@directus/api 33.3.1 → 34.0.0

package/dist/services/deployment.js

@@ -1,13 +1,18 @@
 import { useEnv } from '@directus/env';
 import { InvalidPayloadError, InvalidProviderConfigError } from '@directus/errors';
-import { mergeFilters, parseJSON } from '@directus/utils';
+import { mergeFilters } from '@directus/utils';
 import { has, isEmpty } from 'lodash-es';
 import { getCache, getCacheValueWithTTL, setCacheValueWithExpiry } from '../cache.js';
 import { getDeploymentDriver } from '../deployment.js';
+import { useLogger } from '../logger/index.js';
 import { getMilliseconds } from '../utils/get-milliseconds.js';
+import { parseValue } from '../utils/parse-value.js';
+import { DeploymentProjectsService } from './deployment-projects.js';
+import { DeploymentRunsService } from './deployment-runs.js';
 import { ItemsService } from './items.js';
 const env = useEnv();
 const DEPLOYMENT_CACHE_TTL = getMilliseconds(env['CACHE_DEPLOYMENT_TTL']) || 5000; // Default 5s
+const SYNC_THRESHOLD_MS = 60 * 60 * 1000; // 1 hour
 export class DeploymentService extends ItemsService {
     constructor(options) {
         super('directus_deployments', options);
@@ -22,14 +27,14 @@ export class DeploymentService extends ItemsService {
         }
         let credentials;
         try {
-            credentials = this.parseValue(data.credentials, {});
+            credentials = parseValue(data.credentials, {});
         }
         catch {
             throw new InvalidPayloadError({ reason: 'Credentials must be valid JSON' });
         }
         let options;
         try {
-            options = this.parseValue(data.options, undefined);
+            options = parseValue(data.options, undefined);
         }
         catch {
             throw new InvalidPayloadError({ reason: 'Options must be valid JSON' });
@@ -61,10 +66,10 @@ export class DeploymentService extends ItemsService {
         const existing = await this.readOne(key);
         const provider = existing.provider;
         const internal = await this.readConfig(provider);
-        let credentials = this.parseValue(internal.credentials, {});
+        let credentials = parseValue(internal.credentials, {});
         if (hasCredentials) {
             try {
-                const parsed = this.parseValue(data.credentials, {});
+                const parsed = parseValue(data.credentials, {});
                 credentials = { ...credentials, ...parsed };
             }
             catch {
@@ -74,7 +79,7 @@ export class DeploymentService extends ItemsService {
         let options = existing.options ?? undefined;
         if (hasOptions) {
             try {
-                options = this.parseValue(data.options, undefined);
+                options = parseValue(data.options, undefined);
             }
             catch {
                 throw new InvalidPayloadError({ reason: 'Options must be valid JSON' });
@@ -122,6 +127,17 @@ export class DeploymentService extends ItemsService {
      */
     async deleteByProvider(provider) {
         const deployment = await this.readByProvider(provider);
+        // Webhook cleanup
+        if (deployment.webhook_ids && deployment.webhook_ids.length > 0) {
+            try {
+                const driver = await this.getDriver(provider);
+                await driver.unregisterWebhook(deployment.webhook_ids);
+            }
+            catch (err) {
+                const logger = useLogger();
+                logger.error(`Failed to unregister webhook for ${provider}: ${err}`);
+            }
+        }
         return this.deleteOne(deployment.id);
     }
     /**
@@ -143,24 +159,77 @@ export class DeploymentService extends ItemsService {
         return results[0];
     }
     /**
-     * Parse JSON string or return value as-is
+     * Get webhook config for a provider
      */
-    parseValue(value, fallback) {
-        if (!value)
-            return fallback;
-        if (typeof value === 'string')
-            return parseJSON(value);
-        return value;
+    async getWebhookConfig(provider) {
+        const config = await this.readConfig(provider);
+        return {
+            webhook_secret: config.webhook_secret ?? null,
+            credentials: parseValue(config.credentials, {}),
+            options: parseValue(config.options, {}),
+        };
     }
     /**
      * Get a deployment driver instance with decrypted credentials
      */
     async getDriver(provider) {
         const deployment = await this.readConfig(provider);
-        const credentials = this.parseValue(deployment.credentials, {});
-        const options = this.parseValue(deployment.options, {});
+        const credentials = parseValue(deployment.credentials, {});
+        const options = parseValue(deployment.options, {});
         return getDeploymentDriver(deployment.provider, credentials, options);
     }
+    /**
+     * Sync webhook registration with current tracked projects.
+     */
+    async syncWebhook(provider) {
+        const logger = useLogger();
+        logger.debug(`[webhook:${provider}] Starting webhook sync`);
+        const config = await this.readConfig(provider);
+        const projectsService = new ItemsService('directus_deployment_projects', {
+            knex: this.knex,
+            schema: this.schema,
+            accountability: null,
+        });
+        const projects = await projectsService.readByQuery({
+            filter: { deployment: { _eq: config.id } },
+            limit: -1,
+        });
+        const projectExternalIds = projects.map((p) => p.external_id);
+        const driver = await this.getDriver(provider);
+        // No projects → unregister webhooks if any exist
+        if (projectExternalIds.length === 0) {
+            if (config.webhook_ids && config.webhook_ids.length > 0) {
+                logger.debug(`[webhook:${provider}] No projects, unregistering ${config.webhook_ids.length} webhook(s)`);
+                try {
+                    await driver.unregisterWebhook(config.webhook_ids);
+                }
+                catch (err) {
+                    logger.warn(`[webhook:${provider}] Failed to unregister: ${err}`);
+                }
+                await super.updateOne(config.id, { webhook_ids: null, webhook_secret: null });
+            }
+            return;
+        }
+        // Unregister existing webhooks before re-registering
+        if (config.webhook_ids && config.webhook_ids.length > 0) {
+            logger.debug(`[webhook:${provider}] Unregistering ${config.webhook_ids.length} existing webhook(s)`);
+            try {
+                await driver.unregisterWebhook(config.webhook_ids);
+            }
+            catch (err) {
+                logger.warn(`[webhook:${provider}] Failed to unregister: ${err}`);
+            }
+        }
+        const publicUrl = env['PUBLIC_URL'];
+        const webhookUrl = `${publicUrl}/deployments/webhooks/${provider}`;
+        logger.debug(`[webhook:${provider}] Registering webhook → ${webhookUrl} for ${projectExternalIds.length} project(s)`);
+        const result = await driver.registerWebhook(webhookUrl, projectExternalIds);
+        await super.updateOne(config.id, {
+            webhook_ids: result.webhook_ids,
+            webhook_secret: result.webhook_secret,
+        });
+        logger.info(`[webhook:${provider}] Registered ${result.webhook_ids.length} webhook(s): [${result.webhook_ids.join(', ')}]`);
+    }
     /**
      * List projects from provider with caching
      */
@@ -199,4 +268,183 @@ export class DeploymentService extends ItemsService {
         // Return with full TTL (just cached)
         return { data: project, remainingTTL: DEPLOYMENT_CACHE_TTL };
     }
+    /**
+     * Dashboard: projects + latest run status + stats
+     */
+    async getDashboard(provider, sinceDate) {
+        const projectsService = new DeploymentProjectsService({
+            accountability: this.accountability,
+            schema: this.schema,
+        });
+        const runsService = new DeploymentRunsService({
+            accountability: this.accountability,
+            schema: this.schema,
+        });
+        const deployment = await this.readByProvider(provider);
+        const selectedProjects = await projectsService.readByQuery({
+            filter: { deployment: { _eq: deployment.id } },
+            limit: -1,
+        });
+        if (selectedProjects.length === 0) {
+            return {
+                projects: [],
+                stats: { active_deployments: 0, successful_builds: 0, failed_builds: 0 },
+            };
+        }
+        const projectIds = selectedProjects.map((p) => p.id);
+        // Latest run per project + aggregated stats
+        const [latestRuns, activeResult, statusCounts] = await Promise.all([
+            Promise.all(projectIds.map(async (projectId) => {
+                const runs = await runsService.readByQuery({
+                    filter: { project: { _eq: projectId } },
+                    sort: ['-date_created'],
+                    limit: 1,
+                });
+                return { projectId, run: runs?.[0] ?? null };
+            })),
+            runsService.readByQuery({
+                filter: { project: { _in: projectIds }, status: { _eq: 'building' } },
+                aggregate: { count: ['*'] },
+            }),
+            runsService.readByQuery({
+                filter: {
+                    _and: [
+                        { project: { _in: projectIds } },
+                        { status: { _in: ['ready', 'error'] } },
+                        { date_created: { _gte: sinceDate.toISOString() } },
+                    ],
+                },
+                aggregate: { count: ['*'] },
+                group: ['status'],
+            }),
+        ]);
+        const latestRunMap = new Map(latestRuns.map((r) => [r.projectId, r.run]));
+        const countByStatus = (status) => Number(statusCounts.find((r) => r['status'] === status)?.['count'] ?? 0);
+        // Background sync of project metadata if stale
+        this.syncProjectMetadataIfStale(provider, deployment).catch((err) => {
+            const logger = useLogger();
+            logger.error(`Failed to sync project metadata for ${provider}: ${err}`);
+        });
+        return {
+            projects: selectedProjects.map((p) => {
+                const latestRun = latestRunMap.get(p.id);
+                return {
+                    id: p.id,
+                    external_id: p.external_id,
+                    name: p.name,
+                    url: p.url,
+                    framework: p.framework,
+                    deployable: p.deployable,
+                    ...(latestRun && {
+                        latest_deployment: {
+                            status: latestRun.status,
+                            created_at: latestRun.started_at ?? latestRun.date_created,
+                            finished_at: latestRun.completed_at ?? null,
+                        },
+                    }),
+                };
+            }),
+            stats: {
+                active_deployments: Number(activeResult[0]?.['count'] ?? 0),
+                successful_builds: countByStatus('ready'),
+                failed_builds: countByStatus('error'),
+            },
+        };
+    }
+    /**
+     * Refresh project metadata (name, url, framework, deployable) if stale.
+     */
+    async syncProjectMetadataIfStale(provider, deployment) {
+        if (deployment.last_synced_at) {
+            const lastSync = new Date(deployment.last_synced_at).getTime();
+            if (Date.now() - lastSync < SYNC_THRESHOLD_MS)
+                return;
+        }
+        const logger = useLogger();
+        logger.debug(`[metadata:${provider}] Syncing project metadata`);
+        const projectsService = new DeploymentProjectsService({
+            accountability: null,
+            schema: this.schema,
+        });
+        const driver = await this.getDriver(provider);
+        const selectedProjects = await projectsService.readByQuery({
+            filter: { deployment: { _eq: deployment.id } },
+            limit: -1,
+        });
+        // Fetch details per project
+        const updates = await Promise.all(selectedProjects.map(async (p) => {
+            const details = await driver.getProject(p.external_id);
+            return {
+                id: p.id,
+                name: details.name,
+                url: details.url ?? null,
+                framework: details.framework ?? null,
+                deployable: details.deployable,
+            };
+        }));
+        if (updates.length > 0) {
+            await projectsService.updateBatch(updates);
+        }
+        // Mark sync timestamp
+        const internalService = new DeploymentService({
+            accountability: null,
+            schema: this.schema,
+        });
+        await internalService.updateOne(deployment.id, { last_synced_at: new Date().toISOString() });
+    }
+    /**
+     * Trigger a deployment for a project
+     */
+    async triggerDeployment(provider, projectId, options) {
+        const projectsService = new DeploymentProjectsService({
+            accountability: this.accountability,
+            schema: this.schema,
+        });
+        const runsService = new DeploymentRunsService({
+            accountability: this.accountability,
+            schema: this.schema,
+        });
+        const project = await projectsService.readOne(projectId);
+        const driver = await this.getDriver(provider);
+        const result = await driver.triggerDeployment(project.external_id, {
+            preview: options.preview,
+            clearCache: options.clearCache,
+        });
+        const runId = await runsService.createOne({
+            project: projectId,
+            external_id: result.deployment_id,
+            target: options.preview ? 'preview' : 'production',
+            status: result.status,
+            started_at: result.created_at.toISOString(),
+            ...(result.url ? { url: result.url } : {}),
+        });
+        return runsService.readOne(runId);
+    }
+    /**
+     * Cancel a deployment run
+     */
+    async cancelDeployment(provider, runId) {
+        const runsService = new DeploymentRunsService({
+            accountability: this.accountability,
+            schema: this.schema,
+        });
+        const run = await runsService.readOne(runId);
+        const driver = await this.getDriver(provider);
+        const status = await driver.cancelDeployment(run.external_id);
+        await runsService.updateOne(runId, { status });
+        return runsService.readOne(runId);
+    }
+    /**
+     * Get a run with its logs from the provider
+     */
+    async getRunWithLogs(provider, runId, since) {
+        const runsService = new DeploymentRunsService({
+            accountability: this.accountability,
+            schema: this.schema,
+        });
+        const run = await runsService.readOne(runId);
+        const driver = await this.getDriver(provider);
+        const logs = await driver.getDeploymentLogs(run.external_id, since ? { since } : undefined);
+        return { ...run, logs };
+    }
 }

package/dist/services/files/utils/get-metadata.js

@@ -78,14 +78,14 @@ export async function getMetadata(stream, allowList = env['FILE_METADATA_ALLOW_L
                     logger.warn(err);
                 }
             }
-            if (fullMetadata?.iptc?.['Caption'] && typeof fullMetadata.iptc['Caption'] === 'string') {
-                metadata.description = fullMetadata.iptc?.['Caption'];
+            if (fullMetadata?.iptc?.['caption'] && typeof fullMetadata.iptc['caption'] === 'string') {
+                metadata.description = fullMetadata.iptc['caption'];
             }
-            if (fullMetadata?.iptc?.['Headline'] && typeof fullMetadata.iptc['Headline'] === 'string') {
-                metadata.title = fullMetadata.iptc['Headline'];
+            if (fullMetadata?.iptc?.['headline'] && typeof fullMetadata.iptc['headline'] === 'string') {
+                metadata.title = fullMetadata.iptc['headline'];
             }
-            if (fullMetadata?.iptc?.['Keywords']) {
-                metadata.tags = fullMetadata.iptc['Keywords'];
+            if (fullMetadata?.iptc?.['keywords']) {
+                metadata.tags = fullMetadata.iptc['keywords'];
             }
             if (allowList === '*' || allowList?.[0] === '*') {
                 metadata.metadata = fullMetadata;

package/dist/services/files.d.ts

@@ -15,7 +15,9 @@ export declare class FilesService extends ItemsService<File> {
     /**
      * Import a single file from an external URL
      */
-    importOne(importURL: string, body: Partial<File>): Promise<PrimaryKey>;
+    importOne(importURL: string, body: Partial<File>, options?: {
+        filterMimeType?: string[];
+    }): Promise<PrimaryKey>;
     /**
      * Create a file (only applicable when it is not a multipart/data POST request)
      * Useful for associating metadata with existing file in storage

package/dist/services/files.js

@@ -3,12 +3,13 @@ import zlib from 'node:zlib';
 import path from 'path';
 import url from 'url';
 import { useEnv } from '@directus/env';
-import { ContentTooLargeError, InvalidPayloadError, ServiceUnavailableError } from '@directus/errors';
+import { ContentTooLargeError, InternalServerError, InvalidPayloadError, ServiceUnavailableError, } from '@directus/errors';
 import formatTitle from '@directus/format-title';
 import { toArray } from '@directus/utils';
 import encodeURL from 'encodeurl';
 import { clone, cloneDeep } from 'lodash-es';
 import { extension } from 'mime-types';
+import { minimatch } from 'minimatch';
 import { RESUMABLE_UPLOADS } from '../constants.js';
 import emitter from '../emitter.js';
 import { useLogger } from '../logger/index.js';
@@ -114,6 +115,9 @@ export class FilesService extends ItemsService {
             if (err instanceof ContentTooLargeError) {
                 throw err;
             }
+            else if (err?.code && ['EROFS', 'EACCES', 'EPERM'].includes(err.code)) {
+                throw new InternalServerError();
+            }
             else {
                 throw new ServiceUnavailableError({ service: 'files', reason: `Couldn't save file ${payload.filename_disk}` });
             }
@@ -164,7 +168,7 @@ export class FilesService extends ItemsService {
     /**
      * Import a single file from an external URL
      */
-    async importOne(importURL, body) {
+    async importOne(importURL, body, options = {}) {
         if (this.accountability) {
             await validateAccess({
                 accountability: this.accountability,
@@ -193,10 +197,29 @@ export class FilesService extends ItemsService {
         }
         const parsedURL = url.parse(fileResponse.request.res.responseUrl);
         const filename = decodeURI(path.basename(parsedURL.pathname));
+        const mimeType = fileResponse.headers['content-type']?.split(';')[0]?.trim() || 'application/octet-stream';
+        // Check against global MIME type allow list from env
+        const globalAllowedPatterns = toArray(env['FILES_MIME_TYPE_ALLOW_LIST']);
+        const globalMimeTypeAllowed = globalAllowedPatterns.some((pattern) => minimatch(mimeType, pattern));
+        if (globalMimeTypeAllowed === false) {
+            throw new InvalidPayloadError({
+                reason: `File content type "${mimeType}" is not allowed for upload by your global file type restrictions`,
+            });
+        }
+        const { filterMimeType } = options;
+        // Check against interface-level MIME type restrictions if provided
+        if (filterMimeType && filterMimeType.length > 0) {
+            const interfaceMimeTypeAllowed = filterMimeType.some((pattern) => minimatch(mimeType, pattern));
+            if (interfaceMimeTypeAllowed === false) {
+                throw new InvalidPayloadError({
+                    reason: `File content type "${mimeType}" is not allowed for upload by this field's file type restrictions`,
+                });
+            }
+        }
         const payload = {
             filename_download: filename,
             storage: toArray(env['STORAGE_LOCATIONS'])[0],
-            type: fileResponse.headers['content-type'],
+            type: mimeType,
             title: formatTitle(filename),
             ...(body || {}),
         };

package/dist/services/graphql/resolvers/query.js

@@ -1,4 +1,5 @@
 import { parseFilterFunctionPath } from '@directus/utils';
+import { omit } from 'lodash-es';
 import { parseArgs } from '../schema/parse-args.js';
 import { getQuery } from '../schema/parse-query.js';
 import { getAggregateQuery } from '../utils/aggregate-query.js';
@@ -40,13 +41,29 @@ export async function resolveQuery(gql, info) {
     const result = await gql.read(collection, query, args['id']);
     if (args['id'])
         return result;
+    /**
+     * Since grouped fields are returned at the top level, we duplicate those fields
+     * into the expected `group` property on the payload, excluding any non-group
+     * fields (i.e. aggregate keys).
+     *
+     * The payload can only contain grouped fields and aggregate keys, as the
+     * aggregate selection is restricted to those fields. Therefore, the original
+     * grouped fields can safely remain at the top level.
+     *
+     * We cannot iterate over `query.group`, because grouped fields that use
+     * functions are normalized (e.g. function(field) → function_field), which would
+     * result in them being skipped.
+     *
+     * Before:
+     * { year_date: 2023, count: { id: 42 } }
+     *
+     * After:
+     * { year_date: 2023, count: { id: 42 }, group: { year_date: 2023 } }
+     */
     if (query.group) {
-        result['map']((field) => {
-            const groupValues = {};
-            for (const key of query.group) {
-                groupValues[key] = field[key];
-            }
-            field['group'] = groupValues;
+        const aggregateKeys = Object.keys(query.aggregate ?? {});
+        result['map']((payload) => {
+            payload['group'] = omit(payload, aggregateKeys);
         });
     }
     return result;

package/dist/services/payload.d.ts

@@ -41,6 +41,12 @@ export declare class PayloadService {
      * to check if the value is a raw instance before stringifying it in the next step.
      */
     processGeometries<T extends Partial<Record<string, any>>[]>(fieldEntries: [string, FieldOverview][], payloads: T, action: PayloadAction): T;
+    /**
+     * When accessing JSON paths that contain objects or arrays, certain databases return stringified
+     * JSON (MySQL, SQLite, MSSQL, Oracle). The fn helper's parseJsonResult handles this per-dialect —
+     * vendors whose drivers already deserialize the result (e.g. pg for PostgreSQL) use a no-op.
+     */
+    processJsonFunctionResults<T extends Partial<Record<string, any>>[]>(payloads: T, aliasMap?: Record<string, string>): void;
     /**
      * Knex returns `datetime` and `date` columns as Date.. This is wrong for date / datetime, as those
      * shouldn't return with time / timezone info respectively

package/dist/services/payload.js

@@ -7,8 +7,9 @@ import { unflatten } from 'flat';
 import Joi from 'joi';
 import { clone, cloneDeep, isNil, isObject, isPlainObject, pick } from 'lodash-es';
 import { parse as wktToGeoJSON } from 'wellknown';
-import { getHelpers } from '../database/helpers/index.js';
+import { getFunctions, getHelpers } from '../database/helpers/index.js';
 import getDatabase from '../database/index.js';
+import { useLogger } from '../logger/index.js';
 import { decrypt, encrypt } from '../utils/encrypt.js';
 import { generateHash } from '../utils/generate-hash.js';
 import { getSecret } from '../utils/get-secret.js';
@@ -133,7 +134,13 @@ export class PayloadService {
                 // In-system calls can still get the decrypted value
                 if (accountability === null) {
                     const key = getSecret();
-                    return await decrypt(value, key);
+                    try {
+                        return await decrypt(value, key);
+                    }
+                    catch (err) {
+                        useLogger().warn(`Failed to decrypt field value: ${err.message}`);
+                        return null;
+                    }
                 }
                 // Requests from the API entrypoints have accountability and shouldn't get the raw value
                 return '**********';
@@ -177,6 +184,9 @@ export class PayloadService {
         }
         this.processGeometries(fieldEntries, processedPayload, action);
         this.processDates(fieldEntries, processedPayload, action, aliasMap, aggregate);
+        if (action === 'read') {
+            this.processJsonFunctionResults(processedPayload, aliasMap);
+        }
         if (['create', 'update'].includes(action)) {
             processedPayload.forEach((record) => {
                 for (const [key, value] of Object.entries(record)) {
@@ -260,6 +270,21 @@ export class PayloadService {
         }
         return payloads;
     }
+    /**
+     * When accessing JSON paths that contain objects or arrays, certain databases return stringified
+     * JSON (MySQL, SQLite, MSSQL, Oracle). The fn helper's parseJsonResult handles this per-dialect —
+     * vendors whose drivers already deserialize the result (e.g. pg for PostgreSQL) use a no-op.
+     */
+    processJsonFunctionResults(payloads, aliasMap = {}) {
+        const fn = getFunctions(this.knex, this.schema);
+        for (const [aliasField, originalField] of Object.entries(aliasMap)) {
+            if (!originalField.startsWith('json(') || !originalField.endsWith(')'))
+                continue;
+            for (const payload of payloads) {
+                payload[aliasField] = fn.parseJsonResult(payload[aliasField]);
+            }
+        }
+    }
     /**
      * Knex returns `datetime` and `date` columns as Date.. This is wrong for date / datetime, as those
      * shouldn't return with time / timezone info respectively

package/dist/services/server.js

@@ -62,7 +62,7 @@ export class ServerService {
             info['mcp_enabled'] = toBoolean(env['MCP_ENABLED'] ?? true);
             info['ai_enabled'] = toBoolean(env['AI_ENABLED'] ?? true);
             info['files'] = {
-                mimeTypeAllowList: env['FILES_MIME_TYPE_ALLOW_LIST'],
+                mimeTypeAllowList: toArray(env['FILES_MIME_TYPE_ALLOW_LIST']),
             };
             if (env['RATE_LIMITER_ENABLED']) {
                 info['rateLimit'] = {

package/dist/services/users.js

@@ -8,6 +8,7 @@ import Joi from 'joi';
 import jwt from 'jsonwebtoken';
 import { isEmpty } from 'lodash-es';
 import { clearSystemCache } from '../cache.js';
+import { DEFAULT_AUTH_PROVIDER } from '../constants.js';
 import getDatabase from '../database/index.js';
 import { useLogger } from '../logger/index.js';
 import { validateRemainingAdminUsers } from '../permissions/modules/validate-remaining-admin/validate-remaining-admin-users.js';
@@ -109,7 +110,7 @@ export class UsersService extends ItemsService {
      */
     async getUserByEmail(email) {
         return this.knex
-            .select('id', 'role', 'status', 'password', 'email')
+            .select('id', 'role', 'status', 'password', 'email', 'provider')
             .from('directus_users')
             .whereRaw(`LOWER(??) = ?`, ['email', email.toLowerCase()])
             .first();
@@ -459,6 +460,10 @@ export class UsersService extends ItemsService {
             await stall(STALL_TIME, timeStart);
             throw new ForbiddenError();
         }
+        if (user.provider !== DEFAULT_AUTH_PROVIDER) {
+            await stall(STALL_TIME, timeStart);
+            throw new ForbiddenError();
+        }
         const mailService = new MailService({
             schema: this.schema,
             knex: this.knex,

package/dist/utils/get-field-relational-depth.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Counts the number of relational segments in a field path. Handles function syntax
+ * (e.g. json(), year()) by counting relational segments in the prefix and in the first argument
+ * separately, while ignoring subsequent arguments (e.g. json paths).
+ *
+ * @example
+ * getFieldRelationalDepth('a.b.c')                              // 3
+ * getFieldRelationalDepth('year(user.date_created)')            // 2
+ * getFieldRelationalDepth('category_id.json(metadata, a.b.c)') // 2
+ * getFieldRelationalDepth('json(a.b.field, some.path)')         // 3
+ * getFieldRelationalDepth('json(metadata, path.to.value)')      // 1
+ */
+export declare function getFieldRelationalDepth(field: string): number;

package/dist/utils/get-field-relational-depth.js

@@ -0,0 +1,22 @@
+/**
+ * Counts the number of relational segments in a field path. Handles function syntax
+ * (e.g. json(), year()) by counting relational segments in the prefix and in the first argument
+ * separately, while ignoring subsequent arguments (e.g. json paths).
+ *
+ * @example
+ * getFieldRelationalDepth('a.b.c')                              // 3
+ * getFieldRelationalDepth('year(user.date_created)')            // 2
+ * getFieldRelationalDepth('category_id.json(metadata, a.b.c)') // 2
+ * getFieldRelationalDepth('json(a.b.field, some.path)')         // 3
+ * getFieldRelationalDepth('json(metadata, path.to.value)')      // 1
+ */
+export function getFieldRelationalDepth(field) {
+    const openParenIndex = field.indexOf('(');
+    if (openParenIndex === -1) {
+        return field.split('.').length;
+    }
+    const functionDepth = field.slice(0, openParenIndex).split('.').length - 1;
+    const commaIndex = field.indexOf(',', openParenIndex);
+    const fieldDepth = field.slice(openParenIndex, commaIndex).split('.').length;
+    return functionDepth + fieldDepth;
+}

package/dist/utils/parse-value.d.ts

@@ -0,0 +1,4 @@
+/**
+ * Parse a value that might be a JSON string, returning a typed result or fallback.
+ */
+export declare function parseValue<T>(value: unknown, fallback: T): T;

package/dist/utils/parse-value.js

@@ -0,0 +1,11 @@
+import { parseJSON } from '@directus/utils';
+/**
+ * Parse a value that might be a JSON string, returning a typed result or fallback.
+ */
+export function parseValue(value, fallback) {
+    if (!value)
+        return fallback;
+    if (typeof value === 'string')
+        return parseJSON(value);
+    return value;
+}