@directus/api 32.2.0 → 33.1.0

package/dist/metrics/lib/create-metrics.js

@@ -1,8 +1,8 @@
-import { useEnv } from '@directus/env';
-import { toArray } from '@directus/utils';
 import { randomUUID } from 'node:crypto';
 import { Readable } from 'node:stream';
 import { promisify } from 'node:util';
+import { useEnv } from '@directus/env';
+import { toArray } from '@directus/utils';
 import pm2 from 'pm2';
 import { AggregatorRegistry, Counter, Histogram, register } from 'prom-client';
 import { getCache } from '../../cache.js';

package/dist/middleware/authenticate.js

@@ -1,13 +1,13 @@
+import { useEnv } from '@directus/env';
+import { ErrorCode, isDirectusError } from '@directus/errors';
 import { isEqual } from 'lodash-es';
+import { SESSION_COOKIE_OPTIONS } from '../constants.js';
 import getDatabase from '../database/index.js';
 import emitter from '../emitter.js';
 import { createDefaultAccountability } from '../permissions/utils/create-default-accountability.js';
 import asyncHandler from '../utils/async-handler.js';
 import { getAccountabilityForToken } from '../utils/get-accountability-for-token.js';
 import { getIPFromReq } from '../utils/get-ip-from-req.js';
-import { ErrorCode, isDirectusError } from '@directus/errors';
-import { useEnv } from '@directus/env';
-import { SESSION_COOKIE_OPTIONS } from '../constants.js';
 /**
  * Verify the passed JWT and assign the user ID and role to `req`
  */

package/dist/middleware/collection-exists.js

@@ -2,8 +2,8 @@
  * Check if requested collection exists, and save it to req.collection
  */
 import { systemCollectionRows } from '@directus/system-data';
-import asyncHandler from '../utils/async-handler.js';
 import { createCollectionForbiddenError } from '../permissions/modules/process-ast/utils/validate-path/create-error.js';
+import asyncHandler from '../utils/async-handler.js';
 const collectionExists = asyncHandler(async (req, _res, next) => {
     if (!req.params['collection'])
         return next();

package/dist/middleware/extract-token.js

@@ -1,5 +1,5 @@
-import { InvalidPayloadError } from '@directus/errors';
 import { useEnv } from '@directus/env';
+import { InvalidPayloadError } from '@directus/errors';
 /**
  * Extract access token from
  *

package/dist/middleware/graphql.js

@@ -1,9 +1,9 @@
+import { useEnv } from '@directus/env';
+import { InvalidPayloadError, InvalidQueryError, MethodNotAllowedError } from '@directus/errors';
 import { parseJSON } from '@directus/utils';
 import { getOperationAST, parse, Source } from 'graphql';
-import { InvalidPayloadError, InvalidQueryError, MethodNotAllowedError } from '@directus/errors';
 import { GraphQLValidationError } from '../services/graphql/errors/validation.js';
 import asyncHandler from '../utils/async-handler.js';
-import { useEnv } from '@directus/env';
 export const parseGraphQL = asyncHandler(async (req, res, next) => {
     if (req.method !== 'GET' && req.method !== 'POST') {
         throw new MethodNotAllowedError({ allowed: ['GET', 'POST'], current: req.method });

package/dist/middleware/respond.js

@@ -15,6 +15,10 @@ export const respond = asyncHandler(async (req, res) => {
     const env = useEnv();
     const logger = useLogger();
     const { cache } = getCache();
+    // Support custom cache instance and TTL via res.locals
+    const cacheInstance = res.locals['cacheInstance'] || cache;
+    const cacheTTL = res.locals['cacheTTL'] ?? getMilliseconds(env['CACHE_TTL']);
+    const hasCustomCache = !!res.locals['cacheInstance'];
     let exceedsMaxSize = false;
     if (env['CACHE_VALUE_MAX_SIZE'] !== false) {
         const valueSize = res.locals['payload'] ? stringByteSize(JSON.stringify(res.locals['payload'])) : 0;
@@ -22,26 +26,35 @@ export const respond = asyncHandler(async (req, res) => {
         if (maxSize !== null)
             exceedsMaxSize = valueSize > maxSize;
     }
-    if ((req.method.toLowerCase() === 'get' || req.originalUrl?.startsWith('/graphql')) &&
-        req.originalUrl?.startsWith('/auth') === false &&
-        env['CACHE_ENABLED'] === true &&
-        cache &&
-        !req.sanitizedQuery.export &&
-        res.locals['cache'] !== false &&
-        exceedsMaxSize === false &&
-        (await permissionsCacheable(req.collection, {
-            knex: getDatabase(),
-            schema: req.schema,
-        }, req.accountability))) {
+    // Custom cache bypasses global cache settings (CACHE_ENABLED, permissionsCacheable)
+    const shouldCache = hasCustomCache
+        ? res.locals['cache'] !== false && cacheInstance && !req.sanitizedQuery.export && exceedsMaxSize === false
+        : (req.method.toLowerCase() === 'get' || req.originalUrl?.startsWith('/graphql')) &&
+            req.originalUrl?.startsWith('/auth') === false &&
+            env['CACHE_ENABLED'] === true &&
+            cache &&
+            !req.sanitizedQuery.export &&
+            res.locals['cache'] !== false &&
+            exceedsMaxSize === false &&
+            (await permissionsCacheable(req.collection, {
+                knex: getDatabase(),
+                schema: req.schema,
+            }, req.accountability));
+    if (shouldCache) {
         const key = await getCacheKey(req);
         try {
-            await setCacheValue(cache, key, res.locals['payload'], getMilliseconds(env['CACHE_TTL']));
-            await setCacheValue(cache, `${key}__expires_at`, { exp: Date.now() + getMilliseconds(env['CACHE_TTL'], 0) });
+            await setCacheValue(cacheInstance, key, res.locals['payload'], cacheTTL);
+            await setCacheValue(cacheInstance, `${key}__expires_at`, { exp: Date.now() + cacheTTL });
         }
         catch (err) {
             logger.warn(err, `[cache] Couldn't set key ${key}. ${err}`);
         }
-        res.setHeader('Cache-Control', getCacheControlHeader(req, getMilliseconds(env['CACHE_TTL']), true, true));
+        res.setHeader('Cache-Control', getCacheControlHeader(req, cacheTTL, !hasCustomCache, true));
+        res.setHeader('Vary', 'Origin, Cache-Control');
+    }
+    else if (res.locals['cacheTTL'] !== undefined) {
+        // Custom TTL for headers only (no storage) - useful when caching is handled elsewhere
+        res.setHeader('Cache-Control', getCacheControlHeader(req, cacheTTL, false, true));
         res.setHeader('Vary', 'Origin, Cache-Control');
     }
     else {

package/dist/middleware/validate-batch.js

@@ -1,5 +1,5 @@
-import Joi from 'joi';
 import { InvalidPayloadError } from '@directus/errors';
+import Joi from 'joi';
 import asyncHandler from '../utils/async-handler.js';
 import { sanitizeQuery } from '../utils/sanitize-query.js';
 import { validateQuery } from '../utils/validate-query.js';

package/dist/operations/exec/index.js

@@ -1,5 +1,6 @@
-import { defineOperationApi } from '@directus/extensions';
 import { createRequire } from 'node:module';
+import { defineOperationApi } from '@directus/extensions';
+// eslint-disable-next-line import/order
 import { sieveFunctions } from '@directus/utils';
 const require = createRequire(import.meta.url);
 const ivm = require('isolated-vm');

package/dist/operations/mail/index.js

@@ -1,7 +1,7 @@
 import { defineOperationApi } from '@directus/extensions';
+import { useLogger } from '../../logger/index.js';
 import { MailService } from '../../services/mail/index.js';
 import { md } from '../../utils/md.js';
-import { useLogger } from '../../logger/index.js';
 import { useFlowsEmailRateLimiter } from './rate-limiter.js';
 const logger = useLogger();
 export default defineOperationApi({

package/dist/operations/mail/rate-limiter.js

@@ -1,8 +1,8 @@
 import { useEnv } from '@directus/env';
+import { EmailLimitExceededError } from '@directus/errors';
+import { toBoolean } from '@directus/utils';
 import { RateLimiterMemory, RateLimiterRedis, RateLimiterRes } from 'rate-limiter-flexible';
 import { createRateLimiter } from '../../rate-limiter.js';
-import { toBoolean } from '@directus/utils';
-import { EmailLimitExceededError } from '@directus/errors';
 let emailRateLimiter;
 const env = useEnv();
 if (toBoolean(env['RATE_LIMITER_EMAIL_FLOWS_ENABLED']) === true) {

package/dist/permissions/cache.js

@@ -1,6 +1,10 @@
+import { useEnv } from '@directus/env';
 import { defineCache } from '@directus/memory';
 import { redisConfigAvailable, useRedis } from '../redis/index.js';
+import { getMilliseconds } from '../utils/get-milliseconds.js';
 const localOnly = redisConfigAvailable() === false;
+const env = useEnv();
+const ttl = getMilliseconds(env['CACHE_SYSTEM_TTL']);
 const config = localOnly
     ? {
         type: 'local',
@@ -11,6 +15,7 @@ const config = localOnly
         redis: {
             namespace: 'permissions',
             redis: useRedis(),
+            ...(ttl !== undefined ? { ttl } : {}),
         },
         local: {
             maxKeys: 100,

package/dist/permissions/modules/fetch-allowed-collections/fetch-allowed-collections.js

@@ -1,6 +1,6 @@
 import { uniq } from 'lodash-es';
-import { fetchPolicies } from '../../lib/fetch-policies.js';
 import { fetchPermissions } from '../../lib/fetch-permissions.js';
+import { fetchPolicies } from '../../lib/fetch-policies.js';
 export async function fetchAllowedCollections({ action, accountability }, { knex, schema }) {
     if (accountability.admin) {
         return Object.keys(schema.collections);

package/dist/permissions/modules/fetch-allowed-field-map/fetch-allowed-field-map.js

@@ -1,6 +1,6 @@
 import { uniq } from 'lodash-es';
-import { fetchPolicies } from '../../lib/fetch-policies.js';
 import { fetchPermissions } from '../../lib/fetch-permissions.js';
+import { fetchPolicies } from '../../lib/fetch-policies.js';
 export async function fetchAllowedFieldMap({ accountability, action }, { knex, schema }) {
     const fieldMap = {};
     if (accountability.admin) {

package/dist/permissions/modules/fetch-inconsistent-field-map/fetch-inconsistent-field-map.js

@@ -1,6 +1,6 @@
-import { uniq, intersection, difference } from 'lodash-es';
-import { fetchPolicies } from '../../lib/fetch-policies.js';
+import { difference, intersection, uniq } from 'lodash-es';
 import { fetchPermissions } from '../../lib/fetch-permissions.js';
+import { fetchPolicies } from '../../lib/fetch-policies.js';
 /**
  * Fetch a field map for fields that may or may not be null based on item-by-item permissions.
  */

package/dist/permissions/modules/process-ast/lib/inject-cases.js

@@ -1,5 +1,5 @@
-import { getUnaliasedFieldKey } from '../../../utils/get-unaliased-field-key.js';
 import { uniq } from 'lodash-es';
+import { getUnaliasedFieldKey } from '../../../utils/get-unaliased-field-key.js';
 import { getCases } from './get-cases.js';
 /**
  * Mutates passed AST

package/dist/permissions/modules/process-ast/process-ast.js

@@ -3,8 +3,8 @@ import { fetchPolicies } from '../../lib/fetch-policies.js';
 import { fieldMapFromAst } from './lib/field-map-from-ast.js';
 import { injectCases } from './lib/inject-cases.js';
 import { collectionsInFieldMap } from './utils/collections-in-field-map.js';
-import { validatePathPermissions } from './utils/validate-path/validate-path-permissions.js';
 import { validatePathExistence } from './utils/validate-path/validate-path-existence.js';
+import { validatePathPermissions } from './utils/validate-path/validate-path-permissions.js';
 export async function processAst(options, context) {
     // FieldMap is a Map of paths in the AST, with each path containing the collection and fields in
     // that collection that the AST path tries to access

package/dist/permissions/modules/process-ast/utils/find-related-collection.js

@@ -1,4 +1,4 @@
-import { getRelationInfo } from '../../../../utils/get-relation-info.js';
+import { getRelationInfo } from '@directus/utils';
 export function findRelatedCollection(collection, field, schema) {
     const { relation } = getRelationInfo(schema.relations, collection, field);
     if (!relation)

package/dist/permissions/modules/process-payload/process-payload.js

@@ -6,8 +6,8 @@ import { fetchPolicies } from '../../lib/fetch-policies.js';
 import { extractRequiredDynamicVariableContext } from '../../utils/extract-required-dynamic-variable-context.js';
 import { fetchDynamicVariableData } from '../../utils/fetch-dynamic-variable-data.js';
 import { contextHasDynamicVariables } from '../process-ast/utils/context-has-dynamic-variables.js';
-import { isFieldNullable } from './lib/is-field-nullable.js';
 import { createCollectionForbiddenError, createFieldsForbiddenError, } from '../process-ast/utils/validate-path/create-error.js';
+import { isFieldNullable } from './lib/is-field-nullable.js';
 /**
  * @note this only validates the top-level fields. The expectation is that this function is called
  * for each level of nested insert separately

package/dist/permissions/modules/validate-access/lib/validate-item-access.d.ts

@@ -4,7 +4,19 @@ export interface ValidateItemAccessOptions {
     accountability: Accountability;
     action: PermissionsAction;
     collection: string;
-    primaryKeys: PrimaryKey[];
+    primaryKeys?: PrimaryKey[];
     fields?: string[];
+    returnAllowedRootFields?: boolean;
 }
-export declare function validateItemAccess(options: ValidateItemAccessOptions, context: Context): Promise<any>;
+export interface ValidateItemAccessOptionsWithRootFields extends ValidateItemAccessOptions {
+    returnAllowedRootFields: true;
+}
+export interface ValidateItemAccessResult {
+    accessAllowed: boolean;
+    allowedRootFields?: string[];
+}
+export interface ValidateItemAccessResultWithRootFields extends ValidateItemAccessResult {
+    allowedRootFields: string[];
+}
+export declare function validateItemAccess(options: ValidateItemAccessOptionsWithRootFields, context: Context): Promise<ValidateItemAccessResultWithRootFields>;
+export declare function validateItemAccess(options: ValidateItemAccessOptions, context: Context): Promise<ValidateItemAccessResult>;

package/dist/permissions/modules/validate-access/lib/validate-item-access.js

@@ -1,17 +1,28 @@
 import { toBoolean } from '@directus/utils';
 import { fetchPermittedAstRootFields } from '../../../../database/run-ast/modules/fetch-permitted-ast-root-fields.js';
+import { fetchPermissions } from '../../../lib/fetch-permissions.js';
+import { fetchPolicies } from '../../../lib/fetch-policies.js';
+import { fetchAllowedFields } from '../../fetch-allowed-fields/fetch-allowed-fields.js';
+import { injectCases } from '../../process-ast/lib/inject-cases.js';
 import { processAst } from '../../process-ast/process-ast.js';
 export async function validateItemAccess(options, context) {
-    const primaryKeyField = context.schema.collections[options.collection]?.primary;
+    const collectionInfo = context.schema.collections[options.collection];
+    const primaryKeyField = collectionInfo?.primary;
     if (!primaryKeyField) {
         throw new Error(`Cannot find primary key for collection "${options.collection}"`);
     }
+    const isSingleton = collectionInfo?.singleton === true;
+    const hasPrimaryKeys = options.primaryKeys && options.primaryKeys.length > 0;
+    // For non-singletons, we must have PKs to validate against
+    if (!isSingleton && !hasPrimaryKeys) {
+        throw new Error(`Primary keys are required for non-singleton collection "${options.collection}"`);
+    }
     // When we're looking up access to specific items, we have to read them from the database to
     // make sure you are allowed to access them.
     const ast = {
         type: 'root',
         name: options.collection,
-        query: { limit: options.primaryKeys.length },
+        query: { limit: isSingleton && !hasPrimaryKeys ? 1 : options.primaryKeys.length },
         // Act as if every field was a "normal" field
         children: options.fields?.map((field) => ({ type: 'field', name: field, fieldKey: field, whenCase: [], alias: false })) ??
             [],
@@ -19,23 +30,71 @@ export async function validateItemAccess(options, context) {
     };
     await processAst({ ast, ...options }, context);
     // Inject the filter after the permissions have been processed, as to not require access to the primary key
-    ast.query.filter = {
-        [primaryKeyField]: {
-            _in: options.primaryKeys,
-        },
-    };
+    // Skip adding filter for singletons without explicit PKs
+    if (hasPrimaryKeys) {
+        ast.query.filter = {
+            [primaryKeyField]: {
+                _in: options.primaryKeys,
+            },
+        };
+    }
+    let hasItemRules;
+    let permissionedFields;
+    // Inject the root fields after the permissions have been processed, as to not require access to all collection fields
+    if (options.returnAllowedRootFields) {
+        const allowedFields = await fetchAllowedFields({ accountability: options.accountability, action: options.action, collection: options.collection }, context);
+        const schemaFields = Object.keys(context.schema.collections[options.collection].fields);
+        const hasWildcard = allowedFields.includes('*');
+        permissionedFields = hasWildcard ? schemaFields : allowedFields;
+        const policies = await fetchPolicies(options.accountability, context);
+        const permissions = await fetchPermissions({ action: options.action, policies, collections: [options.collection], accountability: options.accountability }, context);
+        // Only inject cases if there are item-level permission rules
+        hasItemRules = permissions.some((p) => p.permissions && Object.keys(p.permissions).length > 0);
+        if (hasItemRules) {
+            // Create children only for fields that exist in schema and are allowed by permissions
+            ast.children = permissionedFields.map((field) => ({
+                type: 'field',
+                name: field,
+                fieldKey: field,
+                whenCase: [],
+                alias: false,
+            }));
+            injectCases(ast, permissions);
+        }
+    }
     const items = await fetchPermittedAstRootFields(ast, {
         schema: context.schema,
         accountability: options.accountability,
         knex: context.knex,
         action: options.action,
     });
-    if (items && items.length === options.primaryKeys.length) {
-        const { fields } = options;
-        if (fields) {
-            return items.every((item) => fields.every((field) => toBoolean(item[field])));
+    const expectedCount = isSingleton && !hasPrimaryKeys ? 1 : options.primaryKeys.length;
+    const hasAccess = items && items.length === expectedCount;
+    if (!hasAccess) {
+        if (options.returnAllowedRootFields) {
+            return { accessAllowed: false, allowedRootFields: [] };
+        }
+        return { accessAllowed: false };
+    }
+    let accessAllowed = true;
+    // If specific fields were requested, verify they are all accessible
+    if (options.fields) {
+        accessAllowed = items.every((item) => options.fields.every((field) => toBoolean(item[field])));
+    }
+    // If returnAllowedRootFields, return intersection of allowed fields across all items
+    if (options.returnAllowedRootFields) {
+        // If there are no item-level rules, return the permissioned fields directly
+        if (!hasItemRules) {
+            return {
+                accessAllowed,
+                allowedRootFields: permissionedFields,
+            };
         }
-        return true;
+        const allowedRootFields = items.length > 0 ? Object.keys(items[0]).filter((field) => items.every((item) => item[field] === 1)) : [];
+        return {
+            accessAllowed,
+            allowedRootFields,
+        };
     }
-    return false;
+    return { accessAllowed };
 }

package/dist/permissions/modules/validate-access/validate-access.js

@@ -1,7 +1,7 @@
 import { ForbiddenError } from '@directus/errors';
+import { createCollectionForbiddenError } from '../process-ast/utils/validate-path/create-error.js';
 import { validateCollectionAccess } from './lib/validate-collection-access.js';
 import { validateItemAccess } from './lib/validate-item-access.js';
-import { createCollectionForbiddenError } from '../process-ast/utils/validate-path/create-error.js';
 /**
  * Validate if the current user has access to perform action against the given collection and
  * optional primary keys. This is done by reading the item from the database using the access
@@ -20,7 +20,8 @@ export async function validateAccess(options, context) {
     // from the database. If no keys are passed, we can simply check if the collection+action combo
     // exists within permissions
     if (options.primaryKeys) {
-        access = await validateItemAccess(options, context);
+        const result = await validateItemAccess(options, context);
+        access = result.accessAllowed;
     }
     else {
         access = await validateCollectionAccess(options, context);

package/dist/rate-limiter.js

@@ -1,8 +1,8 @@
+import { createRequire } from 'node:module';
 import { useEnv } from '@directus/env';
 import { merge } from 'lodash-es';
 import { RateLimiterMemory, RateLimiterRedis, RateLimiterRes } from 'rate-limiter-flexible';
 import { getConfigFromEnv } from './utils/get-config-from-env.js';
-import { createRequire } from 'node:module';
 const require = createRequire(import.meta.url);
 export function createRateLimiter(configPrefix = 'RATE_LIMITER', configOverrides) {
     const env = useEnv();

package/dist/request/is-denied-ip.js

@@ -1,7 +1,7 @@
+import os from 'node:os';
 import { useEnv } from '@directus/env';
 import { ipInNetworks } from '@directus/utils/node';
 import { matches } from 'ip-matching';
-import os from 'node:os';
 import { useLogger } from '../logger/index.js';
 export function isDeniedIp(ip) {
     const env = useEnv();

package/dist/schedules/project.js

@@ -1,8 +1,8 @@
+import { version } from 'directus/version';
 import { random } from 'lodash-es';
 import getDatabase from '../database/index.js';
 import { sendReport } from '../telemetry/index.js';
 import { scheduleSynchronizedJob } from '../utils/schedule.js';
-import { version } from 'directus/version';
 /**
  * Schedule the project status job
  */

package/dist/schedules/telemetry.js

@@ -1,8 +1,8 @@
 import { useEnv } from '@directus/env';
 import { toBoolean } from '@directus/utils';
 import { getCache } from '../cache.js';
-import { scheduleSynchronizedJob } from '../utils/schedule.js';
 import { track } from '../telemetry/index.js';
+import { scheduleSynchronizedJob } from '../utils/schedule.js';
 /**
  * Exported to be able to test the anonymous callback function
  */

package/dist/schedules/tus.js

@@ -1,6 +1,6 @@
 import { RESUMABLE_UPLOADS } from '../constants.js';
-import { getSchema } from '../utils/get-schema.js';
 import { createTusServer } from '../services/tus/index.js';
+import { getSchema } from '../utils/get-schema.js';
 import { scheduleSynchronizedJob, validateCron } from '../utils/schedule.js';
 /**
  * Schedule the tus cleanup

package/dist/server.js

@@ -1,21 +1,21 @@
+import * as http from 'http';
+import * as https from 'https';
+import url from 'url';
 import { useEnv } from '@directus/env';
 import { toBoolean } from '@directus/utils';
 import { getNodeEnv } from '@directus/utils/node';
 import { createTerminus } from '@godaddy/terminus';
-import * as http from 'http';
-import * as https from 'https';
 import { once } from 'lodash-es';
 import qs from 'qs';
-import url from 'url';
 import createApp from './app.js';
 import getDatabase from './database/index.js';
 import emitter from './emitter.js';
 import { useLogger } from './logger/index.js';
+import { getAddress } from './utils/get-address.js';
 import { getConfigFromEnv } from './utils/get-config-from-env.js';
 import { getIPFromReq } from './utils/get-ip-from-req.js';
-import { getAddress } from './utils/get-address.js';
 import { createLogsController, createSubscriptionController, createWebSocketController, getLogsController, getSubscriptionController, getWebSocketController, } from './websocket/controllers/index.js';
-import { startWebSocketHandlers } from './websocket/handlers/index.js';
+import { getCollabHandler, startWebSocketHandlers } from './websocket/handlers/index.js';
 export let SERVER_ONLINE = true;
 const env = useEnv();
 const logger = useLogger();
@@ -101,6 +101,7 @@ export async function createServer() {
         getSubscriptionController()?.terminate();
         getWebSocketController()?.terminate();
         getLogsController()?.terminate();
+        await getCollabHandler()?.terminate();
         const database = getDatabase();
         await database.destroy();
         logger.info('Database connections destroyed');

package/dist/services/assets.d.ts

@@ -1,7 +1,7 @@
+import type { Readable } from 'node:stream';
 import type { AbstractServiceOptions, Accountability, Range, SchemaOverview, Stat, TransformationSet } from '@directus/types';
 import archiver from 'archiver';
 import type { Knex } from 'knex';
-import type { Readable } from 'node:stream';
 import { FilesService } from './files.js';
 export declare class AssetsService {
     knex: Knex;
@@ -9,6 +9,7 @@ export declare class AssetsService {
     schema: SchemaOverview;
     sudoFilesService: FilesService;
     constructor(options: AbstractServiceOptions);
+    private sanitizeFields;
     private zip;
     zipFiles(files: string[]): Promise<{
         archive: archiver.Archiver;

package/dist/services/assets.js

@@ -1,22 +1,22 @@
+import path from 'path';
 import { useEnv } from '@directus/env';
 import { ForbiddenError, IllegalAssetTransformationError, InvalidPayloadError, InvalidQueryError, RangeNotSatisfiableError, ServiceUnavailableError, } from '@directus/errors';
 import archiver from 'archiver';
 import { clamp } from 'lodash-es';
 import { contentType, extension } from 'mime-types';
 import hash from 'object-hash';
-import path from 'path';
 import sharp from 'sharp';
 import { SUPPORTED_IMAGE_TRANSFORM_FORMATS } from '../constants.js';
 import getDatabase from '../database/index.js';
 import { useLogger } from '../logger/index.js';
-import { validateAccess } from '../permissions/modules/validate-access/validate-access.js';
+import { validateItemAccess } from '../permissions/modules/validate-access/lib/validate-item-access.js';
 import { getStorage } from '../storage/index.js';
 import { getMilliseconds } from '../utils/get-milliseconds.js';
 import { isValidUuid } from '../utils/is-valid-uuid.js';
 import * as TransformationUtils from '../utils/transformations.js';
 import { NameDeduper } from './assets/name-deduper.js';
-import { FilesService } from './files.js';
 import { getSharpInstance } from './files/lib/get-sharp-instance.js';
+import { FilesService } from './files.js';
 import { FoldersService } from './folders.js';
 const env = useEnv();
 const logger = useLogger();
@@ -31,6 +31,20 @@ export class AssetsService {
         this.schema = options.schema;
         this.sudoFilesService = new FilesService({ ...options, accountability: null });
     }
+    sanitizeFields(file, allowedFields) {
+        if (allowedFields.includes('*')) {
+            return file;
+        }
+        const bypassFields = ['type', 'filesize'];
+        const fieldsToKeep = new Set([...allowedFields, ...bypassFields]);
+        const filteredFile = {};
+        for (const field of fieldsToKeep) {
+            if (field in file) {
+                filteredFile[field] = file[field];
+            }
+        }
+        return filteredFile;
+    }
     zip(options) {
         if (options.files.length === 0) {
             throw new InvalidPayloadError({ reason: 'No files found in the selected folders tree' });
@@ -135,13 +149,22 @@ export class AssetsService {
          */
         if (!isValidUuid(id))
             throw new ForbiddenError();
-        if (systemPublicKeys.includes(id) === false && this.accountability) {
-            await validateAccess({
+        let allowedFields = ['*'];
+        if (!systemPublicKeys.includes(id) && this.accountability && this.accountability.admin !== true) {
+            // Use validateItemAccess to check access and get allowed fields
+            const { allowedRootFields, accessAllowed } = await validateItemAccess({
                 accountability: this.accountability,
                 action: 'read',
                 collection: 'directus_files',
                 primaryKeys: [id],
+                returnAllowedRootFields: true,
             }, { knex: this.knex, schema: this.schema });
+            if (!accessAllowed) {
+                throw new ForbiddenError({
+                    reason: `You don't have permission to perform "read" for collection "directus_files" or it does not exist.`,
+                });
+            }
+            allowedFields = allowedRootFields;
         }
         const file = (await this.sudoFilesService.readOne(id, { limit: 1 }));
         const exists = await storage.location(file.storage).exists(file.filename_disk);
@@ -195,7 +218,7 @@ export class AssetsService {
                 const assetStream = () => storage.location(file.storage).read(assetFilename, { range });
                 return {
                     stream: deferStream ? assetStream : await assetStream(),
-                    file,
+                    file: this.sanitizeFields(file, allowedFields),
                     stat: await storage.location(file.storage).stat(assetFilename),
                 };
             }
@@ -260,13 +283,17 @@ export class AssetsService {
             return {
                 stream: deferStream ? assetStream : await assetStream(),
                 stat: await storage.location(file.storage).stat(assetFilename),
-                file,
+                file: this.sanitizeFields(file, allowedFields),
             };
         }
         else {
             const assetStream = () => storage.location(file.storage).read(file.filename_disk, { range, version });
             const stat = await storage.location(file.storage).stat(file.filename_disk);
-            return { stream: deferStream ? assetStream : await assetStream(), file, stat };
+            return {
+                stream: deferStream ? assetStream : await assetStream(),
+                file: this.sanitizeFields(file, allowedFields),
+                stat,
+            };
         }
     }
 }

package/dist/services/authentication.js

@@ -1,16 +1,16 @@
+import { performance } from 'perf_hooks';
 import { Action } from '@directus/constants';
 import { useEnv } from '@directus/env';
 import { InvalidCredentialsError, InvalidOtpError, ServiceUnavailableError, UserSuspendedError, } from '@directus/errors';
 import jwt from 'jsonwebtoken';
 import { clone, cloneDeep } from 'lodash-es';
-import { performance } from 'perf_hooks';
 import { getAuthProvider } from '../auth.js';
 import { DEFAULT_AUTH_PROVIDER } from '../constants.js';
 import getDatabase from '../database/index.js';
 import emitter from '../emitter.js';
 import { fetchRolesTree } from '../permissions/lib/fetch-roles-tree.js';
 import { fetchGlobalAccess } from '../permissions/modules/fetch-global-access/fetch-global-access.js';
-import { RateLimiterRes, createRateLimiter } from '../rate-limiter.js';
+import { createRateLimiter, RateLimiterRes } from '../rate-limiter.js';
 import { getMilliseconds } from '../utils/get-milliseconds.js';
 import { getSecret } from '../utils/get-secret.js';
 import { stall } from '../utils/stall.js';