directus 9.23.1 → 9.23.4

package/dist/controllers/auth.js

@@ -4,17 +4,16 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 const express_1 = require("express");
+const drivers_1 = require("../auth/drivers");
+const constants_1 = require("../constants");
 const env_1 = __importDefault(require("../env"));
 const exceptions_1 = require("../exceptions");
+const logger_1 = __importDefault(require("../logger"));
 const respond_1 = require("../middleware/respond");
 const services_1 = require("../services");
 const async_handler_1 = __importDefault(require("../utils/async-handler"));
 const get_auth_providers_1 = require("../utils/get-auth-providers");
-const logger_1 = __importDefault(require("../logger"));
-const drivers_1 = require("../auth/drivers");
-const constants_1 = require("../constants");
 const get_ip_from_req_1 = require("../utils/get-ip-from-req");
-const constants_2 = require("../constants");
 const router = (0, express_1.Router)();
 const authProviders = (0, get_auth_providers_1.getAuthProviders)();
 for (const authProvider of authProviders) {
@@ -42,21 +41,25 @@ for (const authProvider of authProviders) {
     }
     router.use(`/login/${authProvider.name}`, authRouter);
 }
-if (!env_1.default.AUTH_DISABLE_DEFAULT) {
+if (!env_1.default['AUTH_DISABLE_DEFAULT']) {
     router.use('/login', (0, drivers_1.createLocalAuthRouter)(constants_1.DEFAULT_AUTH_PROVIDER));
 }
 router.post('/refresh', (0, async_handler_1.default)(async (req, res, next) => {
     const accountability = {
         ip: (0, get_ip_from_req_1.getIPFromReq)(req),
-        userAgent: req.get('user-agent'),
-        origin: req.get('origin'),
         role: null,
     };
+    const userAgent = req.get('user-agent');
+    if (userAgent)
+        accountability.userAgent = userAgent;
+    const origin = req.get('origin');
+    if (origin)
+        accountability.origin = origin;
     const authenticationService = new services_1.AuthenticationService({
         accountability: accountability,
         schema: req.schema,
     });
-    const currentRefreshToken = req.body.refresh_token || req.cookies[env_1.default.REFRESH_TOKEN_COOKIE_NAME];
+    const currentRefreshToken = req.body.refresh_token || req.cookies[env_1.default['REFRESH_TOKEN_COOKIE_NAME']];
     if (!currentRefreshToken) {
         throw new exceptions_1.InvalidPayloadException(`"refresh_token" is required in either the JSON payload or Cookie`);
     }
@@ -66,37 +69,40 @@ router.post('/refresh', (0, async_handler_1.default)(async (req, res, next) => {
         data: { access_token: accessToken, expires },
     };
     if (mode === 'json') {
-        payload.data.refresh_token = refreshToken;
+        payload['data']['refresh_token'] = refreshToken;
     }
     if (mode === 'cookie') {
-        res.cookie(env_1.default.REFRESH_TOKEN_COOKIE_NAME, refreshToken, constants_2.COOKIE_OPTIONS);
+        res.cookie(env_1.default['REFRESH_TOKEN_COOKIE_NAME'], refreshToken, constants_1.COOKIE_OPTIONS);
     }
-    res.locals.payload = payload;
+    res.locals['payload'] = payload;
     return next();
 }), respond_1.respond);
 router.post('/logout', (0, async_handler_1.default)(async (req, res, next) => {
-    var _a;
     const accountability = {
         ip: (0, get_ip_from_req_1.getIPFromReq)(req),
-        userAgent: req.get('user-agent'),
-        origin: req.get('origin'),
         role: null,
     };
+    const userAgent = req.get('user-agent');
+    if (userAgent)
+        accountability.userAgent = userAgent;
+    const origin = req.get('origin');
+    if (origin)
+        accountability.origin = origin;
     const authenticationService = new services_1.AuthenticationService({
         accountability: accountability,
         schema: req.schema,
     });
-    const currentRefreshToken = req.body.refresh_token || req.cookies[env_1.default.REFRESH_TOKEN_COOKIE_NAME];
+    const currentRefreshToken = req.body.refresh_token || req.cookies[env_1.default['REFRESH_TOKEN_COOKIE_NAME']];
     if (!currentRefreshToken) {
         throw new exceptions_1.InvalidPayloadException(`"refresh_token" is required in either the JSON payload or Cookie`);
     }
     await authenticationService.logout(currentRefreshToken);
-    if (req.cookies[env_1.default.REFRESH_TOKEN_COOKIE_NAME]) {
-        res.clearCookie(env_1.default.REFRESH_TOKEN_COOKIE_NAME, {
+    if (req.cookies[env_1.default['REFRESH_TOKEN_COOKIE_NAME']]) {
+        res.clearCookie(env_1.default['REFRESH_TOKEN_COOKIE_NAME'], {
             httpOnly: true,
-            domain: env_1.default.REFRESH_TOKEN_COOKIE_DOMAIN,
-            secure: (_a = env_1.default.REFRESH_TOKEN_COOKIE_SECURE) !== null && _a !== void 0 ? _a : false,
-            sameSite: env_1.default.REFRESH_TOKEN_COOKIE_SAME_SITE || 'strict',
+            domain: env_1.default['REFRESH_TOKEN_COOKIE_DOMAIN'],
+            secure: env_1.default['REFRESH_TOKEN_COOKIE_SECURE'] ?? false,
+            sameSite: env_1.default['REFRESH_TOKEN_COOKIE_SAME_SITE'] || 'strict',
         });
     }
     return next();
@@ -107,10 +113,14 @@ router.post('/password/request', (0, async_handler_1.default)(async (req, res, n
     }
     const accountability = {
         ip: (0, get_ip_from_req_1.getIPFromReq)(req),
-        userAgent: req.get('user-agent'),
-        origin: req.get('origin'),
         role: null,
     };
+    const userAgent = req.get('user-agent');
+    if (userAgent)
+        accountability.userAgent = userAgent;
+    const origin = req.get('origin');
+    if (origin)
+        accountability.origin = origin;
     const service = new services_1.UsersService({ accountability, schema: req.schema });
     try {
         await service.requestPasswordReset(req.body.email, req.body.reset_url || null);
@@ -135,18 +145,22 @@ router.post('/password/reset', (0, async_handler_1.default)(async (req, res, nex
     }
     const accountability = {
         ip: (0, get_ip_from_req_1.getIPFromReq)(req),
-        userAgent: req.get('user-agent'),
-        origin: req.get('origin'),
         role: null,
     };
+    const userAgent = req.get('user-agent');
+    if (userAgent)
+        accountability.userAgent = userAgent;
+    const origin = req.get('origin');
+    if (origin)
+        accountability.origin = origin;
     const service = new services_1.UsersService({ accountability, schema: req.schema });
     await service.resetPassword(req.body.token, req.body.password);
     return next();
 }), respond_1.respond);
 router.get('/', (0, async_handler_1.default)(async (req, res, next) => {
-    res.locals.payload = {
+    res.locals['payload'] = {
         data: (0, get_auth_providers_1.getAuthProviders)(),
-        disableDefault: env_1.default.AUTH_DISABLE_DEFAULT,
+        disableDefault: env_1.default['AUTH_DISABLE_DEFAULT'],
     };
     return next();
 }), respond_1.respond);

package/dist/controllers/collections.js

@@ -18,12 +18,12 @@ router.post('/', (0, async_handler_1.default)(async (req, res, next) => {
     if (Array.isArray(req.body)) {
         const collectionKey = await collectionsService.createMany(req.body);
         const records = await collectionsService.readMany(collectionKey);
-        res.locals.payload = { data: records || null };
+        res.locals['payload'] = { data: records || null };
     }
     else {
         const collectionKey = await collectionsService.createOne(req.body);
         const record = await collectionsService.readOne(collectionKey);
-        res.locals.payload = { data: record || null };
+        res.locals['payload'] = { data: record || null };
     }
     return next();
 }), respond_1.respond);
@@ -44,7 +44,7 @@ const readHandler = (0, async_handler_1.default)(async (req, res, next) => {
         result = await collectionsService.readByQuery();
     }
     const meta = await metaService.getMetaForQuery('directus_collections', {});
-    res.locals.payload = { data: result, meta };
+    res.locals['payload'] = { data: result, meta };
     return next();
 });
 router.get('/', (0, validate_batch_1.validateBatch)('read'), readHandler, respond_1.respond);
@@ -54,8 +54,8 @@ router.get('/:collection', (0, async_handler_1.default)(async (req, res, next) =
         accountability: req.accountability,
         schema: req.schema,
     });
-    const collection = await collectionsService.readOne(req.params.collection);
-    res.locals.payload = { data: collection || null };
+    const collection = await collectionsService.readOne(req.params['collection']);
+    res.locals['payload'] = { data: collection || null };
     return next();
 }), respond_1.respond);
 router.patch('/', (0, async_handler_1.default)(async (req, res, next) => {
@@ -66,7 +66,7 @@ router.patch('/', (0, async_handler_1.default)(async (req, res, next) => {
     const collectionKeys = await collectionsService.updateBatch(req.body);
     try {
         const collections = await collectionsService.readMany(collectionKeys);
-        res.locals.payload = { data: collections || null };
+        res.locals['payload'] = { data: collections || null };
     }
     catch (error) {
         if (error instanceof exceptions_1.ForbiddenException) {
@@ -81,10 +81,10 @@ router.patch('/:collection', (0, async_handler_1.default)(async (req, res, next)
         accountability: req.accountability,
         schema: req.schema,
     });
-    await collectionsService.updateOne(req.params.collection, req.body);
+    await collectionsService.updateOne(req.params['collection'], req.body);
     try {
-        const collection = await collectionsService.readOne(req.params.collection);
-        res.locals.payload = { data: collection || null };
+        const collection = await collectionsService.readOne(req.params['collection']);
+        res.locals['payload'] = { data: collection || null };
     }
     catch (error) {
         if (error instanceof exceptions_1.ForbiddenException) {
@@ -99,7 +99,7 @@ router.delete('/:collection', (0, async_handler_1.default)(async (req, res, next
         accountability: req.accountability,
         schema: req.schema,
     });
-    await collectionsService.deleteOne(req.params.collection);
+    await collectionsService.deleteOne(req.params['collection']);
     return next();
 }), respond_1.respond);
 exports.default = router;

package/dist/controllers/dashboards.js

@@ -10,6 +10,7 @@ const use_collection_1 = __importDefault(require("../middleware/use-collection")
 const validate_batch_1 = require("../middleware/validate-batch");
 const services_1 = require("../services");
 const async_handler_1 = __importDefault(require("../utils/async-handler"));
+const sanitize_query_1 = require("../utils/sanitize-query");
 const router = express_1.default.Router();
 router.use((0, use_collection_1.default)('directus_dashboards'));
 router.post('/', (0, async_handler_1.default)(async (req, res, next) => {
@@ -29,11 +30,11 @@ router.post('/', (0, async_handler_1.default)(async (req, res, next) => {
     try {
         if (Array.isArray(req.body)) {
             const items = await service.readMany(savedKeys, req.sanitizedQuery);
-            res.locals.payload = { data: items };
+            res.locals['payload'] = { data: items };
         }
         else {
             const item = await service.readOne(savedKeys[0], req.sanitizedQuery);
-            res.locals.payload = { data: item };
+            res.locals['payload'] = { data: item };
         }
     }
     catch (error) {
@@ -55,7 +56,7 @@ const readHandler = (0, async_handler_1.default)(async (req, res, next) => {
     });
     const records = await service.readByQuery(req.sanitizedQuery);
     const meta = await metaService.getMetaForQuery(req.collection, req.sanitizedQuery);
-    res.locals.payload = { data: records || null, meta };
+    res.locals['payload'] = { data: records || null, meta };
     return next();
 });
 router.get('/', (0, validate_batch_1.validateBatch)('read'), readHandler, respond_1.respond);
@@ -65,8 +66,8 @@ router.get('/:pk', (0, async_handler_1.default)(async (req, res, next) => {
         accountability: req.accountability,
         schema: req.schema,
     });
-    const record = await service.readOne(req.params.pk, req.sanitizedQuery);
-    res.locals.payload = { data: record || null };
+    const record = await service.readOne(req.params['pk'], req.sanitizedQuery);
+    res.locals['payload'] = { data: record || null };
     return next();
 }), respond_1.respond);
 router.patch('/', (0, validate_batch_1.validateBatch)('update'), (0, async_handler_1.default)(async (req, res, next) => {
@@ -82,11 +83,12 @@ router.patch('/', (0, validate_batch_1.validateBatch)('update'), (0, async_handl
         keys = await service.updateMany(req.body.keys, req.body.data);
     }
     else {
-        keys = await service.updateByQuery(req.body.query, req.body.data);
+        const sanitizedQuery = (0, sanitize_query_1.sanitizeQuery)(req.body.query, req.accountability);
+        keys = await service.updateByQuery(sanitizedQuery, req.body.data);
     }
     try {
         const result = await service.readMany(keys, req.sanitizedQuery);
-        res.locals.payload = { data: result };
+        res.locals['payload'] = { data: result };
     }
     catch (error) {
         if (error instanceof exceptions_1.ForbiddenException) {
@@ -101,10 +103,10 @@ router.patch('/:pk', (0, async_handler_1.default)(async (req, res, next) => {
         accountability: req.accountability,
         schema: req.schema,
     });
-    const primaryKey = await service.updateOne(req.params.pk, req.body);
+    const primaryKey = await service.updateOne(req.params['pk'], req.body);
     try {
         const item = await service.readOne(primaryKey, req.sanitizedQuery);
-        res.locals.payload = { data: item || null };
+        res.locals['payload'] = { data: item || null };
     }
     catch (error) {
         if (error instanceof exceptions_1.ForbiddenException) {
@@ -126,7 +128,8 @@ router.delete('/', (0, async_handler_1.default)(async (req, res, next) => {
         await service.deleteMany(req.body.keys);
     }
     else {
-        await service.deleteByQuery(req.body.query);
+        const sanitizedQuery = (0, sanitize_query_1.sanitizeQuery)(req.body.query, req.accountability);
+        await service.deleteByQuery(sanitizedQuery);
     }
     return next();
 }), respond_1.respond);
@@ -135,7 +138,7 @@ router.delete('/:pk', (0, async_handler_1.default)(async (req, res, next) => {
         accountability: req.accountability,
         schema: req.schema,
     });
-    await service.deleteOne(req.params.pk);
+    await service.deleteOne(req.params['pk']);
     return next();
 }), respond_1.respond);
 exports.default = router;

package/dist/controllers/extensions.js

@@ -15,13 +15,13 @@ const get_cache_headers_1 = require("../utils/get-cache-headers");
 const get_milliseconds_1 = require("../utils/get-milliseconds");
 const router = (0, express_1.Router)();
 router.get('/:type', (0, async_handler_1.default)(async (req, res, next) => {
-    const type = (0, utils_1.depluralize)(req.params.type);
+    const type = (0, utils_1.depluralize)(req.params['type']);
     if (!(0, utils_1.isIn)(type, constants_1.EXTENSION_TYPES)) {
         throw new exceptions_1.RouteNotFoundException(req.path);
     }
     const extensionManager = (0, extensions_1.getExtensionManager)();
     const extensions = extensionManager.getExtensionsList(type);
-    res.locals.payload = {
+    res.locals['payload'] = {
         data: extensions,
     };
     return next();
@@ -33,7 +33,7 @@ router.get('/sources/index.js', (0, async_handler_1.default)(async (req, res) =>
         throw new exceptions_1.RouteNotFoundException(req.path);
     }
     res.setHeader('Content-Type', 'application/javascript; charset=UTF-8');
-    res.setHeader('Cache-Control', (0, get_cache_headers_1.getCacheControlHeader)(req, (0, get_milliseconds_1.getMilliseconds)(env_1.default.EXTENSIONS_CACHE_TTL), false, false));
+    res.setHeader('Cache-Control', (0, get_cache_headers_1.getCacheControlHeader)(req, (0, get_milliseconds_1.getMilliseconds)(env_1.default['EXTENSIONS_CACHE_TTL']), false, false));
     res.setHeader('Vary', 'Origin, Cache-Control');
     res.end(extensionSource);
 }));

package/dist/controllers/fields.js

@@ -3,15 +3,15 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
+const constants_1 = require("@directus/shared/constants");
 const express_1 = require("express");
 const joi_1 = __importDefault(require("joi"));
-const constants_1 = require("../constants");
+const constants_2 = require("../constants");
 const exceptions_1 = require("../exceptions");
 const collection_exists_1 = __importDefault(require("../middleware/collection-exists"));
 const respond_1 = require("../middleware/respond");
 const use_collection_1 = __importDefault(require("../middleware/use-collection"));
 const fields_1 = require("../services/fields");
-const constants_2 = require("@directus/shared/constants");
 const async_handler_1 = __importDefault(require("../utils/async-handler"));
 const router = (0, express_1.Router)();
 router.use((0, use_collection_1.default)('directus_fields'));
@@ -21,7 +21,7 @@ router.get('/', (0, async_handler_1.default)(async (req, res, next) => {
         schema: req.schema,
     });
     const fields = await service.readAll();
-    res.locals.payload = { data: fields || null };
+    res.locals['payload'] = { data: fields || null };
     return next();
 }), respond_1.respond);
 router.get('/:collection', collection_exists_1.default, (0, async_handler_1.default)(async (req, res, next) => {
@@ -29,8 +29,8 @@ router.get('/:collection', collection_exists_1.default, (0, async_handler_1.defa
         accountability: req.accountability,
         schema: req.schema,
     });
-    const fields = await service.readAll(req.params.collection);
-    res.locals.payload = { data: fields || null };
+    const fields = await service.readAll(req.params['collection']);
+    res.locals['payload'] = { data: fields || null };
     return next();
 }), respond_1.respond);
 router.get('/:collection/:field', collection_exists_1.default, (0, async_handler_1.default)(async (req, res, next) => {
@@ -38,15 +38,15 @@ router.get('/:collection/:field', collection_exists_1.default, (0, async_handler
         accountability: req.accountability,
         schema: req.schema,
     });
-    const field = await service.readOne(req.params.collection, req.params.field);
-    res.locals.payload = { data: field || null };
+    const field = await service.readOne(req.params['collection'], req.params['field']);
+    res.locals['payload'] = { data: field || null };
     return next();
 }), respond_1.respond);
 const newFieldSchema = joi_1.default.object({
     collection: joi_1.default.string().optional(),
     field: joi_1.default.string().required(),
     type: joi_1.default.string()
-        .valid(...constants_2.TYPES, ...constants_1.ALIAS_TYPES)
+        .valid(...constants_1.TYPES, ...constants_2.ALIAS_TYPES)
         .allow(null)
         .optional(),
     schema: joi_1.default.object({
@@ -68,10 +68,10 @@ router.post('/:collection', collection_exists_1.default, (0, async_handler_1.def
         throw new exceptions_1.InvalidPayloadException(error.message);
     }
     const field = req.body;
-    await service.createField(req.params.collection, field);
+    await service.createField(req.params['collection'], field);
     try {
-        const createdField = await service.readOne(req.params.collection, field.field);
-        res.locals.payload = { data: createdField || null };
+        const createdField = await service.readOne(req.params['collection'], field.field);
+        res.locals['payload'] = { data: createdField || null };
     }
     catch (error) {
         if (error instanceof exceptions_1.ForbiddenException) {
@@ -90,14 +90,14 @@ router.patch('/:collection', collection_exists_1.default, (0, async_handler_1.de
         throw new exceptions_1.InvalidPayloadException('Submitted body has to be an array.');
     }
     for (const field of req.body) {
-        await service.updateField(req.params.collection, field);
+        await service.updateField(req.params['collection'], field);
     }
     try {
         const results = [];
         for (const field of req.body) {
-            const updatedField = await service.readOne(req.params.collection, field.field);
+            const updatedField = await service.readOne(req.params['collection'], field.field);
             results.push(updatedField);
-            res.locals.payload = { data: results || null };
+            res.locals['payload'] = { data: results || null };
         }
     }
     catch (error) {
@@ -110,7 +110,7 @@ router.patch('/:collection', collection_exists_1.default, (0, async_handler_1.de
 }), respond_1.respond);
 const updateSchema = joi_1.default.object({
     type: joi_1.default.string()
-        .valid(...constants_2.TYPES, ...constants_1.ALIAS_TYPES)
+        .valid(...constants_1.TYPES, ...constants_2.ALIAS_TYPES)
         .allow(null),
     schema: joi_1.default.object({
         default_value: joi_1.default.any(),
@@ -135,11 +135,11 @@ router.patch('/:collection/:field', collection_exists_1.default, (0, async_handl
     }
     const fieldData = req.body;
     if (!fieldData.field)
-        fieldData.field = req.params.field;
-    await service.updateField(req.params.collection, fieldData);
+        fieldData.field = req.params['field'];
+    await service.updateField(req.params['collection'], fieldData);
     try {
-        const updatedField = await service.readOne(req.params.collection, req.params.field);
-        res.locals.payload = { data: updatedField || null };
+        const updatedField = await service.readOne(req.params['collection'], req.params['field']);
+        res.locals['payload'] = { data: updatedField || null };
     }
     catch (error) {
         if (error instanceof exceptions_1.ForbiddenException) {
@@ -154,7 +154,7 @@ router.delete('/:collection/:field', collection_exists_1.default, (0, async_hand
         accountability: req.accountability,
         schema: req.schema,
     });
-    await service.deleteField(req.params.collection, req.params.field);
+    await service.deleteField(req.params['collection'], req.params['field']);
     return next();
 }), respond_1.respond);
 exports.default = router;

package/dist/controllers/files.js

@@ -18,6 +18,7 @@ const services_1 = require("../services");
 const async_handler_1 = __importDefault(require("../utils/async-handler"));
 // @ts-ignore
 const format_title_1 = __importDefault(require("@directus/format-title"));
+const sanitize_query_1 = require("../utils/sanitize-query");
 const router = express_1.default.Router();
 router.use((0, use_collection_1.default)('directus_files'));
 const multipartHandler = (req, res, next) => {
@@ -36,13 +37,13 @@ const multipartHandler = (req, res, next) => {
     const busboy = (0, busboy_1.default)({ headers, defParamCharset: 'utf8' });
     const savedFiles = [];
     const service = new services_1.FilesService({ accountability: req.accountability, schema: req.schema });
-    const existingPrimaryKey = req.params.pk || undefined;
+    const existingPrimaryKey = req.params['pk'] || undefined;
     /**
      * The order of the fields in multipart/form-data is important. We require that all fields
      * are provided _before_ the files. This allows us to set the storage location, and create
      * the row in directus_files async during the upload of the actual file.
      */
-    let disk = (0, utils_1.toArray)(env_1.default.STORAGE_LOCATIONS)[0];
+    let disk = (0, utils_1.toArray)(env_1.default['STORAGE_LOCATIONS'])[0];
     let payload = {};
     let fileCount = 0;
     busboy.on('field', (fieldname, val) => {
@@ -63,12 +64,14 @@ const multipartHandler = (req, res, next) => {
             return busboy.emit('error', new exceptions_1.InvalidPayloadException(`File is missing filename`));
         }
         fileCount++;
-        if (!payload.title) {
-            payload.title = (0, format_title_1.default)(path_1.default.parse(filename).name);
+        if (!existingPrimaryKey) {
+            if (!payload.title) {
+                payload.title = (0, format_title_1.default)(path_1.default.parse(filename).name);
+            }
+            payload.filename_download = filename;
         }
         const payloadWithRequiredFields = {
             ...payload,
-            filename_download: filename,
             type: mimeType,
             storage: payload.storage || disk,
         };
@@ -82,6 +85,7 @@ const multipartHandler = (req, res, next) => {
         catch (error) {
             busboy.emit('error', error);
         }
+        return undefined;
     });
     busboy.on('error', (error) => {
         next(error);
@@ -95,7 +99,7 @@ const multipartHandler = (req, res, next) => {
             if (fileCount === 0) {
                 return next(new exceptions_1.InvalidPayloadException(`No files were included in the body`));
             }
-            res.locals.savedFiles = savedFiles;
+            res.locals['savedFiles'] = savedFiles;
             return next();
         }
     }
@@ -108,7 +112,7 @@ router.post('/', (0, async_handler_1.default)(exports.multipartHandler), (0, asy
     });
     let keys = [];
     if (req.is('multipart/form-data')) {
-        keys = res.locals.savedFiles;
+        keys = res.locals['savedFiles'];
     }
     else {
         keys = await service.createOne(req.body);
@@ -116,14 +120,14 @@ router.post('/', (0, async_handler_1.default)(exports.multipartHandler), (0, asy
     try {
         if (Array.isArray(keys) && keys.length > 1) {
             const records = await service.readMany(keys, req.sanitizedQuery);
-            res.locals.payload = {
+            res.locals['payload'] = {
                 data: records,
             };
         }
         else {
             const key = Array.isArray(keys) ? keys[0] : keys;
             const record = await service.readOne(key, req.sanitizedQuery);
-            res.locals.payload = {
+            res.locals['payload'] = {
                 data: record,
             };
         }
@@ -152,7 +156,7 @@ router.post('/import', (0, async_handler_1.default)(async (req, res, next) => {
     const primaryKey = await service.importOne(req.body.url, req.body.data);
     try {
         const record = await service.readOne(primaryKey, req.sanitizedQuery);
-        res.locals.payload = { data: record || null };
+        res.locals['payload'] = { data: record || null };
     }
     catch (error) {
         if (error instanceof exceptions_1.ForbiddenException) {
@@ -182,7 +186,7 @@ const readHandler = (0, async_handler_1.default)(async (req, res, next) => {
         result = await service.readByQuery(req.sanitizedQuery);
     }
     const meta = await metaService.getMetaForQuery('directus_files', req.sanitizedQuery);
-    res.locals.payload = { data: result, meta };
+    res.locals['payload'] = { data: result, meta };
     return next();
 });
 router.get('/', (0, validate_batch_1.validateBatch)('read'), readHandler, respond_1.respond);
@@ -192,8 +196,8 @@ router.get('/:pk', (0, async_handler_1.default)(async (req, res, next) => {
         accountability: req.accountability,
         schema: req.schema,
     });
-    const record = await service.readOne(req.params.pk, req.sanitizedQuery);
-    res.locals.payload = { data: record || null };
+    const record = await service.readOne(req.params['pk'], req.sanitizedQuery);
+    res.locals['payload'] = { data: record || null };
     return next();
 }), respond_1.respond);
 router.patch('/', (0, validate_batch_1.validateBatch)('update'), (0, async_handler_1.default)(async (req, res, next) => {
@@ -209,11 +213,12 @@ router.patch('/', (0, validate_batch_1.validateBatch)('update'), (0, async_handl
         keys = await service.updateMany(req.body.keys, req.body.data);
     }
     else {
-        keys = await service.updateByQuery(req.body.query, req.body.data);
+        const sanitizedQuery = (0, sanitize_query_1.sanitizeQuery)(req.body.query, req.accountability);
+        keys = await service.updateByQuery(sanitizedQuery, req.body.data);
     }
     try {
         const result = await service.readMany(keys, req.sanitizedQuery);
-        res.locals.payload = { data: result || null };
+        res.locals['payload'] = { data: result || null };
     }
     catch (error) {
         if (error instanceof exceptions_1.ForbiddenException) {
@@ -228,10 +233,10 @@ router.patch('/:pk', (0, async_handler_1.default)(exports.multipartHandler), (0,
         accountability: req.accountability,
         schema: req.schema,
     });
-    await service.updateOne(req.params.pk, req.body);
+    await service.updateOne(req.params['pk'], req.body);
     try {
-        const record = await service.readOne(req.params.pk, req.sanitizedQuery);
-        res.locals.payload = { data: record || null };
+        const record = await service.readOne(req.params['pk'], req.sanitizedQuery);
+        res.locals['payload'] = { data: record || null };
     }
     catch (error) {
         if (error instanceof exceptions_1.ForbiddenException) {
@@ -253,7 +258,8 @@ router.delete('/', (0, validate_batch_1.validateBatch)('delete'), (0, async_hand
         await service.deleteMany(req.body.keys);
     }
     else {
-        await service.deleteByQuery(req.body.query);
+        const sanitizedQuery = (0, sanitize_query_1.sanitizeQuery)(req.body.query, req.accountability);
+        await service.deleteByQuery(sanitizedQuery);
     }
     return next();
 }), respond_1.respond);
@@ -262,7 +268,7 @@ router.delete('/:pk', (0, async_handler_1.default)(async (req, res, next) => {
         accountability: req.accountability,
         schema: req.schema,
     });
-    await service.deleteOne(req.params.pk);
+    await service.deleteOne(req.params['pk']);
     return next();
 }), respond_1.respond);
 exports.default = router;