directus 9.2.0 → 9.4.0

package/dist/utils/merge-permissions-for-share.js

@@ -0,0 +1,116 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getFilterForPath = exports.traverse = exports.mergePermissionsForShare = void 0;
+const lodash_1 = require("lodash");
+const merge_permissions_1 = require("./merge-permissions");
+const app_access_permissions_1 = require("../database/system-data/app-access-permissions");
+const reduce_schema_1 = require("./reduce-schema");
+function mergePermissionsForShare(currentPermissions, accountability, schema) {
+    const defaults = {
+        action: 'read',
+        role: accountability.role,
+        collection: '',
+        permissions: {},
+        validation: null,
+        presets: null,
+        fields: null,
+    };
+    const { collection, item } = accountability.share_scope;
+    const parentPrimaryKeyField = schema.collections[collection].primary;
+    const reducedSchema = (0, reduce_schema_1.reduceSchema)(schema, currentPermissions, ['read']);
+    const relationalPermissions = traverse(reducedSchema, parentPrimaryKeyField, item, collection);
+    const parentCollectionPermission = (0, lodash_1.assign)({}, defaults, {
+        collection,
+        permissions: {
+            [parentPrimaryKeyField]: {
+                _eq: item,
+            },
+        },
+    });
+    // All permissions that will be merged into the original permissions set
+    const allGeneratedPermissions = [
+        parentCollectionPermission,
+        ...relationalPermissions.map((generated) => (0, lodash_1.assign)({}, defaults, generated)),
+        ...app_access_permissions_1.schemaPermissions,
+    ];
+    // All the collections that are touched through the relational tree from the current root collection, and the schema collections
+    const allowedCollections = (0, lodash_1.uniq)(allGeneratedPermissions.map(({ collection }) => collection));
+    const generatedPermissions = [];
+    // Merge all the permissions that relate to the same collection with an _or (this allows you to properly retrieve)
+    // the items of a collection if you entered that collection from multiple angles
+    for (const collection of allowedCollections) {
+        const permissionsForCollection = allGeneratedPermissions.filter((permission) => permission.collection === collection);
+        if (permissionsForCollection.length > 0) {
+            generatedPermissions.push(...(0, merge_permissions_1.mergePermissions)('or', permissionsForCollection));
+        }
+        else {
+            generatedPermissions.push(...permissionsForCollection);
+        }
+    }
+    // Explicitly filter out permissions to collections unrelated to the root parent item.
+    const limitedPermissions = currentPermissions.filter(({ collection }) => allowedCollections.includes(collection));
+    return (0, merge_permissions_1.mergePermissions)('and', limitedPermissions, generatedPermissions);
+}
+exports.mergePermissionsForShare = mergePermissionsForShare;
+function traverse(schema, rootItemPrimaryKeyField, rootItemPrimaryKey, currentCollection, parentCollections = [], path = []) {
+    var _a, _b, _c;
+    const permissions = [];
+    // If there's already a permissions rule for the collection we're currently checking, we'll shortcircuit.
+    // This prevents infinite loop in recursive relationships, like articles->related_articles->articles, or
+    // articles.author->users.avatar->files.created_by->users.avatar->files.created_by->🔁
+    if (parentCollections.includes(currentCollection)) {
+        return permissions;
+    }
+    const relationsInCollection = schema.relations.filter((relation) => {
+        return relation.collection === currentCollection || relation.related_collection === currentCollection;
+    });
+    for (const relation of relationsInCollection) {
+        let type;
+        if (relation.related_collection === currentCollection) {
+            type = 'o2m';
+        }
+        else if (!relation.related_collection) {
+            type = 'a2o';
+        }
+        else {
+            type = 'm2o';
+        }
+        if (type === 'o2m') {
+            permissions.push({
+                collection: relation.collection,
+                permissions: getFilterForPath(type, [...path, relation.field], rootItemPrimaryKeyField, rootItemPrimaryKey),
+            });
+            permissions.push(...traverse(schema, rootItemPrimaryKeyField, rootItemPrimaryKey, relation.collection, [...parentCollections, currentCollection], [...path, relation.field]));
+        }
+        if (type === 'a2o' && ((_a = relation.meta) === null || _a === void 0 ? void 0 : _a.one_allowed_collections)) {
+            for (const collection of relation.meta.one_allowed_collections) {
+                permissions.push({
+                    collection,
+                    permissions: getFilterForPath(type, [...path, `$FOLLOW(${relation.collection},${relation.field},${relation.meta.one_collection_field})`], rootItemPrimaryKeyField, rootItemPrimaryKey),
+                });
+            }
+        }
+        if (type === 'm2o') {
+            permissions.push({
+                collection: relation.related_collection,
+                permissions: getFilterForPath(type, [...path, `$FOLLOW(${relation.collection},${relation.field})`], rootItemPrimaryKeyField, rootItemPrimaryKey),
+            });
+            if ((_b = relation.meta) === null || _b === void 0 ? void 0 : _b.one_field) {
+                permissions.push(...traverse(schema, rootItemPrimaryKeyField, rootItemPrimaryKey, relation.related_collection, [...parentCollections, currentCollection], [...path, (_c = relation.meta) === null || _c === void 0 ? void 0 : _c.one_field]));
+            }
+        }
+    }
+    return permissions;
+}
+exports.traverse = traverse;
+function getFilterForPath(type, path, rootPrimaryKeyField, rootPrimaryKey) {
+    const filter = {};
+    if (type === 'm2o' || type === 'a2o') {
+        (0, lodash_1.set)(filter, path.reverse(), { [rootPrimaryKeyField]: { _eq: rootPrimaryKey } });
+    }
+    else {
+        (0, lodash_1.set)(filter, path.reverse(), { _eq: rootPrimaryKey });
+    }
+    return filter;
+}
+exports.getFilterForPath = getFilterForPath;

package/dist/utils/merge-permissions.d.ts

@@ -1,2 +1,14 @@
+/// <reference types="lodash" />
 import { Permission } from '@directus/shared/types';
-export declare function mergePermissions(...permissions: Permission[][]): Permission[];
+export declare function mergePermissions(strategy: 'and' | 'or', ...permissions: Permission[][]): Permission[];
+export declare function mergePermission(strategy: 'and' | 'or', currentPerm: Permission, newPerm: Permission): import("lodash").Omit<{
+    permissions: import("@directus/shared/types").Filter | null;
+    validation: import("@directus/shared/types").Filter | null;
+    fields: string[] | null;
+    presets: Record<string, any> | null;
+    id?: number | undefined;
+    role: string | null;
+    collection: string;
+    action: import("@directus/shared/types").PermissionsAction;
+    system?: true | undefined;
+}, "id" | "system">;

package/dist/utils/merge-permissions.js

@@ -1,66 +1,73 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.mergePermissions = void 0;
+exports.mergePermission = exports.mergePermissions = void 0;
 const lodash_1 = require("lodash");
-function mergePermissions(...permissions) {
+function mergePermissions(strategy, ...permissions) {
     const allPermissions = (0, lodash_1.flatten)(permissions);
     const mergedPermissions = allPermissions
         .reduce((acc, val) => {
         const key = `${val.collection}__${val.action}__${val.role || '$PUBLIC'}`;
         const current = acc.get(key);
-        acc.set(key, current ? mergePerm(current, val) : val);
+        acc.set(key, current ? mergePermission(strategy, current, val) : val);
         return acc;
     }, new Map())
         .values();
-    const result = Array.from(mergedPermissions).map((perm) => {
-        return (0, lodash_1.omit)(perm, ['id', 'system']);
-    });
-    return result;
+    return Array.from(mergedPermissions);
 }
 exports.mergePermissions = mergePermissions;
-function mergePerm(currentPerm, newPerm) {
+function mergePermission(strategy, currentPerm, newPerm) {
+    const logicalKey = `_${strategy}`;
     let permissions = currentPerm.permissions;
     let validation = currentPerm.validation;
     let fields = currentPerm.fields;
     let presets = currentPerm.presets;
-    if (newPerm.permissions && !(0, lodash_1.isEmpty)(newPerm.permissions)) {
-        if (currentPerm.permissions && Object.keys(currentPerm.permissions)[0] === '_or') {
+    if (newPerm.permissions) {
+        if (currentPerm.permissions && Object.keys(currentPerm.permissions)[0] === logicalKey) {
             permissions = {
-                _or: [...currentPerm.permissions._or, newPerm.permissions],
+                [logicalKey]: [
+                    ...currentPerm.permissions[logicalKey],
+                    newPerm.permissions,
+                ],
             };
         }
-        else if (currentPerm.permissions && !(0, lodash_1.isEmpty)(currentPerm.permissions)) {
+        else if (currentPerm.permissions) {
             permissions = {
-                _or: [currentPerm.permissions, newPerm.permissions],
+                [logicalKey]: [currentPerm.permissions, newPerm.permissions],
             };
         }
         else {
             permissions = {
-                _or: [newPerm.permissions],
+                [logicalKey]: [newPerm.permissions],
             };
         }
     }
     if (newPerm.validation) {
-        if (currentPerm.validation && Object.keys(currentPerm.validation)[0] === '_or') {
+        if (currentPerm.validation && Object.keys(currentPerm.validation)[0] === logicalKey) {
             validation = {
-                _or: [...currentPerm.validation._or, newPerm.validation],
+                [logicalKey]: [
+                    ...currentPerm.validation[logicalKey],
+                    newPerm.validation,
+                ],
             };
         }
         else if (currentPerm.validation) {
             validation = {
-                _or: [currentPerm.validation, newPerm.validation],
+                [logicalKey]: [currentPerm.validation, newPerm.validation],
             };
         }
         else {
             validation = {
-                _or: [newPerm.validation],
+                [logicalKey]: [newPerm.validation],
             };
         }
     }
     if (newPerm.fields) {
-        if (Array.isArray(currentPerm.fields)) {
+        if (Array.isArray(currentPerm.fields) && strategy === 'or') {
             fields = [...new Set([...currentPerm.fields, ...newPerm.fields])];
         }
+        else if (Array.isArray(currentPerm.fields) && strategy === 'and') {
+            fields = (0, lodash_1.intersection)(currentPerm.fields, newPerm.fields);
+        }
         else {
             fields = newPerm.fields;
         }
@@ -70,11 +77,12 @@ function mergePerm(currentPerm, newPerm) {
     if (newPerm.presets) {
         presets = (0, lodash_1.merge)({}, presets, newPerm.presets);
     }
-    return {
+    return (0, lodash_1.omit)({
         ...currentPerm,
         permissions,
         validation,
         fields,
         presets,
-    };
+    }, ['id', 'system']);
 }
+exports.mergePermission = mergePermission;

package/dist/utils/reduce-schema.d.ts

@@ -1,5 +1,5 @@
 import { SchemaOverview } from '../types';
-import { Accountability, PermissionsAction } from '@directus/shared/types';
+import { Permission, PermissionsAction } from '@directus/shared/types';
 /**
  * Reduces the schema based on the included permissions. The resulting object is the schema structure, but with only
  * the allowed collections/fields/relations included based on the permissions.
@@ -7,4 +7,4 @@ import { Accountability, PermissionsAction } from '@directus/shared/types';
  * @param actions Array of permissions actions (crud)
  * @returns Reduced schema
  */
-export declare function reduceSchema(schema: SchemaOverview, accountability: Accountability | null, actions?: PermissionsAction[]): SchemaOverview;
+export declare function reduceSchema(schema: SchemaOverview, permissions: Permission[] | null, actions?: PermissionsAction[]): SchemaOverview;

package/dist/utils/reduce-schema.js

@@ -9,13 +9,13 @@ const lodash_1 = require("lodash");
  * @param actions Array of permissions actions (crud)
  * @returns Reduced schema
  */
-function reduceSchema(schema, accountability, actions = ['create', 'read', 'update', 'delete']) {
-    var _a, _b, _c, _d, _e;
+function reduceSchema(schema, permissions, actions = ['create', 'read', 'update', 'delete']) {
+    var _a, _b, _c;
     const reduced = {
         collections: {},
         relations: [],
     };
-    const allowedFieldsInCollection = (_b = (_a = accountability === null || accountability === void 0 ? void 0 : accountability.permissions) === null || _a === void 0 ? void 0 : _a.filter((permission) => actions.includes(permission.action)).reduce((acc, permission) => {
+    const allowedFieldsInCollection = (_a = permissions === null || permissions === void 0 ? void 0 : permissions.filter((permission) => actions.includes(permission.action)).reduce((acc, permission) => {
         if (!acc[permission.collection]) {
             acc[permission.collection] = [];
         }
@@ -23,13 +23,13 @@ function reduceSchema(schema, accountability, actions = ['create', 'read', 'upda
             acc[permission.collection] = (0, lodash_1.uniq)([...acc[permission.collection], ...permission.fields]);
         }
         return acc;
-    }, {})) !== null && _b !== void 0 ? _b : {};
+    }, {})) !== null && _a !== void 0 ? _a : {};
     for (const [collectionName, collection] of Object.entries(schema.collections)) {
-        if ((_c = accountability === null || accountability === void 0 ? void 0 : accountability.permissions) === null || _c === void 0 ? void 0 : _c.some((permission) => permission.collection === collectionName && actions.includes(permission.action))) {
+        if (permissions === null || permissions === void 0 ? void 0 : permissions.some((permission) => permission.collection === collectionName && actions.includes(permission.action))) {
             const fields = {};
             for (const [fieldName, field] of Object.entries(schema.collections[collectionName].fields)) {
-                if (((_d = allowedFieldsInCollection[collectionName]) === null || _d === void 0 ? void 0 : _d.includes('*')) ||
-                    ((_e = allowedFieldsInCollection[collectionName]) === null || _e === void 0 ? void 0 : _e.includes(fieldName))) {
+                if (((_b = allowedFieldsInCollection[collectionName]) === null || _b === void 0 ? void 0 : _b.includes('*')) ||
+                    ((_c = allowedFieldsInCollection[collectionName]) === null || _c === void 0 ? void 0 : _c.includes(fieldName))) {
                     fields[fieldName] = field;
                 }
             }

package/dist/utils/user-name.js

@@ -2,6 +2,9 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.userName = void 0;
 function userName(user) {
+    if (!user) {
+        return 'Unknown User';
+    }
     if (user.first_name && user.last_name) {
         return `${user.first_name} ${user.last_name}`;
     }

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "directus",
-	"version": "9.2.0",
+	"version": "9.4.0",
 	"license": "GPL-3.0-only",
 	"homepage": "https://github.com/directus/directus#readme",
 	"description": "Directus is a real-time API and App dashboard for managing SQL database content.",
@@ -76,16 +76,16 @@
 	],
 	"dependencies": {
 		"@aws-sdk/client-ses": "^3.40.0",
-		"@directus/app": "9.2.0",
-		"@directus/drive": "9.2.0",
-		"@directus/drive-azure": "9.2.0",
-		"@directus/drive-gcs": "9.2.0",
-		"@directus/drive-s3": "9.2.0",
-		"@directus/extensions-sdk": "9.2.0",
-		"@directus/format-title": "9.2.0",
-		"@directus/schema": "9.2.0",
-		"@directus/shared": "9.2.0",
-		"@directus/specs": "9.2.0",
+		"@directus/app": "9.4.0",
+		"@directus/drive": "9.4.0",
+		"@directus/drive-azure": "9.4.0",
+		"@directus/drive-gcs": "9.4.0",
+		"@directus/drive-s3": "9.4.0",
+		"@directus/extensions-sdk": "9.4.0",
+		"@directus/format-title": "9.4.0",
+		"@directus/schema": "9.4.0",
+		"@directus/shared": "9.4.0",
+		"@directus/specs": "9.4.0",
 		"@godaddy/terminus": "^4.9.0",
 		"@rollup/plugin-alias": "^3.1.2",
 		"@rollup/plugin-virtual": "^2.0.3",
@@ -169,7 +169,7 @@
 		"sqlite3": "^5.0.2",
 		"tedious": "^13.0.0"
 	},
-	"gitHead": "776c105aacfda559a1ebf49cb2220599652f6c48",
+	"gitHead": "a47b9cec0f24a7585108744b3c816bfc620297c4",
 	"devDependencies": {
 		"@types/async": "3.2.10",
 		"@types/atob": "2.1.2",
@@ -199,7 +199,7 @@
 		"@types/nodemailer": "6.4.4",
 		"@types/object-hash": "2.2.1",
 		"@types/qs": "6.9.7",
-		"@types/sanitize-html": "^2.5.0",
+		"@types/sanitize-html": "2.5.0",
 		"@types/sharp": "0.29.4",
 		"@types/stream-json": "1.7.1",
 		"@types/supertest": "2.0.11",
@@ -209,6 +209,7 @@
 		"copyfiles": "2.4.1",
 		"cross-env": "7.0.3",
 		"jest": "27.3.1",
+		"knex-mock-client": "1.6.1",
 		"ts-jest": "27.0.7",
 		"ts-node-dev": "1.1.8",
 		"typescript": "4.5.2"