directus 9.2.1 → 9.4.1

package/dist/services/activity.js

@@ -5,7 +5,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.ActivityService = void 0;
 const types_1 = require("../types");
-const index_1 = require("./index");
+const items_1 = require("./items");
 const notifications_1 = require("./notifications");
 const users_1 = require("./users");
 const authorization_1 = require("./authorization");
@@ -16,7 +16,7 @@ const user_name_1 = require("../utils/user-name");
 const lodash_1 = require("lodash");
 const env_1 = __importDefault(require("../env"));
 const uuid_validate_1 = __importDefault(require("uuid-validate"));
-class ActivityService extends index_1.ItemsService {
+class ActivityService extends items_1.ItemsService {
     constructor(options) {
         super('directus_activity', options);
         this.notificationsService = new notifications_1.NotificationsService({ schema: this.schema });

package/dist/services/authentication.d.ts

@@ -1,6 +1,6 @@
 import { Knex } from 'knex';
 import { ActivityService } from './activity';
-import { AbstractServiceOptions, SchemaOverview } from '../types';
+import { AbstractServiceOptions, SchemaOverview, LoginResult } from '../types';
 import { Accountability } from '@directus/shared/types';
 export declare class AuthenticationService {
     knex: Knex;
@@ -14,12 +14,7 @@ export declare class AuthenticationService {
      * Password is optional to allow usage of this function within the SSO flow and extensions. Make sure
      * to handle password existence checks elsewhere
      */
-    login(providerName: string | undefined, payload: Record<string, any>, otp?: string): Promise<{
-        accessToken: any;
-        refreshToken: any;
-        expires: any;
-        id?: any;
-    }>;
+    login(providerName: string | undefined, payload: Record<string, any>, otp?: string): Promise<LoginResult>;
     refresh(refreshToken: string): Promise<Record<string, any>>;
     logout(refreshToken: string): Promise<void>;
     verifyPassword(userID: string, password: string): Promise<void>;

package/dist/services/authentication.js

@@ -21,7 +21,6 @@ const settings_1 = require("./settings");
 const lodash_1 = require("lodash");
 const perf_hooks_1 = require("perf_hooks");
 const stall_1 = require("../utils/stall");
-const logger_1 = __importDefault(require("../logger"));
 const loginAttemptsLimiter = (0, rate_limiter_1.createRateLimiter)({ duration: 0 });
 class AuthenticationService {
     constructor(options) {
@@ -42,10 +41,11 @@ class AuthenticationService {
         const timeStart = perf_hooks_1.performance.now();
         const provider = (0, auth_1.getAuthProvider)(providerName);
         const user = await this.knex
-            .select('id', 'first_name', 'last_name', 'email', 'password', 'status', 'role', 'tfa_secret', 'provider', 'external_identifier', 'auth_data')
-            .from('directus_users')
-            .where('id', await provider.getUserID((0, lodash_1.cloneDeep)(payload)))
-            .andWhere('provider', providerName)
+            .select('u.id', 'u.first_name', 'u.last_name', 'u.email', 'u.password', 'u.status', 'u.role', 'r.admin_access', 'r.app_access', 'u.tfa_secret', 'u.provider', 'u.external_identifier', 'u.auth_data')
+            .from('directus_users as u')
+            .innerJoin('directus_roles as r', 'u.role', 'r.id')
+            .where('u.id', await provider.getUserID((0, lodash_1.cloneDeep)(payload)))
+            .andWhere('u.provider', providerName)
             .first();
         const updatedPayload = await emitter_1.default.emitFilter('auth.login', payload, {
             status: 'pending',
@@ -98,9 +98,8 @@ class AuthenticationService {
                 await loginAttemptsLimiter.set(user.id, 0, 0);
             }
         }
-        let sessionData = null;
         try {
-            sessionData = await provider.login((0, lodash_1.clone)(user), (0, lodash_1.cloneDeep)(updatedPayload));
+            await provider.login((0, lodash_1.clone)(user), (0, lodash_1.cloneDeep)(updatedPayload));
         }
         catch (e) {
             emitStatus('fail');
@@ -123,6 +122,9 @@ class AuthenticationService {
         }
         const tokenPayload = {
             id: user.id,
+            role: user.role,
+            app_access: user.app_access,
+            admin_access: user.admin_access,
         };
         const customClaims = await emitter_1.default.emitFilter('auth.jwt', tokenPayload, {
             status: 'pending',
@@ -146,7 +148,6 @@ class AuthenticationService {
             expires: refreshTokenExpiration,
             ip: (_a = this.accountability) === null || _a === void 0 ? void 0 : _a.ip,
             user_agent: (_b = this.accountability) === null || _b === void 0 ? void 0 : _b.userAgent,
-            data: sessionData && JSON.stringify(sessionData),
         });
         await this.knex('directus_sessions').delete().where('expires', '<', new Date());
         if (this.accountability) {
@@ -177,33 +178,80 @@ class AuthenticationService {
             throw new exceptions_1.InvalidCredentialsException();
         }
         const record = await this.knex
-            .select('s.expires', 's.data', 'u.id', 'u.first_name', 'u.last_name', 'u.email', 'u.password', 'u.status', 'u.role', 'u.provider', 'u.external_identifier', 'u.auth_data')
-            .from('directus_sessions as s')
-            .innerJoin('directus_users as u', 's.user', 'u.id')
+            .select({
+            session_expires: 's.expires',
+            user_id: 'u.id',
+            user_first_name: 'u.first_name',
+            user_last_name: 'u.last_name',
+            user_email: 'u.email',
+            user_password: 'u.password',
+            user_status: 'u.status',
+            user_provider: 'u.provider',
+            user_external_identifier: 'u.external_identifier',
+            user_auth_data: 'u.auth_data',
+            role_id: 'r.id',
+            role_admin_access: 'r.admin_access',
+            role_app_access: 'r.app_access',
+            share_id: 'd.id',
+            share_item: 'd.item',
+            share_role: 'd.role',
+            share_collection: 'd.collection',
+            share_start: 'd.date_start',
+            share_end: 'd.date_end',
+            share_times_used: 'd.times_used',
+            share_max_uses: 'd.max_uses',
+        })
+            .from('directus_sessions AS s')
+            .leftJoin('directus_users AS u', 's.user', 'u.id')
+            .leftJoin('directus_shares AS d', 's.share', 'd.id')
+            .joinRaw('LEFT JOIN directus_roles AS r ON r.id IN (u.role, d.role)')
             .where('s.token', refreshToken)
+            .andWhere('s.expires', '>=', new Date())
+            .andWhere((subQuery) => {
+            subQuery.whereNull('d.date_end').orWhere('d.date_end', '>=', new Date());
+        })
+            .andWhere((subQuery) => {
+            subQuery.whereNull('d.date_start').orWhere('d.date_start', '<=', new Date());
+        })
             .first();
-        if (!record || record.expires < new Date()) {
+        if (!record || (!record.share_id && !record.user_id)) {
             throw new exceptions_1.InvalidCredentialsException();
         }
-        let { data: sessionData } = record;
-        const user = (0, lodash_1.omit)(record, 'data');
-        if (typeof sessionData === 'string') {
-            try {
-                sessionData = JSON.parse(sessionData);
-            }
-            catch {
-                logger_1.default.warn(`Session data isn't valid JSON: ${sessionData}`);
-            }
+        if (record.user_id) {
+            const provider = (0, auth_1.getAuthProvider)(record.user_provider);
+            await provider.refresh({
+                id: record.user_id,
+                first_name: record.user_first_name,
+                last_name: record.user_last_name,
+                email: record.user_email,
+                password: record.user_password,
+                status: record.user_status,
+                provider: record.user_provider,
+                external_identifier: record.user_external_identifier,
+                auth_data: record.user_auth_data,
+                role: record.role_id,
+                app_access: record.role_app_access,
+                admin_access: record.role_admin_access,
+            });
         }
-        const provider = (0, auth_1.getAuthProvider)(user.provider);
-        const newSessionData = await provider.refresh((0, lodash_1.clone)(user), sessionData);
         const tokenPayload = {
-            id: user.id,
+            id: record.user_id,
+            role: record.role_id,
+            app_access: record.role_app_access,
+            admin_access: record.role_admin_access,
         };
+        if (record.share_id) {
+            tokenPayload.share = record.share_id;
+            tokenPayload.role = record.share_role;
+            tokenPayload.share_scope = {
+                collection: record.share_collection,
+                item: record.share_item,
+            };
+        }
         const customClaims = await emitter_1.default.emitFilter('auth.jwt', tokenPayload, {
             status: 'pending',
-            user: user === null || user === void 0 ? void 0 : user.id,
-            provider: user.provider,
+            user: record.user_id,
+            provider: record.user_provider,
             type: 'refresh',
         }, {
             database: this.knex,
@@ -220,37 +268,29 @@ class AuthenticationService {
             .update({
             token: newRefreshToken,
             expires: refreshTokenExpiration,
-            data: newSessionData && JSON.stringify(newSessionData),
         })
             .where({ token: refreshToken });
-        await this.knex('directus_users').update({ last_access: new Date() }).where({ id: user.id });
+        if (record.user_id) {
+            await this.knex('directus_users').update({ last_access: new Date() }).where({ id: record.user_id });
+        }
         return {
             accessToken,
             refreshToken: newRefreshToken,
             expires: (0, ms_1.default)(env_1.default.ACCESS_TOKEN_TTL),
-            id: user.id,
+            id: record.user_id,
         };
     }
     async logout(refreshToken) {
         const record = await this.knex
-            .select('u.id', 'u.first_name', 'u.last_name', 'u.email', 'u.password', 'u.status', 'u.role', 'u.provider', 'u.external_identifier', 'u.auth_data', 's.data')
+            .select('u.id', 'u.first_name', 'u.last_name', 'u.email', 'u.password', 'u.status', 'u.role', 'u.provider', 'u.external_identifier', 'u.auth_data')
             .from('directus_sessions as s')
             .innerJoin('directus_users as u', 's.user', 'u.id')
             .where('s.token', refreshToken)
             .first();
         if (record) {
-            let { data: sessionData } = record;
-            const user = (0, lodash_1.omit)(record, 'data');
-            if (typeof sessionData === 'string') {
-                try {
-                    sessionData = JSON.parse(sessionData);
-                }
-                catch {
-                    logger_1.default.warn(`Session data isn't valid JSON: ${sessionData}`);
-                }
-            }
+            const user = record;
             const provider = (0, auth_1.getAuthProvider)(user.provider);
-            await provider.logout((0, lodash_1.clone)(user), sessionData);
+            await provider.logout((0, lodash_1.clone)(user));
             await this.knex.delete().from('directus_sessions').where('token', refreshToken);
         }
     }

package/dist/services/authorization.js

@@ -41,7 +41,7 @@ class AuthorizationService {
          */
         function getCollectionsFromAST(ast) {
             const collections = [];
-            if (ast.type === 'm2a') {
+            if (ast.type === 'a2o') {
                 collections.push(...ast.names.map((name) => ({ collection: name, field: ast.fieldKey })));
                 for (const children of Object.values(ast.children)) {
                     for (const nestedNode of children) {
@@ -67,7 +67,7 @@ class AuthorizationService {
         function validateFields(ast) {
             var _a, _b, _c;
             if (ast.type !== 'field') {
-                if (ast.type === 'm2a') {
+                if (ast.type === 'a2o') {
                     for (const [collection, children] of Object.entries(ast.children)) {
                         checkFields(collection, children, (_b = (_a = ast.query) === null || _a === void 0 ? void 0 : _a[collection]) === null || _b === void 0 ? void 0 : _b.aggregate);
                     }
@@ -106,7 +106,7 @@ class AuthorizationService {
         }
         function applyFilters(ast, accountability) {
             if (ast.type !== 'field') {
-                if (ast.type === 'm2a') {
+                if (ast.type === 'a2o') {
                     const collections = Object.keys(ast.children);
                     for (const collection of collections) {
                         updateFilterQuery(collection, ast.query[collection]);

package/dist/services/collections.d.ts

@@ -1,8 +1,7 @@
 import SchemaInspector from '@directus/schema';
 import { Knex } from 'knex';
-import { MutationOptions } from '../services/items';
 import Keyv from 'keyv';
-import { AbstractServiceOptions, Collection, CollectionMeta, SchemaOverview } from '../types';
+import { AbstractServiceOptions, Collection, CollectionMeta, SchemaOverview, MutationOptions } from '../types';
 import { Accountability, RawField } from '@directus/shared/types';
 import { Table } from 'knex-schema-inspector/dist/types/table';
 export declare type RawCollection = {

package/dist/services/collections.js

@@ -359,11 +359,11 @@ class CollectionsService {
                         await fieldsService.deleteField(relation.collection, relation.field);
                     }
                 }
-                const m2aRelationsThatIncludeThisCollection = this.schema.relations.filter((relation) => {
+                const a2oRelationsThatIncludeThisCollection = this.schema.relations.filter((relation) => {
                     var _a, _b;
                     return (_b = (_a = relation.meta) === null || _a === void 0 ? void 0 : _a.one_allowed_collections) === null || _b === void 0 ? void 0 : _b.includes(collectionKey);
                 });
-                for (const relation of m2aRelationsThatIncludeThisCollection) {
+                for (const relation of a2oRelationsThatIncludeThisCollection) {
                     const newAllowedCollections = relation
                         .meta.one_allowed_collections.filter((collection) => collectionKey !== collection)
                         .join(',');

package/dist/services/files.d.ts

@@ -1,6 +1,6 @@
 /// <reference types="node" />
-import { AbstractServiceOptions, File, PrimaryKey } from '../types';
-import { ItemsService, MutationOptions } from './items';
+import { AbstractServiceOptions, File, PrimaryKey, MutationOptions } from '../types';
+import { ItemsService } from './items';
 export declare class FilesService extends ItemsService {
     constructor(options: AbstractServiceOptions);
     /**

package/dist/services/files.js

@@ -64,14 +64,20 @@ class FilesService extends items_1.ItemsService {
         payload.filesize = size;
         if (['image/jpeg', 'image/png', 'image/webp', 'image/gif', 'image/tiff'].includes(payload.type)) {
             const buffer = await storage_1.default.disk(data.storage).getBuffer(payload.filename_disk);
-            const meta = await (0, sharp_1.default)(buffer.content, {}).metadata();
-            if (meta.orientation && meta.orientation >= 5) {
-                payload.height = meta.width;
-                payload.width = meta.height;
+            try {
+                const meta = await (0, sharp_1.default)(buffer.content, {}).metadata();
+                if (meta.orientation && meta.orientation >= 5) {
+                    payload.height = meta.width;
+                    payload.width = meta.height;
+                }
+                else {
+                    payload.width = meta.width;
+                    payload.height = meta.height;
+                }
             }
-            else {
-                payload.width = meta.width;
-                payload.height = meta.height;
+            catch (err) {
+                logger_1.default.warn(`Couldn't extract sharp metadata from file`);
+                logger_1.default.warn(err);
             }
             payload.metadata = {};
             try {
@@ -95,7 +101,7 @@ class FilesService extends items_1.ItemsService {
                 }
             }
             catch (err) {
-                logger_1.default.warn(`Couldn't extract metadata from file`);
+                logger_1.default.warn(`Couldn't extract EXIF metadata from file`);
                 logger_1.default.warn(err);
             }
         }

package/dist/services/graphql.js

@@ -34,6 +34,7 @@ const revisions_1 = require("./revisions");
 const roles_1 = require("./roles");
 const server_1 = require("./server");
 const settings_1 = require("./settings");
+const shares_1 = require("./shares");
 const specifications_1 = require("./specifications");
 const tfa_1 = require("./tfa");
 const users_1 = require("./users");
@@ -112,15 +113,23 @@ class GraphQLService {
         return formattedResult;
     }
     getSchema(type = 'schema') {
-        var _a, _b, _c, _d;
+        var _a, _b, _c, _d, _e, _f, _g, _h;
         // eslint-disable-next-line @typescript-eslint/no-this-alias
         const self = this;
         const schemaComposer = new graphql_compose_1.SchemaComposer();
         const schema = {
-            read: ((_a = this.accountability) === null || _a === void 0 ? void 0 : _a.admin) === true ? this.schema : (0, reduce_schema_1.reduceSchema)(this.schema, this.accountability, ['read']),
-            create: ((_b = this.accountability) === null || _b === void 0 ? void 0 : _b.admin) === true ? this.schema : (0, reduce_schema_1.reduceSchema)(this.schema, this.accountability, ['create']),
-            update: ((_c = this.accountability) === null || _c === void 0 ? void 0 : _c.admin) === true ? this.schema : (0, reduce_schema_1.reduceSchema)(this.schema, this.accountability, ['update']),
-            delete: ((_d = this.accountability) === null || _d === void 0 ? void 0 : _d.admin) === true ? this.schema : (0, reduce_schema_1.reduceSchema)(this.schema, this.accountability, ['delete']),
+            read: ((_a = this.accountability) === null || _a === void 0 ? void 0 : _a.admin) === true
+                ? this.schema
+                : (0, reduce_schema_1.reduceSchema)(this.schema, ((_b = this.accountability) === null || _b === void 0 ? void 0 : _b.permissions) || null, ['read']),
+            create: ((_c = this.accountability) === null || _c === void 0 ? void 0 : _c.admin) === true
+                ? this.schema
+                : (0, reduce_schema_1.reduceSchema)(this.schema, ((_d = this.accountability) === null || _d === void 0 ? void 0 : _d.permissions) || null, ['create']),
+            update: ((_e = this.accountability) === null || _e === void 0 ? void 0 : _e.admin) === true
+                ? this.schema
+                : (0, reduce_schema_1.reduceSchema)(this.schema, ((_f = this.accountability) === null || _f === void 0 ? void 0 : _f.permissions) || null, ['update']),
+            delete: ((_g = this.accountability) === null || _g === void 0 ? void 0 : _g.admin) === true
+                ? this.schema
+                : (0, reduce_schema_1.reduceSchema)(this.schema, ((_h = this.accountability) === null || _h === void 0 ? void 0 : _h.permissions) || null, ['delete']),
         };
         const { ReadCollectionTypes } = getReadableTypes();
         const { CreateCollectionTypes, UpdateCollectionTypes, DeleteCollectionTypes } = getWritableTypes();
@@ -325,6 +334,8 @@ class GraphQLService {
             }
             for (const relation of schema[action].relations) {
                 if (relation.related_collection) {
+                    if (SYSTEM_DENY_LIST.includes(relation.related_collection))
+                        continue;
                     (_a = CollectionTypes[relation.collection]) === null || _a === void 0 ? void 0 : _a.addFields({
                         [relation.field]: {
                             type: CollectionTypes[relation.related_collection],
@@ -759,6 +770,8 @@ class GraphQLService {
             }
             for (const relation of schema.read.relations) {
                 if (relation.related_collection) {
+                    if (SYSTEM_DENY_LIST.includes(relation.related_collection))
+                        continue;
                     (_a = ReadableCollectionFilterTypes[relation.collection]) === null || _a === void 0 ? void 0 : _a.addFields({
                         [relation.field]: ReadableCollectionFilterTypes[relation.related_collection],
                     });
@@ -1268,6 +1281,8 @@ class GraphQLService {
                 return new users_1.UsersService(opts);
             case 'directus_webhooks':
                 return new webhooks_1.WebhooksService(opts);
+            case 'directus_shares':
+                return new shares_1.SharesService(opts);
             default:
                 return new items_1.ItemsService(collection, opts);
         }

package/dist/services/index.d.ts

@@ -26,3 +26,4 @@ export * from './tfa';
 export * from './users';
 export * from './utils';
 export * from './webhooks';
+export * from './shares';

package/dist/services/index.js

@@ -39,3 +39,4 @@ __exportStar(require("./tfa"), exports);
 __exportStar(require("./users"), exports);
 __exportStar(require("./utils"), exports);
 __exportStar(require("./webhooks"), exports);
+__exportStar(require("./shares"), exports);

package/dist/services/items.d.ts

@@ -1,25 +1,11 @@
 import { Knex } from 'knex';
 import Keyv from 'keyv';
 import { Accountability, Query, PermissionsAction } from '@directus/shared/types';
-import { AbstractService, AbstractServiceOptions, Item as AnyItem, PrimaryKey, SchemaOverview } from '../types';
+import { AbstractService, AbstractServiceOptions, Item as AnyItem, PrimaryKey, SchemaOverview, MutationOptions } from '../types';
 export declare type QueryOptions = {
     stripNonRequested?: boolean;
     permissionsAction?: PermissionsAction;
 };
-export declare type MutationOptions = {
-    /**
-     * Callback function that's fired whenever a revision is made in the mutation
-     */
-    onRevisionCreate?: (pk: PrimaryKey) => void;
-    /**
-     * Flag to disable the auto purging of the cache. Is ignored when CACHE_AUTO_PURGE isn't enabled.
-     */
-    autoPurgeCache?: false;
-    /**
-     * Allow disabling the emitting of hooks. Useful if a custom hook is fired (like files.upload)
-     */
-    emitEvents?: boolean;
-};
 export declare class ItemsService<Item extends AnyItem = AnyItem> implements AbstractService {
     collection: string;
     knex: Knex;

package/dist/services/notifications.d.ts

@@ -1,6 +1,6 @@
 import { UsersService, MailService } from '.';
-import { AbstractServiceOptions, PrimaryKey } from '../types';
-import { ItemsService, MutationOptions } from './items';
+import { AbstractServiceOptions, PrimaryKey, MutationOptions } from '../types';
+import { ItemsService } from './items';
 import { Notification } from '@directus/shared/types';
 export declare class NotificationsService extends ItemsService {
     usersService: UsersService;

package/dist/services/permissions.d.ts

@@ -1,5 +1,5 @@
-import { ItemsService, QueryOptions, MutationOptions } from '../services/items';
-import { AbstractServiceOptions, Item, PrimaryKey } from '../types';
+import { ItemsService, QueryOptions } from '../services/items';
+import { AbstractServiceOptions, Item, PrimaryKey, MutationOptions } from '../types';
 import { Query, PermissionsAction } from '@directus/shared/types';
 import Keyv from 'keyv';
 export declare class PermissionsService extends ItemsService {

package/dist/services/roles.d.ts

@@ -1,6 +1,6 @@
-import { AbstractServiceOptions, PrimaryKey } from '../types';
+import { AbstractServiceOptions, MutationOptions, PrimaryKey } from '../types';
 import { Query } from '@directus/shared/types';
-import { ItemsService, MutationOptions } from './items';
+import { ItemsService } from './items';
 export declare class RolesService extends ItemsService {
     constructor(options: AbstractServiceOptions);
     private checkForOtherAdminRoles;

package/dist/services/shares.d.ts

@@ -0,0 +1,17 @@
+import { AbstractServiceOptions, LoginResult, Item, PrimaryKey, MutationOptions } from '../types';
+import { ItemsService } from './items';
+import { AuthorizationService } from './authorization';
+export declare class SharesService extends ItemsService {
+    authorizationService: AuthorizationService;
+    constructor(options: AbstractServiceOptions);
+    createOne(data: Partial<Item>, opts?: MutationOptions): Promise<PrimaryKey>;
+    login(payload: Record<string, any>): Promise<LoginResult>;
+    /**
+     * Send a link to the given share ID to the given email(s). Note: you can only send a link to a share
+     * if you have read access to that particular share
+     */
+    invite(payload: {
+        emails: string[];
+        share: PrimaryKey;
+    }): Promise<void>;
+}

package/dist/services/shares.js

@@ -0,0 +1,135 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SharesService = void 0;
+const items_1 = require("./items");
+const argon2_1 = __importDefault(require("argon2"));
+const jsonwebtoken_1 = __importDefault(require("jsonwebtoken"));
+const ms_1 = __importDefault(require("ms"));
+const exceptions_1 = require("../exceptions");
+const env_1 = __importDefault(require("../env"));
+const nanoid_1 = require("nanoid");
+const authorization_1 = require("./authorization");
+const users_1 = require("./users");
+const mail_1 = require("./mail");
+const user_name_1 = require("../utils/user-name");
+const md_1 = require("../utils/md");
+class SharesService extends items_1.ItemsService {
+    constructor(options) {
+        super('directus_shares', options);
+        this.authorizationService = new authorization_1.AuthorizationService({
+            accountability: this.accountability,
+            knex: this.knex,
+            schema: this.schema,
+        });
+    }
+    async createOne(data, opts) {
+        await this.authorizationService.checkAccess('share', data.collection, data.item);
+        return super.createOne(data, opts);
+    }
+    async login(payload) {
+        var _a, _b;
+        const record = await this.knex
+            .select({
+            share_id: 'id',
+            share_role: 'role',
+            share_item: 'item',
+            share_collection: 'collection',
+            share_start: 'date_start',
+            share_end: 'date_end',
+            share_times_used: 'times_used',
+            share_max_uses: 'max_uses',
+            share_password: 'password',
+        })
+            .from('directus_shares')
+            .where('id', payload.share)
+            .andWhere((subQuery) => {
+            subQuery.whereNull('date_end').orWhere('date_end', '>=', new Date());
+        })
+            .andWhere((subQuery) => {
+            subQuery.whereNull('date_start').orWhere('date_start', '<=', new Date());
+        })
+            .andWhere((subQuery) => {
+            subQuery.whereNull('max_uses').orWhere('max_uses', '>=', this.knex.ref('times_used'));
+        })
+            .first();
+        if (!record) {
+            throw new exceptions_1.InvalidCredentialsException();
+        }
+        if (record.share_password && !(await argon2_1.default.verify(record.share_password, payload.password))) {
+            throw new exceptions_1.InvalidCredentialsException();
+        }
+        await this.knex('directus_shares')
+            .update({ times_used: record.share_times_used + 1 })
+            .where('id', record.share_id);
+        const tokenPayload = {
+            app_access: false,
+            admin_access: false,
+            role: record.share_role,
+            share: record.share_id,
+            share_scope: {
+                item: record.share_item,
+                collection: record.share_collection,
+            },
+        };
+        const accessToken = jsonwebtoken_1.default.sign(tokenPayload, env_1.default.SECRET, {
+            expiresIn: env_1.default.ACCESS_TOKEN_TTL,
+            issuer: 'directus',
+        });
+        const refreshToken = (0, nanoid_1.nanoid)(64);
+        const refreshTokenExpiration = new Date(Date.now() + (0, ms_1.default)(env_1.default.REFRESH_TOKEN_TTL));
+        await this.knex('directus_sessions').insert({
+            token: refreshToken,
+            expires: refreshTokenExpiration,
+            ip: (_a = this.accountability) === null || _a === void 0 ? void 0 : _a.ip,
+            user_agent: (_b = this.accountability) === null || _b === void 0 ? void 0 : _b.userAgent,
+            share: record.share_id,
+        });
+        await this.knex('directus_sessions').delete().where('expires', '<', new Date());
+        return {
+            accessToken,
+            refreshToken,
+            expires: (0, ms_1.default)(env_1.default.ACCESS_TOKEN_TTL),
+        };
+    }
+    /**
+     * Send a link to the given share ID to the given email(s). Note: you can only send a link to a share
+     * if you have read access to that particular share
+     */
+    async invite(payload) {
+        var _a;
+        if (!((_a = this.accountability) === null || _a === void 0 ? void 0 : _a.user))
+            throw new exceptions_1.ForbiddenException();
+        const share = await this.readOne(payload.share, { fields: ['collection'] });
+        const usersService = new users_1.UsersService({
+            knex: this.knex,
+            schema: this.schema,
+        });
+        const mailService = new mail_1.MailService({ schema: this.schema, accountability: this.accountability });
+        const userInfo = await usersService.readOne(this.accountability.user, {
+            fields: ['first_name', 'last_name', 'email', 'id'],
+        });
+        const message = `
+Hello!
+
+${(0, user_name_1.userName)(userInfo)} has invited you to view an item in ${share.collection}.
+
+[Open](${env_1.default.PUBLIC_URL}/admin/shared/${payload.share})
+`;
+        for (const email of payload.emails) {
+            await mailService.send({
+                template: {
+                    name: 'base',
+                    data: {
+                        html: (0, md_1.md)(message),
+                    },
+                },
+                to: email,
+                subject: `${(0, user_name_1.userName)(userInfo)} has shared an item with you`,
+            });
+        }
+    }
+}
+exports.SharesService = SharesService;

package/dist/services/specifications.js

@@ -442,7 +442,7 @@ class OASSpecsService {
                     ],
                 };
             }
-            else if (relationType === 'm2a') {
+            else if (relationType === 'a2o') {
                 const relatedTags = tags.filter((tag) => relation.meta.one_allowed_collections.includes(tag['x-collection']));
                 propertyObject.type = 'array';
                 propertyObject.items = {

package/dist/services/users.d.ts

@@ -1,8 +1,8 @@
 import { Knex } from 'knex';
-import { AbstractServiceOptions, Item, PrimaryKey, SchemaOverview } from '../types';
+import { AbstractServiceOptions, Item, PrimaryKey, SchemaOverview, MutationOptions } from '../types';
 import { Query } from '@directus/shared/types';
 import { Accountability } from '@directus/shared/types';
-import { ItemsService, MutationOptions } from './items';
+import { ItemsService } from './items';
 export declare class UsersService extends ItemsService {
     knex: Knex;
     accountability: Accountability | null;