@directus/api 32.1.1 → 33.0.0

package/dist/permissions/modules/validate-access/lib/validate-item-access.js

@@ -1,5 +1,9 @@
 import { toBoolean } from '@directus/utils';
 import { fetchPermittedAstRootFields } from '../../../../database/run-ast/modules/fetch-permitted-ast-root-fields.js';
+import { fetchPermissions } from '../../../lib/fetch-permissions.js';
+import { fetchPolicies } from '../../../lib/fetch-policies.js';
+import { fetchAllowedFields } from '../../fetch-allowed-fields/fetch-allowed-fields.js';
+import { injectCases } from '../../process-ast/lib/inject-cases.js';
 import { processAst } from '../../process-ast/process-ast.js';
 export async function validateItemAccess(options, context) {
     const primaryKeyField = context.schema.collections[options.collection]?.primary;
@@ -24,18 +28,62 @@ export async function validateItemAccess(options, context) {
             _in: options.primaryKeys,
         },
     };
+    let hasItemRules;
+    let permissionedFields;
+    // Inject the root fields after the permissions have been processed, as to not require access to all collection fields
+    if (options.returnAllowedRootFields) {
+        const allowedFields = await fetchAllowedFields({ accountability: options.accountability, action: options.action, collection: options.collection }, context);
+        const schemaFields = Object.keys(context.schema.collections[options.collection].fields);
+        const hasWildcard = allowedFields.includes('*');
+        permissionedFields = hasWildcard ? schemaFields : allowedFields;
+        const policies = await fetchPolicies(options.accountability, context);
+        const permissions = await fetchPermissions({ action: options.action, policies, collections: [options.collection], accountability: options.accountability }, context);
+        // Only inject cases if there are item-level permission rules
+        hasItemRules = permissions.some((p) => p.permissions && Object.keys(p.permissions).length > 0);
+        if (hasItemRules) {
+            // Create children only for fields that exist in schema and are allowed by permissions
+            ast.children = permissionedFields.map((field) => ({
+                type: 'field',
+                name: field,
+                fieldKey: field,
+                whenCase: [],
+                alias: false,
+            }));
+            injectCases(ast, permissions);
+        }
+    }
     const items = await fetchPermittedAstRootFields(ast, {
         schema: context.schema,
         accountability: options.accountability,
         knex: context.knex,
         action: options.action,
     });
-    if (items && items.length === options.primaryKeys.length) {
-        const { fields } = options;
-        if (fields) {
-            return items.every((item) => fields.every((field) => toBoolean(item[field])));
+    const hasAccess = items && items.length === options.primaryKeys.length;
+    if (!hasAccess) {
+        if (options.returnAllowedRootFields) {
+            return { accessAllowed: false, allowedRootFields: [] };
+        }
+        return { accessAllowed: false };
+    }
+    let accessAllowed = true;
+    // If specific fields were requested, verify they are all accessible
+    if (options.fields) {
+        accessAllowed = items.every((item) => options.fields.every((field) => toBoolean(item[field])));
+    }
+    // If returnAllowedRootFields, return intersection of allowed fields across all items
+    if (options.returnAllowedRootFields) {
+        // If there are no item-level rules, return the permissioned fields directly
+        if (!hasItemRules) {
+            return {
+                accessAllowed,
+                allowedRootFields: permissionedFields,
+            };
         }
-        return true;
+        const allowedRootFields = items.length > 0 ? Object.keys(items[0]).filter((field) => items.every((item) => item[field] === 1)) : [];
+        return {
+            accessAllowed,
+            allowedRootFields,
+        };
     }
-    return false;
+    return { accessAllowed };
 }

package/dist/permissions/modules/validate-access/validate-access.js

@@ -1,7 +1,7 @@
 import { ForbiddenError } from '@directus/errors';
+import { createCollectionForbiddenError } from '../process-ast/utils/validate-path/create-error.js';
 import { validateCollectionAccess } from './lib/validate-collection-access.js';
 import { validateItemAccess } from './lib/validate-item-access.js';
-import { createCollectionForbiddenError } from '../process-ast/utils/validate-path/create-error.js';
 /**
  * Validate if the current user has access to perform action against the given collection and
  * optional primary keys. This is done by reading the item from the database using the access
@@ -20,7 +20,8 @@ export async function validateAccess(options, context) {
     // from the database. If no keys are passed, we can simply check if the collection+action combo
     // exists within permissions
     if (options.primaryKeys) {
-        access = await validateItemAccess(options, context);
+        const result = await validateItemAccess(options, context);
+        access = result.accessAllowed;
     }
     else {
         access = await validateCollectionAccess(options, context);

package/dist/permissions/utils/fetch-raw-permissions.d.ts

@@ -1,6 +1,6 @@
 import type { Accountability, Permission, PermissionsAction } from '@directus/types';
 import type { Context } from '../types.js';
-export declare const fetchRawPermissions: typeof _fetchRawPermissions;
+export declare const fetchRawPermissions: (options: FetchRawPermissionsOptions, context: Context) => Promise<Permission[]>;
 export interface FetchRawPermissionsOptions {
     action?: PermissionsAction;
     policies: string[];

package/dist/permissions/utils/fetch-share-info.d.ts

@@ -8,5 +8,5 @@ export interface ShareInfo {
         role: string;
     };
 }
-export declare const fetchShareInfo: typeof _fetchShareInfo;
+export declare const fetchShareInfo: (shareId: string, context: AbstractServiceOptions) => Promise<ShareInfo>;
 export declare function _fetchShareInfo(shareId: string, context: AbstractServiceOptions): Promise<ShareInfo>;

package/dist/permissions/utils/fetch-share-info.js

@@ -1,5 +1,5 @@
 import { withCache } from './with-cache.js';
-export const fetchShareInfo = withCache('share-info', _fetchShareInfo);
+export const fetchShareInfo = withCache('share-info', _fetchShareInfo, (shareId) => ({ shareId }));
 export async function _fetchShareInfo(shareId, context) {
     const { SharesService } = await import('../../services/shares.js');
     const sharesService = new SharesService(context);

package/dist/permissions/utils/filter-policies-by-ip.js

@@ -1,4 +1,4 @@
-import { ipInNetworks } from '../../utils/ip-in-networks.js';
+import { ipInNetworks } from '@directus/utils/node';
 export function filterPoliciesByIp(policies, ip) {
     return policies.filter(({ policy }) => {
         // Keep policies that don't have an ip address allow list configured

package/dist/permissions/utils/get-permissions-for-share.js

@@ -1,13 +1,13 @@
 import { schemaPermissions } from '@directus/system-data';
 import { set, uniq } from 'lodash-es';
-import { fetchAllowedFieldMap } from '../modules/fetch-allowed-field-map/fetch-allowed-field-map.js';
-import { fetchShareInfo } from './fetch-share-info.js';
-import { mergePermissions } from './merge-permissions.js';
+import { reduceSchema } from '../../utils/reduce-schema.js';
 import { fetchPermissions } from '../lib/fetch-permissions.js';
 import { fetchPolicies } from '../lib/fetch-policies.js';
 import { fetchRolesTree } from '../lib/fetch-roles-tree.js';
-import { reduceSchema } from '../../utils/reduce-schema.js';
+import { fetchAllowedFieldMap } from '../modules/fetch-allowed-field-map/fetch-allowed-field-map.js';
 import { fetchGlobalAccess } from '../modules/fetch-global-access/fetch-global-access.js';
+import { fetchShareInfo } from './fetch-share-info.js';
+import { mergePermissions } from './merge-permissions.js';
 export async function getPermissionsForShare(accountability, collections, context) {
     const defaults = {
         action: 'read',
@@ -22,7 +22,7 @@ export async function getPermissionsForShare(accountability, collections, contex
     const userAccountability = {
         user: user_created.id,
         role: user_created.role,
-        roles: await fetchRolesTree(user_created.role, context.knex),
+        roles: await fetchRolesTree(user_created.role, { knex: context.knex }),
         admin: false,
         app: false,
         ip: accountability.ip,
@@ -31,14 +31,14 @@ export async function getPermissionsForShare(accountability, collections, contex
     const shareAccountability = {
         user: null,
         role: role,
-        roles: await fetchRolesTree(role, context.knex),
+        roles: await fetchRolesTree(role, { knex: context.knex }),
         admin: false,
         app: false,
         ip: accountability.ip,
     };
     const [{ admin: shareIsAdmin }, { admin: userIsAdmin }, userPermissions, sharePermissions, shareFieldMap, userFieldMap,] = await Promise.all([
-        fetchGlobalAccess(shareAccountability, context.knex),
-        fetchGlobalAccess(userAccountability, context.knex),
+        fetchGlobalAccess(shareAccountability, { knex: context.knex }),
+        fetchGlobalAccess(userAccountability, { knex: context.knex }),
         getPermissionsForAccountability(userAccountability, context),
         getPermissionsForAccountability(shareAccountability, context),
         fetchAllowedFieldMap({

package/dist/permissions/utils/with-cache.d.ts

@@ -1,10 +1,12 @@
 /**
- * The `pick` parameter can be used to stabilize cache keys, by only using a subset of the available parameters and
- * ensuring key order.
+ * Wraps a function with caching capabilities.
  *
- * If the `pick` function is provided, we pass the picked result to the handler, in order for TypeScript to ensure that
- * the function only relies on the parameters that are used for generating the cache key.
+ * @param namespace - A unique namespace for the cache key.
+ * @param handler - The function to be wrapped.
+ * @param prepareArg - Optional function to prepare arguments for hashing.
+ * @returns A new function that caches the results of the original function.
  *
- * @NOTE only uses the first parameter for memoization
+ * @NOTE Ensure that the `namespace` is unique to avoid cache key collisions.
+ * @NOTE Ensure that the `prepareArg` function returns a JSON stringifiable representation of the arguments.
  */
-export declare function withCache<F extends (arg0: Arg0, ...args: any[]) => R, R, Arg0 = Parameters<F>[0]>(namespace: string, handler: F, prepareArg?: (arg0: Arg0) => Arg0): F;
+export declare function withCache<F extends (...args: any) => any>(namespace: string, handler: F, prepareArg?: (...args: Parameters<F>) => Record<string, unknown>): (...args: Parameters<F>) => Promise<Awaited<ReturnType<F>>>;

package/dist/permissions/utils/with-cache.js

@@ -1,25 +1,27 @@
 import { getSimpleHash } from '@directus/utils';
 import { useCache } from '../cache.js';
 /**
- * The `pick` parameter can be used to stabilize cache keys, by only using a subset of the available parameters and
- * ensuring key order.
+ * Wraps a function with caching capabilities.
  *
- * If the `pick` function is provided, we pass the picked result to the handler, in order for TypeScript to ensure that
- * the function only relies on the parameters that are used for generating the cache key.
+ * @param namespace - A unique namespace for the cache key.
+ * @param handler - The function to be wrapped.
+ * @param prepareArg - Optional function to prepare arguments for hashing.
+ * @returns A new function that caches the results of the original function.
  *
- * @NOTE only uses the first parameter for memoization
+ * @NOTE Ensure that the `namespace` is unique to avoid cache key collisions.
+ * @NOTE Ensure that the `prepareArg` function returns a JSON stringifiable representation of the arguments.
  */
 export function withCache(namespace, handler, prepareArg) {
     const cache = useCache();
-    return (async (arg0, ...args) => {
-        arg0 = prepareArg ? prepareArg(arg0) : arg0;
-        const key = namespace + '-' + getSimpleHash(JSON.stringify(arg0));
+    return async (...args) => {
+        const hashArgs = prepareArg ? prepareArg(...args) : args;
+        const key = namespace + '-' + getSimpleHash(JSON.stringify(hashArgs));
         const cached = await cache.get(key);
         if (cached !== undefined) {
             return cached;
         }
-        const res = await handler(arg0, ...args);
+        const res = await handler(...args);
         cache.set(key, res);
         return res;
-    });
+    };
 }

package/dist/rate-limiter.js

@@ -1,8 +1,8 @@
+import { createRequire } from 'node:module';
 import { useEnv } from '@directus/env';
 import { merge } from 'lodash-es';
 import { RateLimiterMemory, RateLimiterRedis, RateLimiterRes } from 'rate-limiter-flexible';
 import { getConfigFromEnv } from './utils/get-config-from-env.js';
-import { createRequire } from 'node:module';
 const require = createRequire(import.meta.url);
 export function createRateLimiter(configPrefix = 'RATE_LIMITER', configOverrides) {
     const env = useEnv();

package/dist/request/is-denied-ip.js

@@ -1,8 +1,8 @@
-import { useEnv } from '@directus/env';
 import os from 'node:os';
+import { useEnv } from '@directus/env';
+import { ipInNetworks } from '@directus/utils/node';
 import { matches } from 'ip-matching';
 import { useLogger } from '../logger/index.js';
-import { ipInNetworks } from '../utils/ip-in-networks.js';
 export function isDeniedIp(ip) {
     const env = useEnv();
     const logger = useLogger();

package/dist/schedules/project.js

@@ -1,8 +1,8 @@
+import { version } from 'directus/version';
 import { random } from 'lodash-es';
 import getDatabase from '../database/index.js';
 import { sendReport } from '../telemetry/index.js';
 import { scheduleSynchronizedJob } from '../utils/schedule.js';
-import { version } from 'directus/version';
 /**
  * Schedule the project status job
  */

package/dist/schedules/telemetry.js

@@ -1,8 +1,8 @@
 import { useEnv } from '@directus/env';
 import { toBoolean } from '@directus/utils';
 import { getCache } from '../cache.js';
-import { scheduleSynchronizedJob } from '../utils/schedule.js';
 import { track } from '../telemetry/index.js';
+import { scheduleSynchronizedJob } from '../utils/schedule.js';
 /**
  * Exported to be able to test the anonymous callback function
  */

package/dist/schedules/tus.js

@@ -1,6 +1,6 @@
 import { RESUMABLE_UPLOADS } from '../constants.js';
-import { getSchema } from '../utils/get-schema.js';
 import { createTusServer } from '../services/tus/index.js';
+import { getSchema } from '../utils/get-schema.js';
 import { scheduleSynchronizedJob, validateCron } from '../utils/schedule.js';
 /**
  * Schedule the tus cleanup

package/dist/server.js

@@ -1,19 +1,19 @@
+import * as http from 'http';
+import * as https from 'https';
+import url from 'url';
 import { useEnv } from '@directus/env';
 import { toBoolean } from '@directus/utils';
 import { getNodeEnv } from '@directus/utils/node';
 import { createTerminus } from '@godaddy/terminus';
-import * as http from 'http';
-import * as https from 'https';
 import { once } from 'lodash-es';
 import qs from 'qs';
-import url from 'url';
 import createApp from './app.js';
 import getDatabase from './database/index.js';
 import emitter from './emitter.js';
 import { useLogger } from './logger/index.js';
+import { getAddress } from './utils/get-address.js';
 import { getConfigFromEnv } from './utils/get-config-from-env.js';
 import { getIPFromReq } from './utils/get-ip-from-req.js';
-import { getAddress } from './utils/get-address.js';
 import { createLogsController, createSubscriptionController, createWebSocketController, getLogsController, getSubscriptionController, getWebSocketController, } from './websocket/controllers/index.js';
 import { startWebSocketHandlers } from './websocket/handlers/index.js';
 export let SERVER_ONLINE = true;

package/dist/services/assets/name-deduper.d.ts

@@ -0,0 +1,7 @@
+export declare class NameDeduper {
+    private map;
+    add(name?: string | null, options?: {
+        group?: string | null;
+        fallback?: string;
+    }): string;
+}

package/dist/services/assets/name-deduper.js

@@ -0,0 +1,23 @@
+import sanitize from 'sanitize-filename';
+const DEFAULT_GROUP = Symbol('undefined');
+export class NameDeduper {
+    map = {};
+    add(name, options) {
+        name = sanitize(name ?? '') || options?.fallback;
+        if (!name) {
+            throw Error('Invalid "name" provided');
+        }
+        const groupKey = options?.group ?? DEFAULT_GROUP;
+        const match = this.map[groupKey]?.[name];
+        if (match) {
+            const dedupedName = `${name} (${match})`;
+            this.map[groupKey][name] += 1;
+            return dedupedName;
+        }
+        if (!this.map[groupKey]) {
+            this.map[groupKey] = {};
+        }
+        this.map[groupKey][name] = 1;
+        return name;
+    }
+}

package/dist/services/assets.d.ts

@@ -1,13 +1,27 @@
-import type { AbstractServiceOptions, Accountability, Range, Stat, SchemaOverview, TransformationSet } from '@directus/types';
-import type { Knex } from 'knex';
 import type { Readable } from 'node:stream';
+import type { AbstractServiceOptions, Accountability, Range, SchemaOverview, Stat, TransformationSet } from '@directus/types';
+import archiver from 'archiver';
+import type { Knex } from 'knex';
 import { FilesService } from './files.js';
 export declare class AssetsService {
     knex: Knex;
     accountability: Accountability | null;
     schema: SchemaOverview;
-    filesService: FilesService;
+    sudoFilesService: FilesService;
     constructor(options: AbstractServiceOptions);
+    private sanitizeFields;
+    private zip;
+    zipFiles(files: string[]): Promise<{
+        archive: archiver.Archiver;
+        complete: () => Promise<void>;
+    }>;
+    zipFolder(root: string): Promise<{
+        archive: archiver.Archiver;
+        complete: () => Promise<void>;
+        metadata: {
+            name: string | undefined;
+        };
+    }>;
     getAsset(id: string, transformation?: TransformationSet, range?: Range, deferStream?: false): Promise<{
         stream: Readable;
         file: any;

package/dist/services/assets.js

@@ -1,32 +1,139 @@
+import path from 'path';
 import { useEnv } from '@directus/env';
-import { ForbiddenError, IllegalAssetTransformationError, InvalidQueryError, RangeNotSatisfiableError, ServiceUnavailableError, } from '@directus/errors';
+import { ForbiddenError, IllegalAssetTransformationError, InvalidPayloadError, InvalidQueryError, RangeNotSatisfiableError, ServiceUnavailableError, } from '@directus/errors';
+import archiver from 'archiver';
 import { clamp } from 'lodash-es';
-import { contentType } from 'mime-types';
+import { contentType, extension } from 'mime-types';
 import hash from 'object-hash';
-import path from 'path';
 import sharp from 'sharp';
 import { SUPPORTED_IMAGE_TRANSFORM_FORMATS } from '../constants.js';
 import getDatabase from '../database/index.js';
 import { useLogger } from '../logger/index.js';
-import { validateAccess } from '../permissions/modules/validate-access/validate-access.js';
+import { validateItemAccess } from '../permissions/modules/validate-access/lib/validate-item-access.js';
 import { getStorage } from '../storage/index.js';
 import { getMilliseconds } from '../utils/get-milliseconds.js';
 import { isValidUuid } from '../utils/is-valid-uuid.js';
 import * as TransformationUtils from '../utils/transformations.js';
-import { FilesService } from './files.js';
+import { NameDeduper } from './assets/name-deduper.js';
 import { getSharpInstance } from './files/lib/get-sharp-instance.js';
+import { FilesService } from './files.js';
+import { FoldersService } from './folders.js';
 const env = useEnv();
 const logger = useLogger();
 export class AssetsService {
     knex;
     accountability;
     schema;
-    filesService;
+    sudoFilesService;
     constructor(options) {
         this.knex = options.knex || getDatabase();
         this.accountability = options.accountability || null;
         this.schema = options.schema;
-        this.filesService = new FilesService({ ...options, accountability: null });
+        this.sudoFilesService = new FilesService({ ...options, accountability: null });
+    }
+    sanitizeFields(file, allowedFields) {
+        if (allowedFields.includes('*')) {
+            return file;
+        }
+        const bypassFields = ['type', 'filesize'];
+        const fieldsToKeep = new Set([...allowedFields, ...bypassFields]);
+        const filteredFile = {};
+        for (const field of fieldsToKeep) {
+            if (field in file) {
+                filteredFile[field] = file[field];
+            }
+        }
+        return filteredFile;
+    }
+    zip(options) {
+        if (options.files.length === 0) {
+            throw new InvalidPayloadError({ reason: 'No files found in the selected folders tree' });
+        }
+        const archive = archiver('zip');
+        const complete = async () => {
+            const deduper = new NameDeduper();
+            const storage = await getStorage();
+            for (const { id, folder, filename_download } of options.files) {
+                const file = await this.sudoFilesService.readOne(id, {
+                    fields: ['id', 'storage', 'filename_disk', 'filename_download', 'modified_on', 'type'],
+                });
+                const exists = await storage.location(file.storage).exists(file.filename_disk);
+                if (!exists)
+                    throw new ForbiddenError();
+                const version = file.modified_on ? (new Date(file.modified_on).getTime() / 1000).toFixed() : undefined;
+                const assetStream = await storage.location(file.storage).read(file.filename_disk, { version });
+                const fileExtension = path.extname(file.filename_download) || (file.type && '.' + extension(file.type)) || '';
+                const dedupedFileName = deduper.add(filename_download, { group: folder, fallback: file.id + fileExtension });
+                const folderName = folder ? options.folders?.get(folder) : undefined;
+                archive.append(assetStream, { name: dedupedFileName, prefix: folderName });
+            }
+            // add any empty folders, does not override already filled folder
+            if (options.folders) {
+                for (const [, folder] of options.folders) {
+                    archive.append('', { name: folder + '/' });
+                }
+            }
+            await archive.finalize();
+        };
+        return { archive, complete };
+    }
+    async zipFiles(files) {
+        const filesService = new FilesService({
+            schema: this.schema,
+            knex: this.knex,
+            accountability: this.accountability,
+        });
+        const filesToZip = await filesService.readByQuery({
+            filter: {
+                id: {
+                    _in: files,
+                },
+            },
+            limit: -1,
+        });
+        return this.zip({
+            files: filesToZip.map((file) => ({
+                id: file['id'],
+                folder: file['folder'],
+                filename_download: file['filename_download'],
+            })),
+        });
+    }
+    async zipFolder(root) {
+        const foldersService = new FoldersService({
+            schema: this.schema,
+            knex: this.knex,
+            accountability: this.accountability,
+        });
+        const folderTree = await foldersService.buildTree(root);
+        const filesService = new FilesService({
+            schema: this.schema,
+            knex: this.knex,
+            accountability: this.accountability,
+        });
+        const filesToZip = await filesService.readByQuery({
+            filter: {
+                folder: {
+                    _in: Array.from(folderTree.keys()),
+                },
+            },
+            limit: -1,
+        });
+        const { archive, complete } = this.zip({
+            folders: folderTree,
+            files: filesToZip.map((file) => ({
+                id: file['id'],
+                folder: file['folder'],
+                filename_download: file['filename_download'],
+            })),
+        });
+        return {
+            archive,
+            complete,
+            metadata: {
+                name: folderTree.get(root),
+            },
+        };
     }
     async getAsset(id, transformation, range, deferStream = false) {
         const storage = await getStorage();
@@ -42,15 +149,24 @@ export class AssetsService {
          */
         if (!isValidUuid(id))
             throw new ForbiddenError();
-        if (systemPublicKeys.includes(id) === false && this.accountability) {
-            await validateAccess({
+        let allowedFields = ['*'];
+        if (!systemPublicKeys.includes(id) && this.accountability && this.accountability.admin !== true) {
+            // Use validateItemAccess to check access and get allowed fields
+            const { allowedRootFields, accessAllowed } = await validateItemAccess({
                 accountability: this.accountability,
                 action: 'read',
                 collection: 'directus_files',
                 primaryKeys: [id],
+                returnAllowedRootFields: true,
             }, { knex: this.knex, schema: this.schema });
+            if (!accessAllowed) {
+                throw new ForbiddenError({
+                    reason: `You don't have permission to perform "read" for collection "directus_files" or it does not exist.`,
+                });
+            }
+            allowedFields = allowedRootFields;
         }
-        const file = (await this.filesService.readOne(id, { limit: 1 }));
+        const file = (await this.sudoFilesService.readOne(id, { limit: 1 }));
         const exists = await storage.location(file.storage).exists(file.filename_disk);
         if (!exists)
             throw new ForbiddenError();
@@ -102,7 +218,7 @@ export class AssetsService {
                 const assetStream = () => storage.location(file.storage).read(assetFilename, { range });
                 return {
                     stream: deferStream ? assetStream : await assetStream(),
-                    file,
+                    file: this.sanitizeFields(file, allowedFields),
                     stat: await storage.location(file.storage).stat(assetFilename),
                 };
             }
@@ -167,13 +283,17 @@ export class AssetsService {
             return {
                 stream: deferStream ? assetStream : await assetStream(),
                 stat: await storage.location(file.storage).stat(assetFilename),
-                file,
+                file: this.sanitizeFields(file, allowedFields),
             };
         }
         else {
             const assetStream = () => storage.location(file.storage).read(file.filename_disk, { range, version });
             const stat = await storage.location(file.storage).stat(file.filename_disk);
-            return { stream: deferStream ? assetStream : await assetStream(), file, stat };
+            return {
+                stream: deferStream ? assetStream : await assetStream(),
+                file: this.sanitizeFields(file, allowedFields),
+                stat,
+            };
         }
     }
 }

package/dist/services/authentication.js

@@ -1,16 +1,16 @@
+import { performance } from 'perf_hooks';
 import { Action } from '@directus/constants';
 import { useEnv } from '@directus/env';
 import { InvalidCredentialsError, InvalidOtpError, ServiceUnavailableError, UserSuspendedError, } from '@directus/errors';
 import jwt from 'jsonwebtoken';
 import { clone, cloneDeep } from 'lodash-es';
-import { performance } from 'perf_hooks';
 import { getAuthProvider } from '../auth.js';
 import { DEFAULT_AUTH_PROVIDER } from '../constants.js';
 import getDatabase from '../database/index.js';
 import emitter from '../emitter.js';
 import { fetchRolesTree } from '../permissions/lib/fetch-roles-tree.js';
 import { fetchGlobalAccess } from '../permissions/modules/fetch-global-access/fetch-global-access.js';
-import { RateLimiterRes, createRateLimiter } from '../rate-limiter.js';
+import { createRateLimiter, RateLimiterRes } from '../rate-limiter.js';
 import { getMilliseconds } from '../utils/get-milliseconds.js';
 import { getSecret } from '../utils/get-secret.js';
 import { stall } from '../utils/stall.js';
@@ -149,8 +149,8 @@ export class AuthenticationService {
                 throw new InvalidOtpError();
             }
         }
-        const roles = await fetchRolesTree(user.role, this.knex);
-        const globalAccess = await fetchGlobalAccess({ roles, user: user.id, ip: this.accountability?.ip ?? null }, this.knex);
+        const roles = await fetchRolesTree(user.role, { knex: this.knex });
+        const globalAccess = await fetchGlobalAccess({ roles, user: user.id, ip: this.accountability?.ip ?? null }, { knex: this.knex });
         const tokenPayload = {
             id: user.id,
             role: user.role,
@@ -277,8 +277,8 @@ export class AuthenticationService {
                 throw new InvalidCredentialsError();
             }
         }
-        const roles = await fetchRolesTree(record.user_role, this.knex);
-        const globalAccess = await fetchGlobalAccess({ user: record.user_id, roles, ip: this.accountability?.ip ?? null }, this.knex);
+        const roles = await fetchRolesTree(record.user_role, { knex: this.knex });
+        const globalAccess = await fetchGlobalAccess({ user: record.user_id, roles, ip: this.accountability?.ip ?? null }, { knex: this.knex });
         if (record.user_id) {
             const provider = getAuthProvider(record.user_provider);
             await provider.refresh({

package/dist/services/collections.js

@@ -14,10 +14,10 @@ import { validateAccess } from '../permissions/modules/validate-access/validate-
 import { getSchema } from '../utils/get-schema.js';
 import { shouldClearCache } from '../utils/should-clear-cache.js';
 import { transaction } from '../utils/transaction.js';
-import { FieldsService } from './fields.js';
 import { buildCollectionAndFieldRelations } from './fields/build-collection-and-field-relations.js';
 import { getCollectionMetaUpdates } from './fields/get-collection-meta-updates.js';
 import { getCollectionRelationList } from './fields/get-collection-relation-list.js';
+import { FieldsService } from './fields.js';
 import { ItemsService } from './items.js';
 export class CollectionsService {
     knex;