directus 9.23.1 → 9.23.3

package/dist/controllers/flows.js

@@ -12,6 +12,7 @@ const use_collection_1 = __importDefault(require("../middleware/use-collection")
 const validate_batch_1 = require("../middleware/validate-batch");
 const services_1 = require("../services");
 const async_handler_1 = __importDefault(require("../utils/async-handler"));
+const sanitize_query_1 = require("../utils/sanitize-query");
 const router = express_1.default.Router();
 router.use((0, use_collection_1.default)('directus_flows'));
 const webhookFlowHandler = (0, async_handler_1.default)(async (req, res, next) => {
@@ -101,7 +102,8 @@ router.patch('/', (0, validate_batch_1.validateBatch)('update'), (0, async_handl
         keys = await service.updateMany(req.body.keys, req.body.data);
     }
     else {
-        keys = await service.updateByQuery(req.body.query, req.body.data);
+        const sanitizedQuery = (0, sanitize_query_1.sanitizeQuery)(req.body.query, req.accountability);
+        keys = await service.updateByQuery(sanitizedQuery, req.body.data);
     }
     try {
         const result = await service.readMany(keys, req.sanitizedQuery);
@@ -145,7 +147,8 @@ router.delete('/', (0, async_handler_1.default)(async (req, res, next) => {
         await service.deleteMany(req.body.keys);
     }
     else {
-        await service.deleteByQuery(req.body.query);
+        const sanitizedQuery = (0, sanitize_query_1.sanitizeQuery)(req.body.query, req.accountability);
+        await service.deleteByQuery(sanitizedQuery);
     }
     return next();
 }), respond_1.respond);

package/dist/controllers/folders.js

@@ -10,6 +10,7 @@ const use_collection_1 = __importDefault(require("../middleware/use-collection")
 const validate_batch_1 = require("../middleware/validate-batch");
 const services_1 = require("../services");
 const async_handler_1 = __importDefault(require("../utils/async-handler"));
+const sanitize_query_1 = require("../utils/sanitize-query");
 const router = express_1.default.Router();
 router.use((0, use_collection_1.default)('directus_folders'));
 router.post('/', (0, async_handler_1.default)(async (req, res, next) => {
@@ -91,7 +92,8 @@ router.patch('/', (0, validate_batch_1.validateBatch)('update'), (0, async_handl
         keys = await service.updateMany(req.body.keys, req.body.data);
     }
     else {
-        keys = await service.updateByQuery(req.body.query, req.body.data);
+        const sanitizedQuery = (0, sanitize_query_1.sanitizeQuery)(req.body.query, req.accountability);
+        keys = await service.updateByQuery(sanitizedQuery, req.body.data);
     }
     try {
         const result = await service.readMany(keys, req.sanitizedQuery);
@@ -135,7 +137,8 @@ router.delete('/', (0, validate_batch_1.validateBatch)('delete'), (0, async_hand
         await service.deleteMany(req.body.keys);
     }
     else {
-        await service.deleteByQuery(req.body.query);
+        const sanitizedQuery = (0, sanitize_query_1.sanitizeQuery)(req.body.query, req.accountability);
+        await service.deleteByQuery(sanitizedQuery);
     }
     return next();
 }), respond_1.respond);

package/dist/controllers/graphql.js

@@ -10,27 +10,25 @@ const services_1 = require("../services");
 const async_handler_1 = __importDefault(require("../utils/async-handler"));
 const router = (0, express_1.Router)();
 router.use('/system', graphql_1.parseGraphQL, (0, async_handler_1.default)(async (req, res, next) => {
-    var _a, _b;
     const service = new services_1.GraphQLService({
         accountability: req.accountability,
         schema: req.schema,
         scope: 'system',
     });
     res.locals.payload = await service.execute(res.locals.graphqlParams);
-    if (((_b = (_a = res.locals.payload) === null || _a === void 0 ? void 0 : _a.errors) === null || _b === void 0 ? void 0 : _b.length) > 0) {
+    if (res.locals.payload?.errors?.length > 0) {
         res.locals.cache = false;
     }
     return next();
 }), respond_1.respond);
 router.use('/', graphql_1.parseGraphQL, (0, async_handler_1.default)(async (req, res, next) => {
-    var _a, _b;
     const service = new services_1.GraphQLService({
         accountability: req.accountability,
         schema: req.schema,
         scope: 'items',
     });
     res.locals.payload = await service.execute(res.locals.graphqlParams);
-    if (((_b = (_a = res.locals.payload) === null || _a === void 0 ? void 0 : _a.errors) === null || _b === void 0 ? void 0 : _b.length) > 0) {
+    if (res.locals.payload?.errors?.length > 0) {
         res.locals.cache = false;
     }
     return next();

package/dist/controllers/items.js

@@ -10,6 +10,7 @@ const respond_1 = require("../middleware/respond");
 const validate_batch_1 = require("../middleware/validate-batch");
 const services_1 = require("../services");
 const async_handler_1 = __importDefault(require("../utils/async-handler"));
+const sanitize_query_1 = require("../utils/sanitize-query");
 const router = express_1.default.Router();
 router.post('/:collection', collection_exists_1.default, (0, async_handler_1.default)(async (req, res, next) => {
     if (req.params.collection.startsWith('directus_'))
@@ -112,7 +113,8 @@ router.patch('/:collection', collection_exists_1.default, (0, validate_batch_1.v
         keys = await service.updateMany(req.body.keys, req.body.data);
     }
     else {
-        keys = await service.updateByQuery(req.body.query, req.body.data);
+        const sanitizedQuery = (0, sanitize_query_1.sanitizeQuery)(req.body.query, req.accountability);
+        keys = await service.updateByQuery(sanitizedQuery, req.body.data);
     }
     try {
         const result = await service.readMany(keys, req.sanitizedQuery);
@@ -163,7 +165,8 @@ router.delete('/:collection', collection_exists_1.default, (0, validate_batch_1.
         await service.deleteMany(req.body.keys);
     }
     else {
-        await service.deleteByQuery(req.body.query);
+        const sanitizedQuery = (0, sanitize_query_1.sanitizeQuery)(req.body.query, req.accountability);
+        await service.deleteByQuery(sanitizedQuery);
     }
     return next();
 }), respond_1.respond);

package/dist/controllers/not-found.d.ts

@@ -1,4 +1,4 @@
-import { RequestHandler } from 'express';
+import type { RequestHandler } from 'express';
 /**
  * Handles not found routes.
  *

package/dist/controllers/not-found.js

@@ -18,12 +18,11 @@ const exceptions_1 = require("../exceptions");
  * @param next
  */
 const notFound = async (req, res, next) => {
-    var _a;
     try {
         const hooksResult = await emitter_1.default.emitFilter('request.not_found', false, { request: req, response: res }, {
             database: (0, database_1.default)(),
             schema: req.schema,
-            accountability: (_a = req.accountability) !== null && _a !== void 0 ? _a : null,
+            accountability: req.accountability ?? null,
         });
         if (hooksResult) {
             return next();

package/dist/controllers/notifications.js

@@ -10,6 +10,7 @@ const use_collection_1 = __importDefault(require("../middleware/use-collection")
 const validate_batch_1 = require("../middleware/validate-batch");
 const services_1 = require("../services");
 const async_handler_1 = __importDefault(require("../utils/async-handler"));
+const sanitize_query_1 = require("../utils/sanitize-query");
 const router = express_1.default.Router();
 router.use((0, use_collection_1.default)('directus_notifications'));
 router.post('/', (0, async_handler_1.default)(async (req, res, next) => {
@@ -91,7 +92,8 @@ router.patch('/', (0, validate_batch_1.validateBatch)('update'), (0, async_handl
         keys = await service.updateMany(req.body.keys, req.body.data);
     }
     else {
-        keys = await service.updateByQuery(req.body.query, req.body.data);
+        const sanitizedQuery = (0, sanitize_query_1.sanitizeQuery)(req.body.query, req.accountability);
+        keys = await service.updateByQuery(sanitizedQuery, req.body.data);
     }
     try {
         const result = await service.readMany(keys, req.sanitizedQuery);
@@ -135,7 +137,8 @@ router.delete('/', (0, validate_batch_1.validateBatch)('delete'), (0, async_hand
         await service.deleteMany(req.body.keys);
     }
     else {
-        await service.deleteByQuery(req.body.query);
+        const sanitizedQuery = (0, sanitize_query_1.sanitizeQuery)(req.body.query, req.accountability);
+        await service.deleteByQuery(sanitizedQuery);
     }
     return next();
 }), respond_1.respond);

package/dist/controllers/operations.js

@@ -10,6 +10,7 @@ const use_collection_1 = __importDefault(require("../middleware/use-collection")
 const validate_batch_1 = require("../middleware/validate-batch");
 const services_1 = require("../services");
 const async_handler_1 = __importDefault(require("../utils/async-handler"));
+const sanitize_query_1 = require("../utils/sanitize-query");
 const router = express_1.default.Router();
 router.use((0, use_collection_1.default)('directus_operations'));
 router.post('/', (0, async_handler_1.default)(async (req, res, next) => {
@@ -82,7 +83,8 @@ router.patch('/', (0, validate_batch_1.validateBatch)('update'), (0, async_handl
         keys = await service.updateMany(req.body.keys, req.body.data);
     }
     else {
-        keys = await service.updateByQuery(req.body.query, req.body.data);
+        const sanitizedQuery = (0, sanitize_query_1.sanitizeQuery)(req.body.query, req.accountability);
+        keys = await service.updateByQuery(sanitizedQuery, req.body.data);
     }
     try {
         const result = await service.readMany(keys, req.sanitizedQuery);
@@ -126,7 +128,8 @@ router.delete('/', (0, async_handler_1.default)(async (req, res, next) => {
         await service.deleteMany(req.body.keys);
     }
     else {
-        await service.deleteByQuery(req.body.query);
+        const sanitizedQuery = (0, sanitize_query_1.sanitizeQuery)(req.body.query, req.accountability);
+        await service.deleteByQuery(sanitizedQuery);
     }
     return next();
 }), respond_1.respond);

package/dist/controllers/panels.js

@@ -10,6 +10,7 @@ const use_collection_1 = __importDefault(require("../middleware/use-collection")
 const validate_batch_1 = require("../middleware/validate-batch");
 const services_1 = require("../services");
 const async_handler_1 = __importDefault(require("../utils/async-handler"));
+const sanitize_query_1 = require("../utils/sanitize-query");
 const router = express_1.default.Router();
 router.use((0, use_collection_1.default)('directus_panels'));
 router.post('/', (0, async_handler_1.default)(async (req, res, next) => {
@@ -82,7 +83,8 @@ router.patch('/', (0, validate_batch_1.validateBatch)('update'), (0, async_handl
         keys = await service.updateMany(req.body.keys, req.body.data);
     }
     else {
-        keys = await service.updateByQuery(req.body.query, req.body.data);
+        const sanitizedQuery = (0, sanitize_query_1.sanitizeQuery)(req.body.query, req.accountability);
+        keys = await service.updateByQuery(sanitizedQuery, req.body.data);
     }
     try {
         const result = await service.readMany(keys, req.sanitizedQuery);
@@ -126,7 +128,8 @@ router.delete('/', (0, async_handler_1.default)(async (req, res, next) => {
         await service.deleteMany(req.body.keys);
     }
     else {
-        await service.deleteByQuery(req.body.query);
+        const sanitizedQuery = (0, sanitize_query_1.sanitizeQuery)(req.body.query, req.accountability);
+        await service.deleteByQuery(sanitizedQuery);
     }
     return next();
 }), respond_1.respond);

package/dist/controllers/permissions.js

@@ -10,6 +10,7 @@ const use_collection_1 = __importDefault(require("../middleware/use-collection")
 const validate_batch_1 = require("../middleware/validate-batch");
 const services_1 = require("../services");
 const async_handler_1 = __importDefault(require("../utils/async-handler"));
+const sanitize_query_1 = require("../utils/sanitize-query");
 const router = express_1.default.Router();
 router.use((0, use_collection_1.default)('directus_permissions'));
 router.post('/', (0, async_handler_1.default)(async (req, res, next) => {
@@ -93,7 +94,8 @@ router.patch('/', (0, validate_batch_1.validateBatch)('update'), (0, async_handl
         keys = await service.updateMany(req.body.keys, req.body.data);
     }
     else {
-        keys = await service.updateByQuery(req.body.query, req.body.data);
+        const sanitizedQuery = (0, sanitize_query_1.sanitizeQuery)(req.body.query, req.accountability);
+        keys = await service.updateByQuery(sanitizedQuery, req.body.data);
     }
     try {
         const result = await service.readMany(keys, req.sanitizedQuery);
@@ -137,7 +139,8 @@ router.delete('/', (0, validate_batch_1.validateBatch)('delete'), (0, async_hand
         await service.deleteMany(req.body.keys);
     }
     else {
-        await service.deleteByQuery(req.body.query);
+        const sanitizedQuery = (0, sanitize_query_1.sanitizeQuery)(req.body.query, req.accountability);
+        await service.deleteByQuery(sanitizedQuery);
     }
     return next();
 }), respond_1.respond);

package/dist/controllers/presets.js

@@ -10,6 +10,7 @@ const use_collection_1 = __importDefault(require("../middleware/use-collection")
 const validate_batch_1 = require("../middleware/validate-batch");
 const services_1 = require("../services");
 const async_handler_1 = __importDefault(require("../utils/async-handler"));
+const sanitize_query_1 = require("../utils/sanitize-query");
 const router = express_1.default.Router();
 router.use((0, use_collection_1.default)('directus_presets'));
 router.post('/', (0, async_handler_1.default)(async (req, res, next) => {
@@ -91,7 +92,8 @@ router.patch('/', (0, validate_batch_1.validateBatch)('update'), (0, async_handl
         keys = await service.updateMany(req.body.keys, req.body.data);
     }
     else {
-        keys = await service.updateByQuery(req.body.query, req.body.data);
+        const sanitizedQuery = (0, sanitize_query_1.sanitizeQuery)(req.body.query, req.accountability);
+        keys = await service.updateByQuery(sanitizedQuery, req.body.data);
     }
     try {
         const result = await service.readMany(keys, req.sanitizedQuery);
@@ -135,7 +137,8 @@ router.delete('/', (0, validate_batch_1.validateBatch)('delete'), (0, async_hand
         await service.deleteMany(req.body.keys);
     }
     else {
-        await service.deleteByQuery(req.body.query);
+        const sanitizedQuery = (0, sanitize_query_1.sanitizeQuery)(req.body.query, req.accountability);
+        await service.deleteByQuery(sanitizedQuery);
     }
     return next();
 }), respond_1.respond);

package/dist/controllers/roles.js

@@ -10,6 +10,7 @@ const use_collection_1 = __importDefault(require("../middleware/use-collection")
 const validate_batch_1 = require("../middleware/validate-batch");
 const services_1 = require("../services");
 const async_handler_1 = __importDefault(require("../utils/async-handler"));
+const sanitize_query_1 = require("../utils/sanitize-query");
 const router = express_1.default.Router();
 router.use((0, use_collection_1.default)('directus_roles'));
 router.post('/', (0, async_handler_1.default)(async (req, res, next) => {
@@ -82,7 +83,8 @@ router.patch('/', (0, validate_batch_1.validateBatch)('update'), (0, async_handl
         keys = await service.updateMany(req.body.keys, req.body.data);
     }
     else {
-        keys = await service.updateByQuery(req.body.query, req.body.data);
+        const sanitizedQuery = (0, sanitize_query_1.sanitizeQuery)(req.body.query, req.accountability);
+        keys = await service.updateByQuery(sanitizedQuery, req.body.data);
     }
     try {
         const result = await service.readMany(keys, req.sanitizedQuery);
@@ -126,7 +128,8 @@ router.delete('/', (0, validate_batch_1.validateBatch)('delete'), (0, async_hand
         await service.deleteMany(req.body.keys);
     }
     else {
-        await service.deleteByQuery(req.body.query);
+        const sanitizedQuery = (0, sanitize_query_1.sanitizeQuery)(req.body.query, req.accountability);
+        await service.deleteByQuery(sanitizedQuery);
     }
     return next();
 }), respond_1.respond);

package/dist/controllers/shares.js

@@ -4,15 +4,16 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 const express_1 = __importDefault(require("express"));
+const joi_1 = __importDefault(require("joi"));
+const constants_1 = require("../constants");
+const env_1 = __importDefault(require("../env"));
 const exceptions_1 = require("../exceptions");
 const respond_1 = require("../middleware/respond");
 const use_collection_1 = __importDefault(require("../middleware/use-collection"));
 const validate_batch_1 = require("../middleware/validate-batch");
 const services_1 = require("../services");
 const async_handler_1 = __importDefault(require("../utils/async-handler"));
-const constants_1 = require("../constants");
-const joi_1 = __importDefault(require("joi"));
-const env_1 = __importDefault(require("../env"));
+const sanitize_query_1 = require("../utils/sanitize-query");
 const router = express_1.default.Router();
 router.use((0, use_collection_1.default)('directus_shares'));
 const sharedLoginSchema = joi_1.default.object({
@@ -156,7 +157,8 @@ router.patch('/', (0, validate_batch_1.validateBatch)('update'), (0, async_handl
         keys = await service.updateMany(req.body.keys, req.body.data);
     }
     else {
-        keys = await service.updateByQuery(req.body.query, req.body.data);
+        const sanitizedQuery = (0, sanitize_query_1.sanitizeQuery)(req.body.query, req.accountability);
+        keys = await service.updateByQuery(sanitizedQuery, req.body.data);
     }
     try {
         const result = await service.readMany(keys, req.sanitizedQuery);
@@ -200,7 +202,8 @@ router.delete('/', (0, async_handler_1.default)(async (req, _res, next) => {
         await service.deleteMany(req.body.keys);
     }
     else {
-        await service.deleteByQuery(req.body.query);
+        const sanitizedQuery = (0, sanitize_query_1.sanitizeQuery)(req.body.query, req.accountability);
+        await service.deleteByQuery(sanitizedQuery);
     }
     return next();
 }), respond_1.respond);

package/dist/controllers/users.js

@@ -11,6 +11,7 @@ const use_collection_1 = __importDefault(require("../middleware/use-collection")
 const validate_batch_1 = require("../middleware/validate-batch");
 const services_1 = require("../services");
 const async_handler_1 = __importDefault(require("../utils/async-handler"));
+const sanitize_query_1 = require("../utils/sanitize-query");
 const router = express_1.default.Router();
 router.use((0, use_collection_1.default)('directus_users'));
 router.post('/', (0, async_handler_1.default)(async (req, res, next) => {
@@ -62,10 +63,9 @@ const readHandler = (0, async_handler_1.default)(async (req, res, next) => {
 router.get('/', (0, validate_batch_1.validateBatch)('read'), readHandler, respond_1.respond);
 router.search('/', (0, validate_batch_1.validateBatch)('read'), readHandler, respond_1.respond);
 router.get('/me', (0, async_handler_1.default)(async (req, res, next) => {
-    var _a, _b, _c;
-    if ((_a = req.accountability) === null || _a === void 0 ? void 0 : _a.share_scope) {
+    if (req.accountability?.share_scope) {
         const user = {
-            share: (_b = req.accountability) === null || _b === void 0 ? void 0 : _b.share,
+            share: req.accountability?.share,
             role: {
                 id: req.accountability.role,
                 admin_access: false,
@@ -75,7 +75,7 @@ router.get('/me', (0, async_handler_1.default)(async (req, res, next) => {
         res.locals.payload = { data: user };
         return next();
     }
-    if (!((_c = req.accountability) === null || _c === void 0 ? void 0 : _c.user)) {
+    if (!req.accountability?.user) {
         throw new exceptions_1.InvalidCredentialsException();
     }
     const service = new services_1.UsersService({
@@ -107,8 +107,7 @@ router.get('/:pk', (0, async_handler_1.default)(async (req, res, next) => {
     return next();
 }), respond_1.respond);
 router.patch('/me', (0, async_handler_1.default)(async (req, res, next) => {
-    var _a;
-    if (!((_a = req.accountability) === null || _a === void 0 ? void 0 : _a.user)) {
+    if (!req.accountability?.user) {
         throw new exceptions_1.InvalidCredentialsException();
     }
     const service = new services_1.UsersService({
@@ -121,8 +120,7 @@ router.patch('/me', (0, async_handler_1.default)(async (req, res, next) => {
     return next();
 }), respond_1.respond);
 router.patch('/me/track/page', (0, async_handler_1.default)(async (req, _res, next) => {
-    var _a;
-    if (!((_a = req.accountability) === null || _a === void 0 ? void 0 : _a.user)) {
+    if (!req.accountability?.user) {
         throw new exceptions_1.InvalidCredentialsException();
     }
     if (!req.body.last_page) {
@@ -145,7 +143,8 @@ router.patch('/', (0, validate_batch_1.validateBatch)('update'), (0, async_handl
         keys = await service.updateMany(req.body.keys, req.body.data);
     }
     else {
-        keys = await service.updateByQuery(req.body.query, req.body.data);
+        const sanitizedQuery = (0, sanitize_query_1.sanitizeQuery)(req.body.query, req.accountability);
+        keys = await service.updateByQuery(sanitizedQuery, req.body.data);
     }
     try {
         const result = await service.readMany(keys, req.sanitizedQuery);
@@ -189,7 +188,8 @@ router.delete('/', (0, validate_batch_1.validateBatch)('delete'), (0, async_hand
         await service.deleteMany(req.body.keys);
     }
     else {
-        await service.deleteByQuery(req.body.query);
+        const sanitizedQuery = (0, sanitize_query_1.sanitizeQuery)(req.body.query, req.accountability);
+        await service.deleteByQuery(sanitizedQuery);
     }
     return next();
 }), respond_1.respond);
@@ -233,8 +233,7 @@ router.post('/invite/accept', (0, async_handler_1.default)(async (req, _res, nex
     return next();
 }), respond_1.respond);
 router.post('/me/tfa/generate/', (0, async_handler_1.default)(async (req, res, next) => {
-    var _a;
-    if (!((_a = req.accountability) === null || _a === void 0 ? void 0 : _a.user)) {
+    if (!req.accountability?.user) {
         throw new exceptions_1.InvalidCredentialsException();
     }
     if (!req.body.password) {
@@ -254,8 +253,7 @@ router.post('/me/tfa/generate/', (0, async_handler_1.default)(async (req, res, n
     return next();
 }), respond_1.respond);
 router.post('/me/tfa/enable/', (0, async_handler_1.default)(async (req, _res, next) => {
-    var _a, _b;
-    if (!((_a = req.accountability) === null || _a === void 0 ? void 0 : _a.user)) {
+    if (!req.accountability?.user) {
         throw new exceptions_1.InvalidCredentialsException();
     }
     if (!req.body.secret) {
@@ -271,7 +269,7 @@ router.post('/me/tfa/enable/', (0, async_handler_1.default)(async (req, _res, ne
         });
         const role = (await rolesService.readOne(req.accountability.role));
         if (role && role.enforce_tfa) {
-            const existingPermission = await ((_b = req.accountability.permissions) === null || _b === void 0 ? void 0 : _b.find((p) => p.collection === 'directus_users' && p.action === 'update'));
+            const existingPermission = await req.accountability.permissions?.find((p) => p.collection === 'directus_users' && p.action === 'update');
             if (existingPermission) {
                 existingPermission.fields = ['tfa_secret'];
                 existingPermission.permissions = { id: { _eq: req.accountability.user } };
@@ -299,8 +297,7 @@ router.post('/me/tfa/enable/', (0, async_handler_1.default)(async (req, _res, ne
     return next();
 }), respond_1.respond);
 router.post('/me/tfa/disable', (0, async_handler_1.default)(async (req, _res, next) => {
-    var _a, _b;
-    if (!((_a = req.accountability) === null || _a === void 0 ? void 0 : _a.user)) {
+    if (!req.accountability?.user) {
         throw new exceptions_1.InvalidCredentialsException();
     }
     if (!req.body.otp) {
@@ -313,7 +310,7 @@ router.post('/me/tfa/disable', (0, async_handler_1.default)(async (req, _res, ne
         });
         const role = (await rolesService.readOne(req.accountability.role));
         if (role && role.enforce_tfa) {
-            const existingPermission = await ((_b = req.accountability.permissions) === null || _b === void 0 ? void 0 : _b.find((p) => p.collection === 'directus_users' && p.action === 'update'));
+            const existingPermission = await req.accountability.permissions?.find((p) => p.collection === 'directus_users' && p.action === 'update');
             if (existingPermission) {
                 existingPermission.fields = ['tfa_secret'];
                 existingPermission.permissions = { id: { _eq: req.accountability.user } };
@@ -345,8 +342,7 @@ router.post('/me/tfa/disable', (0, async_handler_1.default)(async (req, _res, ne
     return next();
 }), respond_1.respond);
 router.post('/:pk/tfa/disable', (0, async_handler_1.default)(async (req, _res, next) => {
-    var _a;
-    if (!((_a = req.accountability) === null || _a === void 0 ? void 0 : _a.user)) {
+    if (!req.accountability?.user) {
         throw new exceptions_1.InvalidCredentialsException();
     }
     if (!req.accountability.admin || !req.params.pk) {

package/dist/controllers/utils.js

@@ -17,27 +17,24 @@ const generate_hash_1 = require("../utils/generate-hash");
 const sanitize_query_1 = require("../utils/sanitize-query");
 const router = (0, express_1.Router)();
 router.get('/random/string', (0, async_handler_1.default)(async (req, res) => {
-    var _a;
     const { nanoid } = await import('nanoid');
     if (req.query && req.query.length && Number(req.query.length) > 500)
         throw new exceptions_1.InvalidQueryException(`"length" can't be more than 500 characters`);
-    const string = nanoid(((_a = req.query) === null || _a === void 0 ? void 0 : _a.length) ? Number(req.query.length) : 32);
+    const string = nanoid(req.query?.length ? Number(req.query.length) : 32);
     return res.json({ data: string });
 }));
 router.post('/hash/generate', (0, async_handler_1.default)(async (req, res) => {
-    var _a;
-    if (!((_a = req.body) === null || _a === void 0 ? void 0 : _a.string)) {
+    if (!req.body?.string) {
         throw new exceptions_1.InvalidPayloadException(`"string" is required`);
     }
     const hash = await (0, generate_hash_1.generateHash)(req.body.string);
     return res.json({ data: hash });
 }));
 router.post('/hash/verify', (0, async_handler_1.default)(async (req, res) => {
-    var _a, _b;
-    if (!((_a = req.body) === null || _a === void 0 ? void 0 : _a.string)) {
+    if (!req.body?.string) {
         throw new exceptions_1.InvalidPayloadException(`"string" is required`);
     }
-    if (!((_b = req.body) === null || _b === void 0 ? void 0 : _b.hash)) {
+    if (!req.body?.hash) {
         throw new exceptions_1.InvalidPayloadException(`"hash" is required`);
     }
     const result = await argon2_1.default.verify(req.body.hash, req.body.string);
@@ -97,7 +94,6 @@ router.post('/import/:collection', collection_exists_1.default, (0, async_handle
     req.pipe(busboy);
 }));
 router.post('/export/:collection', collection_exists_1.default, (0, async_handler_1.default)(async (req, res, next) => {
-    var _a;
     if (!req.body.query) {
         throw new exceptions_1.InvalidPayloadException(`"query" is required.`);
     }
@@ -108,7 +104,7 @@ router.post('/export/:collection', collection_exists_1.default, (0, async_handle
         accountability: req.accountability,
         schema: req.schema,
     });
-    const sanitizedQuery = (0, sanitize_query_1.sanitizeQuery)(req.body.query, (_a = req.accountability) !== null && _a !== void 0 ? _a : null);
+    const sanitizedQuery = (0, sanitize_query_1.sanitizeQuery)(req.body.query, req.accountability ?? null);
     // We're not awaiting this, as it's supposed to run async in the background
     service.exportToFile(req.params.collection, sanitizedQuery, req.body.format, {
         file: req.body.file,
@@ -116,8 +112,7 @@ router.post('/export/:collection', collection_exists_1.default, (0, async_handle
     return next();
 }), respond_1.respond);
 router.post('/cache/clear', (0, async_handler_1.default)(async (req, res) => {
-    var _a;
-    if (((_a = req.accountability) === null || _a === void 0 ? void 0 : _a.admin) !== true) {
+    if (req.accountability?.admin !== true) {
         throw new exceptions_1.ForbiddenException();
     }
     await (0, cache_1.flushCaches)(true);

package/dist/controllers/webhooks.js

@@ -10,6 +10,7 @@ const use_collection_1 = __importDefault(require("../middleware/use-collection")
 const validate_batch_1 = require("../middleware/validate-batch");
 const services_1 = require("../services");
 const async_handler_1 = __importDefault(require("../utils/async-handler"));
+const sanitize_query_1 = require("../utils/sanitize-query");
 const router = express_1.default.Router();
 router.use((0, use_collection_1.default)('directus_webhooks'));
 router.post('/', (0, async_handler_1.default)(async (req, res, next) => {
@@ -79,7 +80,8 @@ router.patch('/', (0, validate_batch_1.validateBatch)('update'), (0, async_handl
         keys = await service.updateMany(req.body.keys, req.body.data);
     }
     else {
-        keys = await service.updateByQuery(req.body.query, req.body.data);
+        const sanitizedQuery = (0, sanitize_query_1.sanitizeQuery)(req.body.query, req.accountability);
+        keys = await service.updateByQuery(sanitizedQuery, req.body.data);
     }
     try {
         const result = await service.readMany(keys, req.sanitizedQuery);
@@ -123,7 +125,8 @@ router.delete('/', (0, async_handler_1.default)(async (req, res, next) => {
         await service.deleteMany(req.body.keys);
     }
     else {
-        await service.deleteByQuery(req.body.query);
+        const sanitizedQuery = (0, sanitize_query_1.sanitizeQuery)(req.body.query, req.accountability);
+        await service.deleteByQuery(sanitizedQuery);
     }
     return next();
 }), respond_1.respond);

package/dist/database/helpers/fn/dialects/mssql.d.ts

@@ -1,5 +1,5 @@
+import type { Knex } from 'knex';
 import { FnHelper, FnHelperOptions } from '../types';
-import { Knex } from 'knex';
 export declare class FnHelperMSSQL extends FnHelper {
     year(table: string, column: string, options: FnHelperOptions): Knex.Raw;
     month(table: string, column: string, options: FnHelperOptions): Knex.Raw;

package/dist/database/helpers/fn/dialects/mssql.js

@@ -10,33 +10,32 @@ const parseLocaltime = (columnType) => {
 };
 class FnHelperMSSQL extends types_1.FnHelper {
     year(table, column, options) {
-        return this.knex.raw(`DATEPART(year, ??.??${parseLocaltime(options === null || options === void 0 ? void 0 : options.type)})`, [table, column]);
+        return this.knex.raw(`DATEPART(year, ??.??${parseLocaltime(options?.type)})`, [table, column]);
     }
     month(table, column, options) {
-        return this.knex.raw(`DATEPART(month, ??.??${parseLocaltime(options === null || options === void 0 ? void 0 : options.type)})`, [table, column]);
+        return this.knex.raw(`DATEPART(month, ??.??${parseLocaltime(options?.type)})`, [table, column]);
     }
     week(table, column, options) {
-        return this.knex.raw(`DATEPART(week, ??.??${parseLocaltime(options === null || options === void 0 ? void 0 : options.type)})`, [table, column]);
+        return this.knex.raw(`DATEPART(week, ??.??${parseLocaltime(options?.type)})`, [table, column]);
     }
     day(table, column, options) {
-        return this.knex.raw(`DATEPART(day, ??.??${parseLocaltime(options === null || options === void 0 ? void 0 : options.type)})`, [table, column]);
+        return this.knex.raw(`DATEPART(day, ??.??${parseLocaltime(options?.type)})`, [table, column]);
     }
     weekday(table, column, options) {
-        return this.knex.raw(`DATEPART(weekday, ??.??${parseLocaltime(options === null || options === void 0 ? void 0 : options.type)})`, [table, column]);
+        return this.knex.raw(`DATEPART(weekday, ??.??${parseLocaltime(options?.type)})`, [table, column]);
     }
     hour(table, column, options) {
-        return this.knex.raw(`DATEPART(hour, ??.??${parseLocaltime(options === null || options === void 0 ? void 0 : options.type)})`, [table, column]);
+        return this.knex.raw(`DATEPART(hour, ??.??${parseLocaltime(options?.type)})`, [table, column]);
     }
     minute(table, column, options) {
-        return this.knex.raw(`DATEPART(minute, ??.??${parseLocaltime(options === null || options === void 0 ? void 0 : options.type)})`, [table, column]);
+        return this.knex.raw(`DATEPART(minute, ??.??${parseLocaltime(options?.type)})`, [table, column]);
     }
     second(table, column, options) {
-        return this.knex.raw(`DATEPART(second, ??.??${parseLocaltime(options === null || options === void 0 ? void 0 : options.type)})`, [table, column]);
+        return this.knex.raw(`DATEPART(second, ??.??${parseLocaltime(options?.type)})`, [table, column]);
     }
     count(table, column, options) {
-        var _a, _b, _c, _d, _e;
-        const collectionName = (options === null || options === void 0 ? void 0 : options.originalCollectionName) || table;
-        const type = (_e = (_d = (_c = (_b = (_a = this.schema.collections) === null || _a === void 0 ? void 0 : _a[collectionName]) === null || _b === void 0 ? void 0 : _b.fields) === null || _c === void 0 ? void 0 : _c[column]) === null || _d === void 0 ? void 0 : _d.type) !== null && _e !== void 0 ? _e : 'unknown';
+        const collectionName = options?.originalCollectionName || table;
+        const type = this.schema.collections?.[collectionName]?.fields?.[column]?.type ?? 'unknown';
         if (type === 'json') {
             return this.knex.raw(`(SELECT COUNT(*) FROM OPENJSON(??.??, '$'))`, [table, column]);
         }

package/dist/database/helpers/fn/dialects/mysql.d.ts

@@ -1,5 +1,5 @@
+import type { Knex } from 'knex';
 import { FnHelper, FnHelperOptions } from '../types';
-import { Knex } from 'knex';
 export declare class FnHelperMySQL extends FnHelper {
     year(table: string, column: string): Knex.Raw;
     month(table: string, column: string): Knex.Raw;

package/dist/database/helpers/fn/dialects/mysql.js

@@ -28,9 +28,8 @@ class FnHelperMySQL extends types_1.FnHelper {
         return this.knex.raw('SECOND(??.??)', [table, column]);
     }
     count(table, column, options) {
-        var _a, _b, _c, _d, _e;
-        const collectionName = (options === null || options === void 0 ? void 0 : options.originalCollectionName) || table;
-        const type = (_e = (_d = (_c = (_b = (_a = this.schema.collections) === null || _a === void 0 ? void 0 : _a[collectionName]) === null || _b === void 0 ? void 0 : _b.fields) === null || _c === void 0 ? void 0 : _c[column]) === null || _d === void 0 ? void 0 : _d.type) !== null && _e !== void 0 ? _e : 'unknown';
+        const collectionName = options?.originalCollectionName || table;
+        const type = this.schema.collections?.[collectionName]?.fields?.[column]?.type ?? 'unknown';
         if (type === 'json') {
             return this.knex.raw('JSON_LENGTH(??.??)', [table, column]);
         }