directus 9.2.2 → 9.4.2

package/dist/utils/apply-query.js

@@ -76,44 +76,44 @@ function applyQuery(knex, collection, dbQuery, query, schema, subQuery = false)
     return dbQuery;
 }
 exports.default = applyQuery;
-/**
- * Apply a given filter object to the Knex QueryBuilder instance.
- *
- * Relational nested filters, like the following example:
- *
- * ```json
- * // Fetch pages that have articles written by Rijk
- *
- * {
- *   "articles": {
- *     "author": {
- *       "name": {
- *         "_eq": "Rijk"
- *       }
- *     }
- *   }
- * }
- * ```
- *
- * are handled by joining the nested tables, and using a where statement on the top level on the
- * nested field through the join. This allows us to filter the top level items based on nested data.
- * The where on the root is done with a subquery to prevent duplicates, any nested joins are done
- * with aliases to prevent naming conflicts.
- *
- * The output SQL for the above would look something like:
- *
- * ```sql
- * SELECT *
- * FROM pages
- * WHERE
- *   pages.id in (
- *     SELECT articles.page_id AS page_id
- *     FROM articles
- *     LEFT JOIN authors AS xviqp ON articles.author = xviqp.id
- *     WHERE xviqp.name = 'Rijk'
- *   )
- * ```
- */
+function getRelationInfo(relations, collection, field) {
+    var _a, _b;
+    const implicitRelation = (_a = field.match(/^\$FOLLOW\((.*?),(.*?)(?:,(.*?))?\)$/)) === null || _a === void 0 ? void 0 : _a.slice(1);
+    if (implicitRelation) {
+        if (implicitRelation[2] === undefined) {
+            const [m2oCollection, m2oField] = implicitRelation;
+            const relation = {
+                collection: m2oCollection,
+                field: m2oField,
+                related_collection: collection,
+                schema: null,
+                meta: null,
+            };
+            return { relation, relationType: 'o2m' };
+        }
+        else {
+            const [a2oCollection, a2oItemField, a2oCollectionField] = implicitRelation;
+            const relation = {
+                collection: a2oCollection,
+                field: a2oItemField,
+                related_collection: collection,
+                schema: null,
+                meta: {
+                    one_collection_field: a2oCollectionField,
+                    one_field: field,
+                },
+            };
+            return { relation, relationType: 'o2a' };
+        }
+    }
+    const relation = (_b = relations.find((relation) => {
+        var _a;
+        return ((relation.collection === collection && relation.field === field) ||
+            (relation.related_collection === collection && ((_a = relation.meta) === null || _a === void 0 ? void 0 : _a.one_field) === field));
+    })) !== null && _b !== void 0 ? _b : null;
+    const relationType = relation ? (0, get_relation_type_1.getRelationType)({ relation, collection, field }) : null;
+    return { relation, relationType };
+}
 function applyFilter(knex, schema, rootQuery, rootFilter, collection, subQuery = false) {
     const helpers = (0, helpers_1.getHelpers)(knex);
     const relations = schema.relations;
@@ -143,31 +143,34 @@ function applyFilter(knex, schema, rootQuery, rootFilter, collection, subQuery =
             followRelation(path);
             function followRelation(pathParts, parentCollection = collection, parentAlias) {
                 /**
-                 * For M2A fields, the path can contain an optional collection scope <field>:<scope>
+                 * For A2M fields, the path can contain an optional collection scope <field>:<scope>
                  */
                 const pathRoot = pathParts[0].split(':')[0];
-                const relation = relations.find((relation) => {
-                    var _a;
-                    return ((relation.collection === parentCollection && relation.field === pathRoot) ||
-                        (relation.related_collection === parentCollection && ((_a = relation.meta) === null || _a === void 0 ? void 0 : _a.one_field) === pathRoot));
-                });
-                if (!relation)
+                const { relation, relationType } = getRelationInfo(relations, parentCollection, pathRoot);
+                if (!relation) {
                     return;
-                const relationType = (0, get_relation_type_1.getRelationType)({ relation, collection: parentCollection, field: pathRoot });
+                }
                 const alias = generateAlias();
                 (0, lodash_1.set)(aliasMap, parentAlias ? [parentAlias, ...pathParts] : pathParts, alias);
                 if (relationType === 'm2o') {
                     dbQuery.leftJoin({ [alias]: relation.related_collection }, `${parentAlias || parentCollection}.${relation.field}`, `${alias}.${schema.collections[relation.related_collection].primary}`);
                 }
-                if (relationType === 'm2a') {
+                if (relationType === 'a2o') {
                     const pathScope = pathParts[0].split(':')[1];
                     if (!pathScope) {
                         throw new exceptions_1.InvalidQueryException(`You have to provide a collection scope when filtering on a many-to-any item`);
                     }
                     dbQuery.leftJoin({ [alias]: pathScope }, (joinClause) => {
                         joinClause
-                            .on(`${parentAlias || parentCollection}.${relation.field}`, '=', knex.raw(`CAST(?? AS CHAR(255))`, `${alias}.${schema.collections[pathScope].primary}`))
-                            .andOnVal(relation.meta.one_collection_field, '=', pathScope);
+                            .onVal(relation.meta.one_collection_field, '=', pathScope)
+                            .andOn(`${parentAlias || parentCollection}.${relation.field}`, '=', knex.raw(`CAST(?? AS CHAR(255))`, `${alias}.${schema.collections[pathScope].primary}`));
+                    });
+                }
+                if (relationType === 'o2a') {
+                    dbQuery.leftJoin({ [alias]: relation.collection }, (joinClause) => {
+                        joinClause
+                            .onVal(relation.meta.one_collection_field, '=', parentCollection)
+                            .andOn(`${alias}.${relation.field}`, '=', knex.raw(`CAST(?? AS CHAR(255))`, `${parentAlias || parentCollection}.${schema.collections[parentCollection].primary}`));
                     });
                 }
                 // Still join o2m relations when in subquery OR when the o2m relation is not at the root level
@@ -179,7 +182,7 @@ function applyFilter(knex, schema, rootQuery, rootFilter, collection, subQuery =
                     if (relationType === 'm2o') {
                         parent = relation.related_collection;
                     }
-                    else if (relationType === 'm2a') {
+                    else if (relationType === 'a2o') {
                         const pathScope = pathParts[0].split(':')[1];
                         if (!pathScope) {
                             throw new exceptions_1.InvalidQueryException(`You have to provide a collection scope when filtering on a many-to-any item`);
@@ -215,17 +218,12 @@ function applyFilter(knex, schema, rootQuery, rootFilter, collection, subQuery =
             }
             const filterPath = getFilterPath(key, value);
             /**
-             * For M2A fields, the path can contain an optional collection scope <field>:<scope>
+             * For A2M fields, the path can contain an optional collection scope <field>:<scope>
              */
             const pathRoot = filterPath[0].split(':')[0];
-            const relation = relations.find((relation) => {
-                var _a;
-                return ((relation.collection === collection && relation.field === pathRoot) ||
-                    (relation.related_collection === collection && ((_a = relation.meta) === null || _a === void 0 ? void 0 : _a.one_field) === pathRoot));
-            });
+            const { relation, relationType } = getRelationInfo(relations, collection, pathRoot);
             const { operator: filterOperator, value: filterValue } = getOperation(key, value);
-            const relationType = relation ? (0, get_relation_type_1.getRelationType)({ relation, collection: collection, field: pathRoot }) : null;
-            if (relationType === 'm2o' || relationType === 'm2a' || relationType === null) {
+            if (relationType === 'm2o' || relationType === 'a2o' || relationType === null) {
                 if (filterPath.length > 1) {
                     const columnName = getWhereColumn(filterPath, collection);
                     if (!columnName)
@@ -237,7 +235,13 @@ function applyFilter(knex, schema, rootQuery, rootFilter, collection, subQuery =
                 }
             }
             else if (subQuery === false) {
-                const pkField = `${collection}.${schema.collections[relation.related_collection].primary}`;
+                if (!relation)
+                    continue;
+                let pkField = `${collection}.${schema.collections[relation.related_collection].primary}`;
+                if (relationType === 'o2a') {
+                    pkField = knex.raw(`CAST(?? AS CHAR(255))`, [pkField]);
+                }
+                // Note: knex's types don't appreciate knex.raw in whereIn, even though it's officially supported
                 dbQuery[logical].whereIn(pkField, (subQueryKnex) => {
                     const field = relation.field;
                     const collection = relation.collection;
@@ -376,22 +380,17 @@ function applyFilter(knex, schema, rootQuery, rootFilter, collection, subQuery =
             return followRelation(path);
             function followRelation(pathParts, parentCollection = collection, parentAlias) {
                 /**
-                 * For M2A fields, the path can contain an optional collection scope <field>:<scope>
+                 * For A2M fields, the path can contain an optional collection scope <field>:<scope>
                  */
                 const pathRoot = pathParts[0].split(':')[0];
-                const relation = relations.find((relation) => {
-                    var _a;
-                    return ((relation.collection === parentCollection && relation.field === pathRoot) ||
-                        (relation.related_collection === parentCollection && ((_a = relation.meta) === null || _a === void 0 ? void 0 : _a.one_field) === pathRoot));
-                });
+                const { relation, relationType } = getRelationInfo(relations, parentCollection, pathRoot);
                 if (!relation) {
                     throw new exceptions_1.InvalidQueryException(`"${parentCollection}.${pathRoot}" is not a relational field`);
                 }
-                const relationType = (0, get_relation_type_1.getRelationType)({ relation, collection: parentCollection, field: pathRoot });
                 const alias = (0, lodash_1.get)(aliasMap, parentAlias ? [parentAlias, ...pathParts] : pathParts);
                 const remainingParts = pathParts.slice(1);
                 let parent;
-                if (relationType === 'm2a') {
+                if (relationType === 'a2o') {
                     const pathScope = pathParts[0].split(':')[1];
                     if (!pathScope) {
                         throw new exceptions_1.InvalidQueryException(`You have to provide a collection scope when filtering on a many-to-any item`);

package/dist/utils/apply-snapshot.js

@@ -10,6 +10,7 @@ const database_1 = __importDefault(require("../database"));
 const get_schema_1 = require("./get-schema");
 const services_1 = require("../services");
 const lodash_1 = require("lodash");
+const logger_1 = __importDefault(require("../logger"));
 async function applySnapshot(snapshot, options) {
     var _a, _b, _c, _d;
     const database = (_a = options === null || options === void 0 ? void 0 : options.database) !== null && _a !== void 0 ? _a : (0, database_1.default)();
@@ -20,7 +21,13 @@ async function applySnapshot(snapshot, options) {
         const collectionsService = new services_1.CollectionsService({ knex: trx, schema });
         for (const { collection, diff } of snapshotDiff.collections) {
             if ((diff === null || diff === void 0 ? void 0 : diff[0].kind) === 'D') {
-                await collectionsService.deleteOne(collection);
+                try {
+                    await collectionsService.deleteOne(collection);
+                }
+                catch (err) {
+                    logger_1.default.error(`Failed to delete collection "${collection}"`);
+                    throw err;
+                }
             }
             if ((diff === null || diff === void 0 ? void 0 : diff[0].kind) === 'N' && diff[0].rhs) {
                 // We'll nest the to-be-created fields in the same collection creation, to prevent
@@ -28,10 +35,16 @@ async function applySnapshot(snapshot, options) {
                 const fields = snapshotDiff.fields
                     .filter((fieldDiff) => fieldDiff.collection === collection)
                     .map((fieldDiff) => fieldDiff.diff[0].rhs);
-                await collectionsService.createOne({
-                    ...diff[0].rhs,
-                    fields,
-                });
+                try {
+                    await collectionsService.createOne({
+                        ...diff[0].rhs,
+                        fields,
+                    });
+                }
+                catch (err) {
+                    logger_1.default.error(`Failed to create collection "${collection}"`);
+                    throw err;
+                }
                 // Now that the fields are in for this collection, we can strip them from the field
                 // edits
                 snapshotDiff.fields = snapshotDiff.fields.filter((fieldDiff) => fieldDiff.collection !== collection);
@@ -41,27 +54,51 @@ async function applySnapshot(snapshot, options) {
                     return field.collection === collection;
                 });
                 if (newValues) {
-                    await collectionsService.updateOne(collection, newValues);
+                    try {
+                        await collectionsService.updateOne(collection, newValues);
+                    }
+                    catch (err) {
+                        logger_1.default.error(`Failed to update collection "${collection}"`);
+                        throw err;
+                    }
                 }
             }
         }
         const fieldsService = new services_1.FieldsService({ knex: trx, schema: await (0, get_schema_1.getSchema)({ database: trx }) });
         for (const { collection, field, diff } of snapshotDiff.fields) {
             if ((diff === null || diff === void 0 ? void 0 : diff[0].kind) === 'N') {
-                await fieldsService.createField(collection, diff[0].rhs);
+                try {
+                    await fieldsService.createField(collection, diff[0].rhs);
+                }
+                catch (err) {
+                    logger_1.default.error(`Failed to create field "${collection}.${field}"`);
+                    throw err;
+                }
             }
             if ((diff === null || diff === void 0 ? void 0 : diff[0].kind) === 'E' || (diff === null || diff === void 0 ? void 0 : diff[0].kind) === 'A') {
                 const newValues = snapshot.fields.find((snapshotField) => {
                     return snapshotField.collection === collection && snapshotField.field === field;
                 });
                 if (newValues) {
-                    await fieldsService.updateField(collection, {
-                        ...newValues,
-                    });
+                    try {
+                        await fieldsService.updateField(collection, {
+                            ...newValues,
+                        });
+                    }
+                    catch (err) {
+                        logger_1.default.error(`Failed to update field "${collection}.${field}"`);
+                        throw err;
+                    }
                 }
             }
             if ((diff === null || diff === void 0 ? void 0 : diff[0].kind) === 'D') {
-                await fieldsService.deleteField(collection, field);
+                try {
+                    await fieldsService.deleteField(collection, field);
+                }
+                catch (err) {
+                    logger_1.default.error(`Failed to delete field "${collection}.${field}"`);
+                    throw err;
+                }
                 // Field deletion also cleans up the relationship. We should ignore any relationship
                 // changes attached to this now non-existing field
                 snapshotDiff.relations = snapshotDiff.relations.filter((relation) => (relation.collection === collection && relation.field === field) === false);
@@ -74,18 +111,36 @@ async function applySnapshot(snapshot, options) {
                 (0, lodash_1.set)(structure, diffEdit.path, undefined);
             }
             if ((diff === null || diff === void 0 ? void 0 : diff[0].kind) === 'N') {
-                await relationsService.createOne(diff[0].rhs);
+                try {
+                    await relationsService.createOne(diff[0].rhs);
+                }
+                catch (err) {
+                    logger_1.default.error(`Failed to create relation "${collection}.${field}"`);
+                    throw err;
+                }
             }
             if ((diff === null || diff === void 0 ? void 0 : diff[0].kind) === 'E' || (diff === null || diff === void 0 ? void 0 : diff[0].kind) === 'A') {
                 const newValues = snapshot.relations.find((relation) => {
                     return relation.collection === collection && relation.field === field;
                 });
                 if (newValues) {
-                    await relationsService.updateOne(collection, field, newValues);
+                    try {
+                        await relationsService.updateOne(collection, field, newValues);
+                    }
+                    catch (err) {
+                        logger_1.default.error(`Failed to update relation "${collection}.${field}"`);
+                        throw err;
+                    }
                 }
             }
             if ((diff === null || diff === void 0 ? void 0 : diff[0].kind) === 'D') {
-                await relationsService.deleteOne(collection, field);
+                try {
+                    await relationsService.deleteOne(collection, field);
+                }
+                catch (err) {
+                    logger_1.default.error(`Failed to delete relation "${collection}.${field}"`);
+                    throw err;
+                }
             }
         }
     });

package/dist/utils/get-ast-from-query.js

@@ -88,7 +88,7 @@ async function getASTFromQuery(collection, query, schema, options) {
                 const parts = name.split('.');
                 let rootField = parts[0];
                 let collectionScope = null;
-                // m2a related collection scoped field selector `fields=sections.section_id:headings.title`
+                // a2o related collection scoped field selector `fields=sections.section_id:headings.title`
                 if (rootField.includes(':')) {
                     const [key, scope] = rootField.split(':');
                     rootField = key;
@@ -136,14 +136,14 @@ async function getASTFromQuery(collection, query, schema, options) {
             if (!relationType)
                 continue;
             let child = null;
-            if (relationType === 'm2a') {
+            if (relationType === 'a2o') {
                 const allowedCollections = relation.meta.one_allowed_collections.filter((collection) => {
                     if (!permissions)
                         return true;
                     return permissions.some((permission) => permission.collection === collection);
                 });
                 child = {
-                    type: 'm2a',
+                    type: 'a2o',
                     names: allowedCollections,
                     children: {},
                     query: {},

package/dist/utils/get-default-value.js

@@ -16,12 +16,14 @@ function getDefaultValue(column) {
         return null;
     if (defaultValue === 'NULL')
         return null;
-    // Check if the default is wrapped in an extra pair of quotes, this happens in SQLite
+    // Check if the default is wrapped in an extra pair of quotes, this happens in SQLite / MariaDB
     if (typeof defaultValue === 'string' &&
         ((defaultValue.startsWith(`'`) && defaultValue.endsWith(`'`)) ||
             (defaultValue.startsWith(`"`) && defaultValue.endsWith(`"`)))) {
         defaultValue = defaultValue.slice(1, -1);
     }
+    if (defaultValue === '0000-00-00 00:00:00')
+        return null;
     switch (type) {
         case 'bigInteger':
         case 'integer':

package/dist/utils/get-ip-from-req.d.ts

@@ -0,0 +1,2 @@
+import { Request } from 'express';
+export declare function getIPFromReq(req: Request): string;

package/dist/utils/get-ip-from-req.js

@@ -0,0 +1,24 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getIPFromReq = void 0;
+const net_1 = require("net");
+const env_1 = __importDefault(require("../env"));
+const logger_1 = __importDefault(require("../logger"));
+function getIPFromReq(req) {
+    let ip = req.ip;
+    if (env_1.default.IP_CUSTOM_HEADER) {
+        const customIPHeaderValue = req.get(env_1.default.IP_CUSTOM_HEADER);
+        if (typeof customIPHeaderValue === 'string' && (0, net_1.isIP)(customIPHeaderValue) !== 0) {
+            ip = customIPHeaderValue;
+        }
+        else {
+            logger_1.default.warn(`Custom IP header didn't return valid IP address: ${JSON.stringify(customIPHeaderValue)}`);
+        }
+    }
+    // IP addresses starting with ::ffff: are IPv4 addresses in IPv6 format. We can strip the prefix to get back to IPv4
+    return ip.startsWith('::ffff:') ? ip.substring(7) : ip;
+}
+exports.getIPFromReq = getIPFromReq;

package/dist/utils/get-permissions.js

@@ -9,6 +9,7 @@ const lodash_1 = require("lodash");
 const database_1 = __importDefault(require("../database"));
 const app_access_permissions_1 = require("../database/system-data/app-access-permissions");
 const merge_permissions_1 = require("../utils/merge-permissions");
+const merge_permissions_for_share_1 = require("./merge-permissions-for-share");
 const users_1 = require("../services/users");
 const roles_1 = require("../services/roles");
 const cache_1 = require("../cache");
@@ -18,8 +19,8 @@ async function getPermissions(accountability, schema) {
     const database = (0, database_1.default)();
     const { systemCache, cache } = (0, cache_1.getCache)();
     let permissions = [];
-    const { user, role, app, admin } = accountability;
-    const cacheKey = `permissions-${(0, object_hash_1.default)({ user, role, app, admin })}`;
+    const { user, role, app, admin, share_scope } = accountability;
+    const cacheKey = `permissions-${(0, object_hash_1.default)({ user, role, app, admin, share_scope })}`;
     if (env_1.default.CACHE_PERMISSIONS !== false) {
         const cachedPermissions = await systemCache.get(cacheKey);
         if (cachedPermissions) {
@@ -44,14 +45,21 @@ async function getPermissions(accountability, schema) {
         }
     }
     if (accountability.admin !== true) {
-        const permissionsForRole = await database
-            .select('*')
-            .from('directus_permissions')
-            .where({ role: accountability.role });
+        const query = database.select('*').from('directus_permissions');
+        if (accountability.role) {
+            query.where({ role: accountability.role });
+        }
+        else {
+            query.whereNull('role');
+        }
+        const permissionsForRole = await query;
         const { permissions: parsedPermissions, requiredPermissionData, containDynamicData, } = parsePermissions(permissionsForRole);
         permissions = parsedPermissions;
         if (accountability.app === true) {
-            permissions = (0, merge_permissions_1.mergePermissions)(permissions, app_access_permissions_1.appAccessMinimalPermissions.map((perm) => ({ ...perm, role: accountability.role })));
+            permissions = (0, merge_permissions_1.mergePermissions)('or', permissions, app_access_permissions_1.appAccessMinimalPermissions.map((perm) => ({ ...perm, role: accountability.role })));
+        }
+        if (accountability.share_scope) {
+            permissions = (0, merge_permissions_for_share_1.mergePermissionsForShare)(permissions, accountability, schema);
         }
         const filterContext = containDynamicData
             ? await getFilterContext(schema, accountability, requiredPermissionData)

package/dist/utils/get-relation-type.d.ts

@@ -3,4 +3,4 @@ export declare function getRelationType(getRelationOptions: {
     relation: Relation;
     collection: string | null;
     field: string;
-}): 'm2o' | 'o2m' | 'm2a' | null;
+}): 'm2o' | 'o2m' | 'a2o' | null;

package/dist/utils/get-relation-type.js

@@ -10,7 +10,7 @@ function getRelationType(getRelationOptions) {
         relation.field === field &&
         ((_a = relation.meta) === null || _a === void 0 ? void 0 : _a.one_collection_field) &&
         ((_b = relation.meta) === null || _b === void 0 ? void 0 : _b.one_allowed_collections)) {
-        return 'm2a';
+        return 'a2o';
     }
     if (relation.collection === collection && relation.field === field) {
         return 'm2o';

package/dist/utils/merge-permissions-for-share.d.ts

@@ -0,0 +1,5 @@
+import { Permission, Accountability, Filter } from '@directus/shared/types';
+import { SchemaOverview } from '../types';
+export declare function mergePermissionsForShare(currentPermissions: Permission[], accountability: Accountability, schema: SchemaOverview): Permission[];
+export declare function traverse(schema: SchemaOverview, rootItemPrimaryKeyField: string, rootItemPrimaryKey: string, currentCollection: string, parentCollections?: string[], path?: string[]): Partial<Permission>[];
+export declare function getFilterForPath(type: 'o2m' | 'm2o' | 'a2o', path: string[], rootPrimaryKeyField: string, rootPrimaryKey: string): Filter;

package/dist/utils/merge-permissions-for-share.js

@@ -0,0 +1,116 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getFilterForPath = exports.traverse = exports.mergePermissionsForShare = void 0;
+const lodash_1 = require("lodash");
+const merge_permissions_1 = require("./merge-permissions");
+const app_access_permissions_1 = require("../database/system-data/app-access-permissions");
+const reduce_schema_1 = require("./reduce-schema");
+function mergePermissionsForShare(currentPermissions, accountability, schema) {
+    const defaults = {
+        action: 'read',
+        role: accountability.role,
+        collection: '',
+        permissions: {},
+        validation: null,
+        presets: null,
+        fields: null,
+    };
+    const { collection, item } = accountability.share_scope;
+    const parentPrimaryKeyField = schema.collections[collection].primary;
+    const reducedSchema = (0, reduce_schema_1.reduceSchema)(schema, currentPermissions, ['read']);
+    const relationalPermissions = traverse(reducedSchema, parentPrimaryKeyField, item, collection);
+    const parentCollectionPermission = (0, lodash_1.assign)({}, defaults, {
+        collection,
+        permissions: {
+            [parentPrimaryKeyField]: {
+                _eq: item,
+            },
+        },
+    });
+    // All permissions that will be merged into the original permissions set
+    const allGeneratedPermissions = [
+        parentCollectionPermission,
+        ...relationalPermissions.map((generated) => (0, lodash_1.assign)({}, defaults, generated)),
+        ...app_access_permissions_1.schemaPermissions,
+    ];
+    // All the collections that are touched through the relational tree from the current root collection, and the schema collections
+    const allowedCollections = (0, lodash_1.uniq)(allGeneratedPermissions.map(({ collection }) => collection));
+    const generatedPermissions = [];
+    // Merge all the permissions that relate to the same collection with an _or (this allows you to properly retrieve)
+    // the items of a collection if you entered that collection from multiple angles
+    for (const collection of allowedCollections) {
+        const permissionsForCollection = allGeneratedPermissions.filter((permission) => permission.collection === collection);
+        if (permissionsForCollection.length > 0) {
+            generatedPermissions.push(...(0, merge_permissions_1.mergePermissions)('or', permissionsForCollection));
+        }
+        else {
+            generatedPermissions.push(...permissionsForCollection);
+        }
+    }
+    // Explicitly filter out permissions to collections unrelated to the root parent item.
+    const limitedPermissions = currentPermissions.filter(({ collection }) => allowedCollections.includes(collection));
+    return (0, merge_permissions_1.mergePermissions)('and', limitedPermissions, generatedPermissions);
+}
+exports.mergePermissionsForShare = mergePermissionsForShare;
+function traverse(schema, rootItemPrimaryKeyField, rootItemPrimaryKey, currentCollection, parentCollections = [], path = []) {
+    var _a, _b, _c;
+    const permissions = [];
+    // If there's already a permissions rule for the collection we're currently checking, we'll shortcircuit.
+    // This prevents infinite loop in recursive relationships, like articles->related_articles->articles, or
+    // articles.author->users.avatar->files.created_by->users.avatar->files.created_by->🔁
+    if (parentCollections.includes(currentCollection)) {
+        return permissions;
+    }
+    const relationsInCollection = schema.relations.filter((relation) => {
+        return relation.collection === currentCollection || relation.related_collection === currentCollection;
+    });
+    for (const relation of relationsInCollection) {
+        let type;
+        if (relation.related_collection === currentCollection) {
+            type = 'o2m';
+        }
+        else if (!relation.related_collection) {
+            type = 'a2o';
+        }
+        else {
+            type = 'm2o';
+        }
+        if (type === 'o2m') {
+            permissions.push({
+                collection: relation.collection,
+                permissions: getFilterForPath(type, [...path, relation.field], rootItemPrimaryKeyField, rootItemPrimaryKey),
+            });
+            permissions.push(...traverse(schema, rootItemPrimaryKeyField, rootItemPrimaryKey, relation.collection, [...parentCollections, currentCollection], [...path, relation.field]));
+        }
+        if (type === 'a2o' && ((_a = relation.meta) === null || _a === void 0 ? void 0 : _a.one_allowed_collections)) {
+            for (const collection of relation.meta.one_allowed_collections) {
+                permissions.push({
+                    collection,
+                    permissions: getFilterForPath(type, [...path, `$FOLLOW(${relation.collection},${relation.field},${relation.meta.one_collection_field})`], rootItemPrimaryKeyField, rootItemPrimaryKey),
+                });
+            }
+        }
+        if (type === 'm2o') {
+            permissions.push({
+                collection: relation.related_collection,
+                permissions: getFilterForPath(type, [...path, `$FOLLOW(${relation.collection},${relation.field})`], rootItemPrimaryKeyField, rootItemPrimaryKey),
+            });
+            if ((_b = relation.meta) === null || _b === void 0 ? void 0 : _b.one_field) {
+                permissions.push(...traverse(schema, rootItemPrimaryKeyField, rootItemPrimaryKey, relation.related_collection, [...parentCollections, currentCollection], [...path, (_c = relation.meta) === null || _c === void 0 ? void 0 : _c.one_field]));
+            }
+        }
+    }
+    return permissions;
+}
+exports.traverse = traverse;
+function getFilterForPath(type, path, rootPrimaryKeyField, rootPrimaryKey) {
+    const filter = {};
+    if (type === 'm2o' || type === 'a2o') {
+        (0, lodash_1.set)(filter, path.reverse(), { [rootPrimaryKeyField]: { _eq: rootPrimaryKey } });
+    }
+    else {
+        (0, lodash_1.set)(filter, path.reverse(), { _eq: rootPrimaryKey });
+    }
+    return filter;
+}
+exports.getFilterForPath = getFilterForPath;

package/dist/utils/merge-permissions.d.ts

@@ -1,2 +1,14 @@
+/// <reference types="lodash" />
 import { Permission } from '@directus/shared/types';
-export declare function mergePermissions(...permissions: Permission[][]): Permission[];
+export declare function mergePermissions(strategy: 'and' | 'or', ...permissions: Permission[][]): Permission[];
+export declare function mergePermission(strategy: 'and' | 'or', currentPerm: Permission, newPerm: Permission): import("lodash").Omit<{
+    permissions: import("@directus/shared/types").Filter | null;
+    validation: import("@directus/shared/types").Filter | null;
+    fields: string[] | null;
+    presets: Record<string, any> | null;
+    id?: number | undefined;
+    role: string | null;
+    collection: string;
+    action: import("@directus/shared/types").PermissionsAction;
+    system?: true | undefined;
+}, "id" | "system">;