directus 9.2.1 → 9.2.2

package/dist/auth/drivers/ldap.js

@@ -87,6 +87,12 @@ class LDAPAuthDriver extends auth_1.AuthDriver {
                         }
                     });
                 });
+                res.on('end', (result) => {
+                    if ((result === null || result === void 0 ? void 0 : result.status) === 0) {
+                        // Handle edge case with IBM systems where authenticated bind user could not fetch their DN
+                        reject(new exceptions_1.UnexpectedResponseException('Failed to find bind user record'));
+                    }
+                });
             });
         });
     }

package/dist/exceptions/index.d.ts

@@ -15,3 +15,4 @@ export * from './route-not-found';
 export * from './service-unavailable';
 export * from './unprocessable-entity';
 export * from './user-suspended';
+export * from './unexpected-response';

package/dist/exceptions/index.js

@@ -27,3 +27,4 @@ __exportStar(require("./route-not-found"), exports);
 __exportStar(require("./service-unavailable"), exports);
 __exportStar(require("./unprocessable-entity"), exports);
 __exportStar(require("./user-suspended"), exports);
+__exportStar(require("./unexpected-response"), exports);

package/dist/exceptions/unexpected-response.d.ts

@@ -0,0 +1,4 @@
+import { BaseException } from '@directus/shared/exceptions';
+export declare class UnexpectedResponseException extends BaseException {
+    constructor(message: string);
+}

package/dist/exceptions/unexpected-response.js

@@ -0,0 +1,10 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.UnexpectedResponseException = void 0;
+const exceptions_1 = require("@directus/shared/exceptions");
+class UnexpectedResponseException extends exceptions_1.BaseException {
+    constructor(message) {
+        super(message, 503, 'UNEXPECTED_RESPONSE');
+    }
+}
+exports.UnexpectedResponseException = UnexpectedResponseException;

package/dist/services/users.js

@@ -19,6 +19,7 @@ const mail_1 = require("./mail");
 const settings_1 = require("./settings");
 const stall_1 = require("../utils/stall");
 const perf_hooks_1 = require("perf_hooks");
+const utils_2 = require("@directus/shared/utils");
 class UsersService extends items_1.ItemsService {
     constructor(options) {
         super('directus_users', options);
@@ -251,7 +252,7 @@ class UsersService extends items_1.ItemsService {
         }
         const STALL_TIME = 500;
         const timeStart = perf_hooks_1.performance.now();
-        const user = await this.knex.select('status').from('directus_users').where({ email }).first();
+        const user = await this.knex.select('status', 'password').from('directus_users').where({ email }).first();
         if ((user === null || user === void 0 ? void 0 : user.status) !== 'active') {
             await (0, stall_1.stall)(STALL_TIME, timeStart);
             throw new exceptions_2.ForbiddenException();
@@ -261,7 +262,7 @@ class UsersService extends items_1.ItemsService {
             knex: this.knex,
             accountability: this.accountability,
         });
-        const payload = { email, scope: 'password-reset' };
+        const payload = { email, scope: 'password-reset', hash: (0, utils_2.getSimpleHash)('' + user.password) };
         const token = jsonwebtoken_1.default.sign(payload, env_1.default.SECRET, { expiresIn: '1d', issuer: 'directus' });
         const acceptURL = url ? `${url}?token=${token}` : `${env_1.default.PUBLIC_URL}/admin/reset-password?token=${token}`;
         const subjectLine = subject ? subject : 'Password Reset Request';
@@ -279,11 +280,12 @@ class UsersService extends items_1.ItemsService {
         await (0, stall_1.stall)(STALL_TIME, timeStart);
     }
     async resetPassword(token, password) {
-        const { email, scope } = jsonwebtoken_1.default.verify(token, env_1.default.SECRET, { issuer: 'directus' });
-        if (scope !== 'password-reset')
+        const { email, scope, hash } = jsonwebtoken_1.default.verify(token, env_1.default.SECRET, { issuer: 'directus' });
+        if (scope !== 'password-reset' || !hash)
             throw new exceptions_2.ForbiddenException();
-        const user = await this.knex.select('id', 'status').from('directus_users').where({ email }).first();
-        if ((user === null || user === void 0 ? void 0 : user.status) !== 'active') {
+        await this.checkPasswordPolicy([password]);
+        const user = await this.knex.select('id', 'status', 'password').from('directus_users').where({ email }).first();
+        if ((user === null || user === void 0 ? void 0 : user.status) !== 'active' || hash !== (0, utils_2.getSimpleHash)('' + user.password)) {
             throw new exceptions_2.ForbiddenException();
         }
         // Allow unauthenticated update

package/dist/tests/database/migrations/run.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/tests/database/migrations/run.test.js

@@ -0,0 +1,29 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const knex_1 = __importDefault(require("knex"));
+const knex_mock_client_1 = require("knex-mock-client");
+const run_1 = __importDefault(require("../../../database/migrations/run"));
+describe('run', () => {
+    let db;
+    let tracker;
+    beforeAll(() => {
+        db = (0, knex_1.default)({ client: knex_mock_client_1.MockClient });
+        tracker = (0, knex_mock_client_1.getTracker)();
+    });
+    afterEach(() => {
+        tracker.reset();
+    });
+    describe('when passed the argument up', () => {
+        it('returns "Nothing To Updage" if no directus_migrations', async () => {
+            // note the difference between an empty array and ['Empty']
+            tracker.on.select('directus_migrations').response(['Empty']);
+            await (0, run_1.default)(db, 'up').catch((e) => {
+                expect(e).toBeInstanceOf(Error);
+                expect(e.message).toBe('Nothing to upgrade');
+            });
+        });
+    });
+});

package/dist/utils/get-permissions.d.ts

@@ -1,3 +1,3 @@
-import { Accountability } from '@directus/shared/types';
+import { Permission, Accountability } from '@directus/shared/types';
 import { SchemaOverview } from '../types';
-export declare function getPermissions(accountability: Accountability, schema: SchemaOverview): Promise<any>;
+export declare function getPermissions(accountability: Accountability, schema: SchemaOverview): Promise<Permission[]>;

package/dist/utils/get-permissions.js

@@ -16,14 +16,31 @@ const object_hash_1 = __importDefault(require("object-hash"));
 const env_1 = __importDefault(require("../env"));
 async function getPermissions(accountability, schema) {
     const database = (0, database_1.default)();
-    const { systemCache } = (0, cache_1.getCache)();
+    const { systemCache, cache } = (0, cache_1.getCache)();
     let permissions = [];
     const { user, role, app, admin } = accountability;
     const cacheKey = `permissions-${(0, object_hash_1.default)({ user, role, app, admin })}`;
     if (env_1.default.CACHE_PERMISSIONS !== false) {
         const cachedPermissions = await systemCache.get(cacheKey);
         if (cachedPermissions) {
-            return cachedPermissions;
+            if (!cachedPermissions.containDynamicData) {
+                return processPermissions(accountability, cachedPermissions.permissions, {});
+            }
+            const cachedFilterContext = await (cache === null || cache === void 0 ? void 0 : cache.get(`filterContext-${(0, object_hash_1.default)({ user, role, permissions: cachedPermissions.permissions })}`));
+            if (cachedFilterContext) {
+                return processPermissions(accountability, cachedPermissions.permissions, cachedFilterContext);
+            }
+            else {
+                const { permissions: parsedPermissions, requiredPermissionData, containDynamicData, } = parsePermissions(cachedPermissions.permissions);
+                permissions = parsedPermissions;
+                const filterContext = containDynamicData
+                    ? await getFilterContext(schema, accountability, requiredPermissionData)
+                    : {};
+                if (containDynamicData && env_1.default.CACHE_ENABLED !== false) {
+                    await (cache === null || cache === void 0 ? void 0 : cache.set(`filterContext-${(0, object_hash_1.default)({ user, role, permissions })}`, filterContext));
+                }
+                return processPermissions(accountability, permissions, filterContext);
+            }
         }
     }
     if (accountability.admin !== true) {
@@ -31,76 +48,96 @@ async function getPermissions(accountability, schema) {
             .select('*')
             .from('directus_permissions')
             .where({ role: accountability.role });
-        const requiredPermissionData = {
-            $CURRENT_USER: [],
-            $CURRENT_ROLE: [],
-        };
-        permissions = permissionsForRole.map((permissionRaw) => {
-            const permission = (0, lodash_1.cloneDeep)(permissionRaw);
-            if (permission.permissions && typeof permission.permissions === 'string') {
-                permission.permissions = JSON.parse(permission.permissions);
-            }
-            else if (permission.permissions === null) {
-                permission.permissions = {};
-            }
-            if (permission.validation && typeof permission.validation === 'string') {
-                permission.validation = JSON.parse(permission.validation);
-            }
-            else if (permission.validation === null) {
-                permission.validation = {};
-            }
-            if (permission.presets && typeof permission.presets === 'string') {
-                permission.presets = JSON.parse(permission.presets);
-            }
-            else if (permission.presets === null) {
-                permission.presets = {};
-            }
-            if (permission.fields && typeof permission.fields === 'string') {
-                permission.fields = permission.fields.split(',');
-            }
-            else if (permission.fields === null) {
-                permission.fields = [];
-            }
-            const extractPermissionData = (val) => {
-                if (typeof val === 'string' && val.startsWith('$CURRENT_USER.')) {
-                    requiredPermissionData.$CURRENT_USER.push(val.replace('$CURRENT_USER.', ''));
-                }
-                if (typeof val === 'string' && val.startsWith('$CURRENT_ROLE.')) {
-                    requiredPermissionData.$CURRENT_ROLE.push(val.replace('$CURRENT_ROLE.', ''));
-                }
-                return val;
-            };
-            (0, utils_1.deepMap)(permission.permissions, extractPermissionData);
-            (0, utils_1.deepMap)(permission.validation, extractPermissionData);
-            (0, utils_1.deepMap)(permission.presets, extractPermissionData);
-            return permission;
-        });
+        const { permissions: parsedPermissions, requiredPermissionData, containDynamicData, } = parsePermissions(permissionsForRole);
+        permissions = parsedPermissions;
         if (accountability.app === true) {
             permissions = (0, merge_permissions_1.mergePermissions)(permissions, app_access_permissions_1.appAccessMinimalPermissions.map((perm) => ({ ...perm, role: accountability.role })));
         }
-        const usersService = new users_1.UsersService({ schema });
-        const rolesService = new roles_1.RolesService({ schema });
-        const filterContext = {};
-        if (accountability.user && requiredPermissionData.$CURRENT_USER.length > 0) {
-            filterContext.$CURRENT_USER = await usersService.readOne(accountability.user, {
-                fields: requiredPermissionData.$CURRENT_USER,
-            });
-        }
-        if (accountability.role && requiredPermissionData.$CURRENT_ROLE.length > 0) {
-            filterContext.$CURRENT_ROLE = await rolesService.readOne(accountability.role, {
-                fields: requiredPermissionData.$CURRENT_ROLE,
-            });
-        }
-        permissions = permissions.map((permission) => {
-            permission.permissions = (0, utils_1.parseFilter)(permission.permissions, accountability, filterContext);
-            permission.validation = (0, utils_1.parseFilter)(permission.validation, accountability, filterContext);
-            permission.presets = (0, utils_1.parseFilter)(permission.presets, accountability, filterContext);
-            return permission;
-        });
+        const filterContext = containDynamicData
+            ? await getFilterContext(schema, accountability, requiredPermissionData)
+            : {};
         if (env_1.default.CACHE_PERMISSIONS !== false) {
-            await systemCache.set(cacheKey, permissions);
+            await systemCache.set(cacheKey, { permissions, containDynamicData });
+            if (containDynamicData && env_1.default.CACHE_ENABLED !== false) {
+                await (cache === null || cache === void 0 ? void 0 : cache.set(`filterContext-${(0, object_hash_1.default)({ user, role, permissions })}`, filterContext));
+            }
         }
+        return processPermissions(accountability, permissions, filterContext);
     }
     return permissions;
 }
 exports.getPermissions = getPermissions;
+function parsePermissions(permissions) {
+    const requiredPermissionData = {
+        $CURRENT_USER: [],
+        $CURRENT_ROLE: [],
+    };
+    let containDynamicData = false;
+    permissions = permissions.map((permissionRaw) => {
+        const permission = (0, lodash_1.cloneDeep)(permissionRaw);
+        if (permission.permissions && typeof permission.permissions === 'string') {
+            permission.permissions = JSON.parse(permission.permissions);
+        }
+        else if (permission.permissions === null) {
+            permission.permissions = {};
+        }
+        if (permission.validation && typeof permission.validation === 'string') {
+            permission.validation = JSON.parse(permission.validation);
+        }
+        else if (permission.validation === null) {
+            permission.validation = {};
+        }
+        if (permission.presets && typeof permission.presets === 'string') {
+            permission.presets = JSON.parse(permission.presets);
+        }
+        else if (permission.presets === null) {
+            permission.presets = {};
+        }
+        if (permission.fields && typeof permission.fields === 'string') {
+            permission.fields = permission.fields.split(',');
+        }
+        else if (permission.fields === null) {
+            permission.fields = [];
+        }
+        const extractPermissionData = (val) => {
+            if (typeof val === 'string' && val.startsWith('$CURRENT_USER.')) {
+                requiredPermissionData.$CURRENT_USER.push(val.replace('$CURRENT_USER.', ''));
+                containDynamicData = true;
+            }
+            if (typeof val === 'string' && val.startsWith('$CURRENT_ROLE.')) {
+                requiredPermissionData.$CURRENT_ROLE.push(val.replace('$CURRENT_ROLE.', ''));
+                containDynamicData = true;
+            }
+            return val;
+        };
+        (0, utils_1.deepMap)(permission.permissions, extractPermissionData);
+        (0, utils_1.deepMap)(permission.validation, extractPermissionData);
+        (0, utils_1.deepMap)(permission.presets, extractPermissionData);
+        return permission;
+    });
+    return { permissions, requiredPermissionData, containDynamicData };
+}
+async function getFilterContext(schema, accountability, requiredPermissionData) {
+    const usersService = new users_1.UsersService({ schema });
+    const rolesService = new roles_1.RolesService({ schema });
+    const filterContext = {};
+    if (accountability.user && requiredPermissionData.$CURRENT_USER.length > 0) {
+        filterContext.$CURRENT_USER = await usersService.readOne(accountability.user, {
+            fields: requiredPermissionData.$CURRENT_USER,
+        });
+    }
+    if (accountability.role && requiredPermissionData.$CURRENT_ROLE.length > 0) {
+        filterContext.$CURRENT_ROLE = await rolesService.readOne(accountability.role, {
+            fields: requiredPermissionData.$CURRENT_ROLE,
+        });
+    }
+    return filterContext;
+}
+function processPermissions(accountability, permissions, filterContext) {
+    return permissions.map((permission) => {
+        permission.permissions = (0, utils_1.parseFilter)(permission.permissions, accountability, filterContext);
+        permission.validation = (0, utils_1.parseFilter)(permission.validation, accountability, filterContext);
+        permission.presets = (0, utils_1.parseFilter)(permission.presets, accountability, filterContext);
+        return permission;
+    });
+}

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "directus",
-	"version": "9.2.1",
+	"version": "9.2.2",
 	"license": "GPL-3.0-only",
 	"homepage": "https://github.com/directus/directus#readme",
 	"description": "Directus is a real-time API and App dashboard for managing SQL database content.",
@@ -76,16 +76,16 @@
 	],
 	"dependencies": {
 		"@aws-sdk/client-ses": "^3.40.0",
-		"@directus/app": "9.2.1",
-		"@directus/drive": "9.2.1",
-		"@directus/drive-azure": "9.2.1",
-		"@directus/drive-gcs": "9.2.1",
-		"@directus/drive-s3": "9.2.1",
-		"@directus/extensions-sdk": "9.2.1",
-		"@directus/format-title": "9.2.1",
-		"@directus/schema": "9.2.1",
-		"@directus/shared": "9.2.1",
-		"@directus/specs": "9.2.1",
+		"@directus/app": "9.2.2",
+		"@directus/drive": "9.2.2",
+		"@directus/drive-azure": "9.2.2",
+		"@directus/drive-gcs": "9.2.2",
+		"@directus/drive-s3": "9.2.2",
+		"@directus/extensions-sdk": "9.2.2",
+		"@directus/format-title": "9.2.2",
+		"@directus/schema": "9.2.2",
+		"@directus/shared": "9.2.2",
+		"@directus/specs": "9.2.2",
 		"@godaddy/terminus": "^4.9.0",
 		"@rollup/plugin-alias": "^3.1.2",
 		"@rollup/plugin-virtual": "^2.0.3",
@@ -169,7 +169,7 @@
 		"sqlite3": "^5.0.2",
 		"tedious": "^13.0.0"
 	},
-	"gitHead": "1d4e9c425c10bcdc5831ae63c1bd03649648eb5e",
+	"gitHead": "546d525175c7ecc6ac9c235b4ebf77a1ae209e10",
 	"devDependencies": {
 		"@types/async": "3.2.10",
 		"@types/atob": "2.1.2",
@@ -209,6 +209,7 @@
 		"copyfiles": "2.4.1",
 		"cross-env": "7.0.3",
 		"jest": "27.3.1",
+		"knex-mock-client": "^1.6.1",
 		"ts-jest": "27.0.7",
 		"ts-node-dev": "1.1.8",
 		"typescript": "4.5.2"