directus 9.22.4 → 9.23.3

package/dist/controllers/auth.js

@@ -4,17 +4,16 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 const express_1 = require("express");
+const drivers_1 = require("../auth/drivers");
+const constants_1 = require("../constants");
 const env_1 = __importDefault(require("../env"));
 const exceptions_1 = require("../exceptions");
+const logger_1 = __importDefault(require("../logger"));
 const respond_1 = require("../middleware/respond");
 const services_1 = require("../services");
 const async_handler_1 = __importDefault(require("../utils/async-handler"));
 const get_auth_providers_1 = require("../utils/get-auth-providers");
-const logger_1 = __importDefault(require("../logger"));
-const drivers_1 = require("../auth/drivers");
-const constants_1 = require("../constants");
 const get_ip_from_req_1 = require("../utils/get-ip-from-req");
-const constants_2 = require("../constants");
 const router = (0, express_1.Router)();
 const authProviders = (0, get_auth_providers_1.getAuthProviders)();
 for (const authProvider of authProviders) {
@@ -48,10 +47,14 @@ if (!env_1.default.AUTH_DISABLE_DEFAULT) {
 router.post('/refresh', (0, async_handler_1.default)(async (req, res, next) => {
     const accountability = {
         ip: (0, get_ip_from_req_1.getIPFromReq)(req),
-        userAgent: req.get('user-agent'),
-        origin: req.get('origin'),
         role: null,
     };
+    const userAgent = req.get('user-agent');
+    if (userAgent)
+        accountability.userAgent = userAgent;
+    const origin = req.get('origin');
+    if (origin)
+        accountability.origin = origin;
     const authenticationService = new services_1.AuthenticationService({
         accountability: accountability,
         schema: req.schema,
@@ -69,19 +72,22 @@ router.post('/refresh', (0, async_handler_1.default)(async (req, res, next) => {
         payload.data.refresh_token = refreshToken;
     }
     if (mode === 'cookie') {
-        res.cookie(env_1.default.REFRESH_TOKEN_COOKIE_NAME, refreshToken, constants_2.COOKIE_OPTIONS);
+        res.cookie(env_1.default.REFRESH_TOKEN_COOKIE_NAME, refreshToken, constants_1.COOKIE_OPTIONS);
     }
     res.locals.payload = payload;
     return next();
 }), respond_1.respond);
 router.post('/logout', (0, async_handler_1.default)(async (req, res, next) => {
-    var _a;
     const accountability = {
         ip: (0, get_ip_from_req_1.getIPFromReq)(req),
-        userAgent: req.get('user-agent'),
-        origin: req.get('origin'),
         role: null,
     };
+    const userAgent = req.get('user-agent');
+    if (userAgent)
+        accountability.userAgent = userAgent;
+    const origin = req.get('origin');
+    if (origin)
+        accountability.origin = origin;
     const authenticationService = new services_1.AuthenticationService({
         accountability: accountability,
         schema: req.schema,
@@ -95,7 +101,7 @@ router.post('/logout', (0, async_handler_1.default)(async (req, res, next) => {
         res.clearCookie(env_1.default.REFRESH_TOKEN_COOKIE_NAME, {
             httpOnly: true,
             domain: env_1.default.REFRESH_TOKEN_COOKIE_DOMAIN,
-            secure: (_a = env_1.default.REFRESH_TOKEN_COOKIE_SECURE) !== null && _a !== void 0 ? _a : false,
+            secure: env_1.default.REFRESH_TOKEN_COOKIE_SECURE ?? false,
             sameSite: env_1.default.REFRESH_TOKEN_COOKIE_SAME_SITE || 'strict',
         });
     }
@@ -107,10 +113,14 @@ router.post('/password/request', (0, async_handler_1.default)(async (req, res, n
     }
     const accountability = {
         ip: (0, get_ip_from_req_1.getIPFromReq)(req),
-        userAgent: req.get('user-agent'),
-        origin: req.get('origin'),
         role: null,
     };
+    const userAgent = req.get('user-agent');
+    if (userAgent)
+        accountability.userAgent = userAgent;
+    const origin = req.get('origin');
+    if (origin)
+        accountability.origin = origin;
     const service = new services_1.UsersService({ accountability, schema: req.schema });
     try {
         await service.requestPasswordReset(req.body.email, req.body.reset_url || null);
@@ -135,10 +145,14 @@ router.post('/password/reset', (0, async_handler_1.default)(async (req, res, nex
     }
     const accountability = {
         ip: (0, get_ip_from_req_1.getIPFromReq)(req),
-        userAgent: req.get('user-agent'),
-        origin: req.get('origin'),
         role: null,
     };
+    const userAgent = req.get('user-agent');
+    if (userAgent)
+        accountability.userAgent = userAgent;
+    const origin = req.get('origin');
+    if (origin)
+        accountability.origin = origin;
     const service = new services_1.UsersService({ accountability, schema: req.schema });
     await service.resetPassword(req.body.token, req.body.password);
     return next();

package/dist/controllers/dashboards.js

@@ -10,6 +10,7 @@ const use_collection_1 = __importDefault(require("../middleware/use-collection")
 const validate_batch_1 = require("../middleware/validate-batch");
 const services_1 = require("../services");
 const async_handler_1 = __importDefault(require("../utils/async-handler"));
+const sanitize_query_1 = require("../utils/sanitize-query");
 const router = express_1.default.Router();
 router.use((0, use_collection_1.default)('directus_dashboards'));
 router.post('/', (0, async_handler_1.default)(async (req, res, next) => {
@@ -82,7 +83,8 @@ router.patch('/', (0, validate_batch_1.validateBatch)('update'), (0, async_handl
         keys = await service.updateMany(req.body.keys, req.body.data);
     }
     else {
-        keys = await service.updateByQuery(req.body.query, req.body.data);
+        const sanitizedQuery = (0, sanitize_query_1.sanitizeQuery)(req.body.query, req.accountability);
+        keys = await service.updateByQuery(sanitizedQuery, req.body.data);
     }
     try {
         const result = await service.readMany(keys, req.sanitizedQuery);
@@ -126,7 +128,8 @@ router.delete('/', (0, async_handler_1.default)(async (req, res, next) => {
         await service.deleteMany(req.body.keys);
     }
     else {
-        await service.deleteByQuery(req.body.query);
+        const sanitizedQuery = (0, sanitize_query_1.sanitizeQuery)(req.body.query, req.accountability);
+        await service.deleteByQuery(sanitizedQuery);
     }
     return next();
 }), respond_1.respond);

package/dist/controllers/extensions.js

@@ -3,16 +3,16 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
+const constants_1 = require("@directus/shared/constants");
+const utils_1 = require("@directus/shared/utils");
 const express_1 = require("express");
-const async_handler_1 = __importDefault(require("../utils/async-handler"));
+const env_1 = __importDefault(require("../env"));
 const exceptions_1 = require("../exceptions");
 const extensions_1 = require("../extensions");
-const ms_1 = __importDefault(require("ms"));
-const env_1 = __importDefault(require("../env"));
-const get_cache_headers_1 = require("../utils/get-cache-headers");
 const respond_1 = require("../middleware/respond");
-const utils_1 = require("@directus/shared/utils");
-const constants_1 = require("@directus/shared/constants");
+const async_handler_1 = __importDefault(require("../utils/async-handler"));
+const get_cache_headers_1 = require("../utils/get-cache-headers");
+const get_milliseconds_1 = require("../utils/get-milliseconds");
 const router = (0, express_1.Router)();
 router.get('/:type', (0, async_handler_1.default)(async (req, res, next) => {
     const type = (0, utils_1.depluralize)(req.params.type);
@@ -33,7 +33,7 @@ router.get('/sources/index.js', (0, async_handler_1.default)(async (req, res) =>
         throw new exceptions_1.RouteNotFoundException(req.path);
     }
     res.setHeader('Content-Type', 'application/javascript; charset=UTF-8');
-    res.setHeader('Cache-Control', env_1.default.EXTENSIONS_CACHE_TTL ? (0, get_cache_headers_1.getCacheControlHeader)(req, (0, ms_1.default)(env_1.default.EXTENSIONS_CACHE_TTL)) : 'no-store');
+    res.setHeader('Cache-Control', (0, get_cache_headers_1.getCacheControlHeader)(req, (0, get_milliseconds_1.getMilliseconds)(env_1.default.EXTENSIONS_CACHE_TTL), false, false));
     res.setHeader('Vary', 'Origin, Cache-Control');
     res.end(extensionSource);
 }));

package/dist/controllers/fields.js

@@ -3,15 +3,15 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
+const constants_1 = require("@directus/shared/constants");
 const express_1 = require("express");
 const joi_1 = __importDefault(require("joi"));
-const constants_1 = require("../constants");
+const constants_2 = require("../constants");
 const exceptions_1 = require("../exceptions");
 const collection_exists_1 = __importDefault(require("../middleware/collection-exists"));
 const respond_1 = require("../middleware/respond");
 const use_collection_1 = __importDefault(require("../middleware/use-collection"));
 const fields_1 = require("../services/fields");
-const constants_2 = require("@directus/shared/constants");
 const async_handler_1 = __importDefault(require("../utils/async-handler"));
 const router = (0, express_1.Router)();
 router.use((0, use_collection_1.default)('directus_fields'));
@@ -46,7 +46,7 @@ const newFieldSchema = joi_1.default.object({
     collection: joi_1.default.string().optional(),
     field: joi_1.default.string().required(),
     type: joi_1.default.string()
-        .valid(...constants_2.TYPES, ...constants_1.ALIAS_TYPES)
+        .valid(...constants_1.TYPES, ...constants_2.ALIAS_TYPES)
         .allow(null)
         .optional(),
     schema: joi_1.default.object({
@@ -110,7 +110,7 @@ router.patch('/:collection', collection_exists_1.default, (0, async_handler_1.de
 }), respond_1.respond);
 const updateSchema = joi_1.default.object({
     type: joi_1.default.string()
-        .valid(...constants_2.TYPES, ...constants_1.ALIAS_TYPES)
+        .valid(...constants_1.TYPES, ...constants_2.ALIAS_TYPES)
         .allow(null),
     schema: joi_1.default.object({
         default_value: joi_1.default.any(),

package/dist/controllers/files.js

@@ -18,6 +18,7 @@ const services_1 = require("../services");
 const async_handler_1 = __importDefault(require("../utils/async-handler"));
 // @ts-ignore
 const format_title_1 = __importDefault(require("@directus/format-title"));
+const sanitize_query_1 = require("../utils/sanitize-query");
 const router = express_1.default.Router();
 router.use((0, use_collection_1.default)('directus_files'));
 const multipartHandler = (req, res, next) => {
@@ -63,12 +64,14 @@ const multipartHandler = (req, res, next) => {
             return busboy.emit('error', new exceptions_1.InvalidPayloadException(`File is missing filename`));
         }
         fileCount++;
-        if (!payload.title) {
-            payload.title = (0, format_title_1.default)(path_1.default.parse(filename).name);
+        if (!existingPrimaryKey) {
+            if (!payload.title) {
+                payload.title = (0, format_title_1.default)(path_1.default.parse(filename).name);
+            }
+            payload.filename_download = filename;
         }
         const payloadWithRequiredFields = {
             ...payload,
-            filename_download: filename,
             type: mimeType,
             storage: payload.storage || disk,
         };
@@ -93,7 +96,7 @@ const multipartHandler = (req, res, next) => {
     function tryDone() {
         if (savedFiles.length === fileCount) {
             if (fileCount === 0) {
-                return next(new exceptions_1.InvalidPayloadException(`No files where included in the body`));
+                return next(new exceptions_1.InvalidPayloadException(`No files were included in the body`));
             }
             res.locals.savedFiles = savedFiles;
             return next();
@@ -209,7 +212,8 @@ router.patch('/', (0, validate_batch_1.validateBatch)('update'), (0, async_handl
         keys = await service.updateMany(req.body.keys, req.body.data);
     }
     else {
-        keys = await service.updateByQuery(req.body.query, req.body.data);
+        const sanitizedQuery = (0, sanitize_query_1.sanitizeQuery)(req.body.query, req.accountability);
+        keys = await service.updateByQuery(sanitizedQuery, req.body.data);
     }
     try {
         const result = await service.readMany(keys, req.sanitizedQuery);
@@ -253,7 +257,8 @@ router.delete('/', (0, validate_batch_1.validateBatch)('delete'), (0, async_hand
         await service.deleteMany(req.body.keys);
     }
     else {
-        await service.deleteByQuery(req.body.query);
+        const sanitizedQuery = (0, sanitize_query_1.sanitizeQuery)(req.body.query, req.accountability);
+        await service.deleteByQuery(sanitizedQuery);
     }
     return next();
 }), respond_1.respond);

package/dist/controllers/flows.js

@@ -12,6 +12,7 @@ const use_collection_1 = __importDefault(require("../middleware/use-collection")
 const validate_batch_1 = require("../middleware/validate-batch");
 const services_1 = require("../services");
 const async_handler_1 = __importDefault(require("../utils/async-handler"));
+const sanitize_query_1 = require("../utils/sanitize-query");
 const router = express_1.default.Router();
 router.use((0, use_collection_1.default)('directus_flows'));
 const webhookFlowHandler = (0, async_handler_1.default)(async (req, res, next) => {
@@ -101,7 +102,8 @@ router.patch('/', (0, validate_batch_1.validateBatch)('update'), (0, async_handl
         keys = await service.updateMany(req.body.keys, req.body.data);
     }
     else {
-        keys = await service.updateByQuery(req.body.query, req.body.data);
+        const sanitizedQuery = (0, sanitize_query_1.sanitizeQuery)(req.body.query, req.accountability);
+        keys = await service.updateByQuery(sanitizedQuery, req.body.data);
     }
     try {
         const result = await service.readMany(keys, req.sanitizedQuery);
@@ -145,7 +147,8 @@ router.delete('/', (0, async_handler_1.default)(async (req, res, next) => {
         await service.deleteMany(req.body.keys);
     }
     else {
-        await service.deleteByQuery(req.body.query);
+        const sanitizedQuery = (0, sanitize_query_1.sanitizeQuery)(req.body.query, req.accountability);
+        await service.deleteByQuery(sanitizedQuery);
     }
     return next();
 }), respond_1.respond);

package/dist/controllers/folders.js

@@ -10,6 +10,7 @@ const use_collection_1 = __importDefault(require("../middleware/use-collection")
 const validate_batch_1 = require("../middleware/validate-batch");
 const services_1 = require("../services");
 const async_handler_1 = __importDefault(require("../utils/async-handler"));
+const sanitize_query_1 = require("../utils/sanitize-query");
 const router = express_1.default.Router();
 router.use((0, use_collection_1.default)('directus_folders'));
 router.post('/', (0, async_handler_1.default)(async (req, res, next) => {
@@ -91,7 +92,8 @@ router.patch('/', (0, validate_batch_1.validateBatch)('update'), (0, async_handl
         keys = await service.updateMany(req.body.keys, req.body.data);
     }
     else {
-        keys = await service.updateByQuery(req.body.query, req.body.data);
+        const sanitizedQuery = (0, sanitize_query_1.sanitizeQuery)(req.body.query, req.accountability);
+        keys = await service.updateByQuery(sanitizedQuery, req.body.data);
     }
     try {
         const result = await service.readMany(keys, req.sanitizedQuery);
@@ -135,7 +137,8 @@ router.delete('/', (0, validate_batch_1.validateBatch)('delete'), (0, async_hand
         await service.deleteMany(req.body.keys);
     }
     else {
-        await service.deleteByQuery(req.body.query);
+        const sanitizedQuery = (0, sanitize_query_1.sanitizeQuery)(req.body.query, req.accountability);
+        await service.deleteByQuery(sanitizedQuery);
     }
     return next();
 }), respond_1.respond);

package/dist/controllers/graphql.js

@@ -16,6 +16,9 @@ router.use('/system', graphql_1.parseGraphQL, (0, async_handler_1.default)(async
         scope: 'system',
     });
     res.locals.payload = await service.execute(res.locals.graphqlParams);
+    if (res.locals.payload?.errors?.length > 0) {
+        res.locals.cache = false;
+    }
     return next();
 }), respond_1.respond);
 router.use('/', graphql_1.parseGraphQL, (0, async_handler_1.default)(async (req, res, next) => {
@@ -25,6 +28,9 @@ router.use('/', graphql_1.parseGraphQL, (0, async_handler_1.default)(async (req,
         scope: 'items',
     });
     res.locals.payload = await service.execute(res.locals.graphqlParams);
+    if (res.locals.payload?.errors?.length > 0) {
+        res.locals.cache = false;
+    }
     return next();
 }), respond_1.respond);
 exports.default = router;

package/dist/controllers/items.js

@@ -10,6 +10,7 @@ const respond_1 = require("../middleware/respond");
 const validate_batch_1 = require("../middleware/validate-batch");
 const services_1 = require("../services");
 const async_handler_1 = __importDefault(require("../utils/async-handler"));
+const sanitize_query_1 = require("../utils/sanitize-query");
 const router = express_1.default.Router();
 router.post('/:collection', collection_exists_1.default, (0, async_handler_1.default)(async (req, res, next) => {
     if (req.params.collection.startsWith('directus_'))
@@ -112,7 +113,8 @@ router.patch('/:collection', collection_exists_1.default, (0, validate_batch_1.v
         keys = await service.updateMany(req.body.keys, req.body.data);
     }
     else {
-        keys = await service.updateByQuery(req.body.query, req.body.data);
+        const sanitizedQuery = (0, sanitize_query_1.sanitizeQuery)(req.body.query, req.accountability);
+        keys = await service.updateByQuery(sanitizedQuery, req.body.data);
     }
     try {
         const result = await service.readMany(keys, req.sanitizedQuery);
@@ -163,7 +165,8 @@ router.delete('/:collection', collection_exists_1.default, (0, validate_batch_1.
         await service.deleteMany(req.body.keys);
     }
     else {
-        await service.deleteByQuery(req.body.query);
+        const sanitizedQuery = (0, sanitize_query_1.sanitizeQuery)(req.body.query, req.accountability);
+        await service.deleteByQuery(sanitizedQuery);
     }
     return next();
 }), respond_1.respond);

package/dist/controllers/not-found.d.ts

@@ -1,4 +1,4 @@
-import { RequestHandler } from 'express';
+import type { RequestHandler } from 'express';
 /**
  * Handles not found routes.
  *

package/dist/controllers/not-found.js

@@ -18,12 +18,11 @@ const exceptions_1 = require("../exceptions");
  * @param next
  */
 const notFound = async (req, res, next) => {
-    var _a;
     try {
         const hooksResult = await emitter_1.default.emitFilter('request.not_found', false, { request: req, response: res }, {
             database: (0, database_1.default)(),
             schema: req.schema,
-            accountability: (_a = req.accountability) !== null && _a !== void 0 ? _a : null,
+            accountability: req.accountability ?? null,
         });
         if (hooksResult) {
             return next();

package/dist/controllers/notifications.js

@@ -10,6 +10,7 @@ const use_collection_1 = __importDefault(require("../middleware/use-collection")
 const validate_batch_1 = require("../middleware/validate-batch");
 const services_1 = require("../services");
 const async_handler_1 = __importDefault(require("../utils/async-handler"));
+const sanitize_query_1 = require("../utils/sanitize-query");
 const router = express_1.default.Router();
 router.use((0, use_collection_1.default)('directus_notifications'));
 router.post('/', (0, async_handler_1.default)(async (req, res, next) => {
@@ -91,7 +92,8 @@ router.patch('/', (0, validate_batch_1.validateBatch)('update'), (0, async_handl
         keys = await service.updateMany(req.body.keys, req.body.data);
     }
     else {
-        keys = await service.updateByQuery(req.body.query, req.body.data);
+        const sanitizedQuery = (0, sanitize_query_1.sanitizeQuery)(req.body.query, req.accountability);
+        keys = await service.updateByQuery(sanitizedQuery, req.body.data);
     }
     try {
         const result = await service.readMany(keys, req.sanitizedQuery);
@@ -135,7 +137,8 @@ router.delete('/', (0, validate_batch_1.validateBatch)('delete'), (0, async_hand
         await service.deleteMany(req.body.keys);
     }
     else {
-        await service.deleteByQuery(req.body.query);
+        const sanitizedQuery = (0, sanitize_query_1.sanitizeQuery)(req.body.query, req.accountability);
+        await service.deleteByQuery(sanitizedQuery);
     }
     return next();
 }), respond_1.respond);

package/dist/controllers/operations.js

@@ -10,6 +10,7 @@ const use_collection_1 = __importDefault(require("../middleware/use-collection")
 const validate_batch_1 = require("../middleware/validate-batch");
 const services_1 = require("../services");
 const async_handler_1 = __importDefault(require("../utils/async-handler"));
+const sanitize_query_1 = require("../utils/sanitize-query");
 const router = express_1.default.Router();
 router.use((0, use_collection_1.default)('directus_operations'));
 router.post('/', (0, async_handler_1.default)(async (req, res, next) => {
@@ -82,7 +83,8 @@ router.patch('/', (0, validate_batch_1.validateBatch)('update'), (0, async_handl
         keys = await service.updateMany(req.body.keys, req.body.data);
     }
     else {
-        keys = await service.updateByQuery(req.body.query, req.body.data);
+        const sanitizedQuery = (0, sanitize_query_1.sanitizeQuery)(req.body.query, req.accountability);
+        keys = await service.updateByQuery(sanitizedQuery, req.body.data);
     }
     try {
         const result = await service.readMany(keys, req.sanitizedQuery);
@@ -126,7 +128,8 @@ router.delete('/', (0, async_handler_1.default)(async (req, res, next) => {
         await service.deleteMany(req.body.keys);
     }
     else {
-        await service.deleteByQuery(req.body.query);
+        const sanitizedQuery = (0, sanitize_query_1.sanitizeQuery)(req.body.query, req.accountability);
+        await service.deleteByQuery(sanitizedQuery);
     }
     return next();
 }), respond_1.respond);

package/dist/controllers/panels.js

@@ -10,6 +10,7 @@ const use_collection_1 = __importDefault(require("../middleware/use-collection")
 const validate_batch_1 = require("../middleware/validate-batch");
 const services_1 = require("../services");
 const async_handler_1 = __importDefault(require("../utils/async-handler"));
+const sanitize_query_1 = require("../utils/sanitize-query");
 const router = express_1.default.Router();
 router.use((0, use_collection_1.default)('directus_panels'));
 router.post('/', (0, async_handler_1.default)(async (req, res, next) => {
@@ -82,7 +83,8 @@ router.patch('/', (0, validate_batch_1.validateBatch)('update'), (0, async_handl
         keys = await service.updateMany(req.body.keys, req.body.data);
     }
     else {
-        keys = await service.updateByQuery(req.body.query, req.body.data);
+        const sanitizedQuery = (0, sanitize_query_1.sanitizeQuery)(req.body.query, req.accountability);
+        keys = await service.updateByQuery(sanitizedQuery, req.body.data);
     }
     try {
         const result = await service.readMany(keys, req.sanitizedQuery);
@@ -126,7 +128,8 @@ router.delete('/', (0, async_handler_1.default)(async (req, res, next) => {
         await service.deleteMany(req.body.keys);
     }
     else {
-        await service.deleteByQuery(req.body.query);
+        const sanitizedQuery = (0, sanitize_query_1.sanitizeQuery)(req.body.query, req.accountability);
+        await service.deleteByQuery(sanitizedQuery);
     }
     return next();
 }), respond_1.respond);

package/dist/controllers/permissions.js

@@ -10,6 +10,7 @@ const use_collection_1 = __importDefault(require("../middleware/use-collection")
 const validate_batch_1 = require("../middleware/validate-batch");
 const services_1 = require("../services");
 const async_handler_1 = __importDefault(require("../utils/async-handler"));
+const sanitize_query_1 = require("../utils/sanitize-query");
 const router = express_1.default.Router();
 router.use((0, use_collection_1.default)('directus_permissions'));
 router.post('/', (0, async_handler_1.default)(async (req, res, next) => {
@@ -93,7 +94,8 @@ router.patch('/', (0, validate_batch_1.validateBatch)('update'), (0, async_handl
         keys = await service.updateMany(req.body.keys, req.body.data);
     }
     else {
-        keys = await service.updateByQuery(req.body.query, req.body.data);
+        const sanitizedQuery = (0, sanitize_query_1.sanitizeQuery)(req.body.query, req.accountability);
+        keys = await service.updateByQuery(sanitizedQuery, req.body.data);
     }
     try {
         const result = await service.readMany(keys, req.sanitizedQuery);
@@ -137,7 +139,8 @@ router.delete('/', (0, validate_batch_1.validateBatch)('delete'), (0, async_hand
         await service.deleteMany(req.body.keys);
     }
     else {
-        await service.deleteByQuery(req.body.query);
+        const sanitizedQuery = (0, sanitize_query_1.sanitizeQuery)(req.body.query, req.accountability);
+        await service.deleteByQuery(sanitizedQuery);
     }
     return next();
 }), respond_1.respond);

package/dist/controllers/presets.js

@@ -10,6 +10,7 @@ const use_collection_1 = __importDefault(require("../middleware/use-collection")
 const validate_batch_1 = require("../middleware/validate-batch");
 const services_1 = require("../services");
 const async_handler_1 = __importDefault(require("../utils/async-handler"));
+const sanitize_query_1 = require("../utils/sanitize-query");
 const router = express_1.default.Router();
 router.use((0, use_collection_1.default)('directus_presets'));
 router.post('/', (0, async_handler_1.default)(async (req, res, next) => {
@@ -91,7 +92,8 @@ router.patch('/', (0, validate_batch_1.validateBatch)('update'), (0, async_handl
         keys = await service.updateMany(req.body.keys, req.body.data);
     }
     else {
-        keys = await service.updateByQuery(req.body.query, req.body.data);
+        const sanitizedQuery = (0, sanitize_query_1.sanitizeQuery)(req.body.query, req.accountability);
+        keys = await service.updateByQuery(sanitizedQuery, req.body.data);
     }
     try {
         const result = await service.readMany(keys, req.sanitizedQuery);
@@ -135,7 +137,8 @@ router.delete('/', (0, validate_batch_1.validateBatch)('delete'), (0, async_hand
         await service.deleteMany(req.body.keys);
     }
     else {
-        await service.deleteByQuery(req.body.query);
+        const sanitizedQuery = (0, sanitize_query_1.sanitizeQuery)(req.body.query, req.accountability);
+        await service.deleteByQuery(sanitizedQuery);
     }
     return next();
 }), respond_1.respond);

package/dist/controllers/roles.js

@@ -10,6 +10,7 @@ const use_collection_1 = __importDefault(require("../middleware/use-collection")
 const validate_batch_1 = require("../middleware/validate-batch");
 const services_1 = require("../services");
 const async_handler_1 = __importDefault(require("../utils/async-handler"));
+const sanitize_query_1 = require("../utils/sanitize-query");
 const router = express_1.default.Router();
 router.use((0, use_collection_1.default)('directus_roles'));
 router.post('/', (0, async_handler_1.default)(async (req, res, next) => {
@@ -82,7 +83,8 @@ router.patch('/', (0, validate_batch_1.validateBatch)('update'), (0, async_handl
         keys = await service.updateMany(req.body.keys, req.body.data);
     }
     else {
-        keys = await service.updateByQuery(req.body.query, req.body.data);
+        const sanitizedQuery = (0, sanitize_query_1.sanitizeQuery)(req.body.query, req.accountability);
+        keys = await service.updateByQuery(sanitizedQuery, req.body.data);
     }
     try {
         const result = await service.readMany(keys, req.sanitizedQuery);
@@ -126,7 +128,8 @@ router.delete('/', (0, validate_batch_1.validateBatch)('delete'), (0, async_hand
         await service.deleteMany(req.body.keys);
     }
     else {
-        await service.deleteByQuery(req.body.query);
+        const sanitizedQuery = (0, sanitize_query_1.sanitizeQuery)(req.body.query, req.accountability);
+        await service.deleteByQuery(sanitizedQuery);
     }
     return next();
 }), respond_1.respond);

package/dist/controllers/schema.d.ts

@@ -0,0 +1,2 @@
+declare const router: import("express-serve-static-core").Router;
+export default router;