(name?: string | null, options?: {
+        group?: string | null;
+        fallback?: string;
+    }): string;
+}

package/dist/services/assets/name-deduper.js

@@ -0,0 +1,23 @@
+import sanitize from 'sanitize-filename';
+const DEFAULT_GROUP = Symbol('undefined');
+export class NameDeduper {
+    map = {};
+    add(name, options) {
+        name = sanitize(name ?? '') || options?.fallback;
+        if (!name) {
+            throw Error('Invalid "name" provided');
+        }
+        const groupKey = options?.group ?? DEFAULT_GROUP;
+        const match = this.map[groupKey]?.[name];
+        if (match) {
+            const dedupedName = `${name} (${match})`;
+            this.map[groupKey][name] += 1;
+            return dedupedName;
+        }
+        if (!this.map[groupKey]) {
+            this.map[groupKey] = {};
+        }
+        this.map[groupKey][name] = 1;
+        return name;
+    }
+}

package/dist/services/assets.d.ts

@@ -1,4 +1,5 @@
-import type { AbstractServiceOptions, Accountability, Range, Stat, SchemaOverview, TransformationSet } from '@directus/types';
+import type { AbstractServiceOptions, Accountability, Range, SchemaOverview, Stat, TransformationSet } from '@directus/types';
+import archiver from 'archiver';
 import type { Knex } from 'knex';
 import type { Readable } from 'node:stream';
 import { FilesService } from './files.js';
@@ -6,8 +7,20 @@ export declare class AssetsService {
     knex: Knex;
     accountability: Accountability | null;
     schema: SchemaOverview;
-    filesService: FilesService;
+    sudoFilesService: FilesService;
     constructor(options: AbstractServiceOptions);
+    private zip;
+    zipFiles(files: string[]): Promise<{
+        archive: archiver.Archiver;
+        complete: () => Promise<void>;
+    }>;
+    zipFolder(root: string): Promise<{
+        archive: archiver.Archiver;
+        complete: () => Promise<void>;
+        metadata: {
+            name: string | undefined;
+        };
+    }>;
     getAsset(id: string, transformation?: TransformationSet, range?: Range, deferStream?: false): Promise<{
         stream: Readable;
         file: any;

package/dist/services/assets.js

@@ -1,7 +1,8 @@
 import { useEnv } from '@directus/env';
-import { ForbiddenError, IllegalAssetTransformationError, InvalidQueryError, RangeNotSatisfiableError, ServiceUnavailableError, } from '@directus/errors';
+import { ForbiddenError, IllegalAssetTransformationError, InvalidPayloadError, InvalidQueryError, RangeNotSatisfiableError, ServiceUnavailableError, } from '@directus/errors';
+import archiver from 'archiver';
 import { clamp } from 'lodash-es';
-import { contentType } from 'mime-types';
+import { contentType, extension } from 'mime-types';
 import hash from 'object-hash';
 import path from 'path';
 import sharp from 'sharp';
@@ -13,20 +14,112 @@ import { getStorage } from '../storage/index.js';
 import { getMilliseconds } from '../utils/get-milliseconds.js';
 import { isValidUuid } from '../utils/is-valid-uuid.js';
 import * as TransformationUtils from '../utils/transformations.js';
+import { NameDeduper } from './assets/name-deduper.js';
 import { FilesService } from './files.js';
 import { getSharpInstance } from './files/lib/get-sharp-instance.js';
+import { FoldersService } from './folders.js';
 const env = useEnv();
 const logger = useLogger();
 export class AssetsService {
     knex;
     accountability;
     schema;
-    filesService;
+    sudoFilesService;
     constructor(options) {
         this.knex = options.knex || getDatabase();
         this.accountability = options.accountability || null;
         this.schema = options.schema;
-        this.filesService = new FilesService({ ...options, accountability: null });
+        this.sudoFilesService = new FilesService({ ...options, accountability: null });
+    }
+    zip(options) {
+        if (options.files.length === 0) {
+            throw new InvalidPayloadError({ reason: 'No files found in the selected folders tree' });
+        }
+        const archive = archiver('zip');
+        const complete = async () => {
+            const deduper = new NameDeduper();
+            const storage = await getStorage();
+            for (const { id, folder, filename_download } of options.files) {
+                const file = await this.sudoFilesService.readOne(id, {
+                    fields: ['id', 'storage', 'filename_disk', 'filename_download', 'modified_on', 'type'],
+                });
+                const exists = await storage.location(file.storage).exists(file.filename_disk);
+                if (!exists)
+                    throw new ForbiddenError();
+                const version = file.modified_on ? (new Date(file.modified_on).getTime() / 1000).toFixed() : undefined;
+                const assetStream = await storage.location(file.storage).read(file.filename_disk, { version });
+                const fileExtension = path.extname(file.filename_download) || (file.type && '.' + extension(file.type)) || '';
+                const dedupedFileName = deduper.add(filename_download, { group: folder, fallback: file.id + fileExtension });
+                const folderName = folder ? options.folders?.get(folder) : undefined;
+                archive.append(assetStream, { name: dedupedFileName, prefix: folderName });
+            }
+            // add any empty folders, does not override already filled folder
+            if (options.folders) {
+                for (const [, folder] of options.folders) {
+                    archive.append('', { name: folder + '/' });
+                }
+            }
+            await archive.finalize();
+        };
+        return { archive, complete };
+    }
+    async zipFiles(files) {
+        const filesService = new FilesService({
+            schema: this.schema,
+            knex: this.knex,
+            accountability: this.accountability,
+        });
+        const filesToZip = await filesService.readByQuery({
+            filter: {
+                id: {
+                    _in: files,
+                },
+            },
+            limit: -1,
+        });
+        return this.zip({
+            files: filesToZip.map((file) => ({
+                id: file['id'],
+                folder: file['folder'],
+                filename_download: file['filename_download'],
+            })),
+        });
+    }
+    async zipFolder(root) {
+        const foldersService = new FoldersService({
+            schema: this.schema,
+            knex: this.knex,
+            accountability: this.accountability,
+        });
+        const folderTree = await foldersService.buildTree(root);
+        const filesService = new FilesService({
+            schema: this.schema,
+            knex: this.knex,
+            accountability: this.accountability,
+        });
+        const filesToZip = await filesService.readByQuery({
+            filter: {
+                folder: {
+                    _in: Array.from(folderTree.keys()),
+                },
+            },
+            limit: -1,
+        });
+        const { archive, complete } = this.zip({
+            folders: folderTree,
+            files: filesToZip.map((file) => ({
+                id: file['id'],
+                folder: file['folder'],
+                filename_download: file['filename_download'],
+            })),
+        });
+        return {
+            archive,
+            complete,
+            metadata: {
+                name: folderTree.get(root),
+            },
+        };
     }
     async getAsset(id, transformation, range, deferStream = false) {
         const storage = await getStorage();
@@ -50,7 +143,7 @@ export class AssetsService {
                 primaryKeys: [id],
             }, { knex: this.knex, schema: this.schema });
         }
-        const file = (await this.filesService.readOne(id, { limit: 1 }));
+        const file = (await this.sudoFilesService.readOne(id, { limit: 1 }));
         const exists = await storage.location(file.storage).exists(file.filename_disk);
         if (!exists)
             throw new ForbiddenError();

package/dist/services/authentication.js

@@ -149,8 +149,8 @@ export class AuthenticationService {
                 throw new InvalidOtpError();
             }
         }
-        const roles = await fetchRolesTree(user.role, this.knex);
-        const globalAccess = await fetchGlobalAccess({ roles, user: user.id, ip: this.accountability?.ip ?? null }, this.knex);
+        const roles = await fetchRolesTree(user.role, { knex: this.knex });
+        const globalAccess = await fetchGlobalAccess({ roles, user: user.id, ip: this.accountability?.ip ?? null }, { knex: this.knex });
         const tokenPayload = {
             id: user.id,
             role: user.role,
@@ -277,8 +277,8 @@ export class AuthenticationService {
                 throw new InvalidCredentialsError();
             }
         }
-        const roles = await fetchRolesTree(record.user_role, this.knex);
-        const globalAccess = await fetchGlobalAccess({ user: record.user_id, roles, ip: this.accountability?.ip ?? null }, this.knex);
+        const roles = await fetchRolesTree(record.user_role, { knex: this.knex });
+        const globalAccess = await fetchGlobalAccess({ user: record.user_id, roles, ip: this.accountability?.ip ?? null }, { knex: this.knex });
         if (record.user_id) {
             const provider = getAuthProvider(record.user_provider);
             await provider.refresh({