directus 9.23.1 → 9.23.4

package/dist/controllers/permissions.js

@@ -10,6 +10,7 @@ const use_collection_1 = __importDefault(require("../middleware/use-collection")
 const validate_batch_1 = require("../middleware/validate-batch");
 const services_1 = require("../services");
 const async_handler_1 = __importDefault(require("../utils/async-handler"));
+const sanitize_query_1 = require("../utils/sanitize-query");
 const router = express_1.default.Router();
 router.use((0, use_collection_1.default)('directus_permissions'));
 router.post('/', (0, async_handler_1.default)(async (req, res, next) => {
@@ -29,11 +30,11 @@ router.post('/', (0, async_handler_1.default)(async (req, res, next) => {
     try {
         if (Array.isArray(req.body)) {
             const items = await service.readMany(savedKeys, req.sanitizedQuery);
-            res.locals.payload = { data: items };
+            res.locals['payload'] = { data: items };
         }
         else {
             const item = await service.readOne(savedKeys[0], req.sanitizedQuery);
-            res.locals.payload = { data: item };
+            res.locals['payload'] = { data: item };
         }
     }
     catch (error) {
@@ -64,7 +65,7 @@ const readHandler = (0, async_handler_1.default)(async (req, res, next) => {
         result = await service.readByQuery(req.sanitizedQuery);
     }
     const meta = await metaService.getMetaForQuery('directus_permissions', req.sanitizedQuery);
-    res.locals.payload = { data: result, meta };
+    res.locals['payload'] = { data: result, meta };
     return next();
 });
 router.get('/', (0, validate_batch_1.validateBatch)('read'), readHandler, respond_1.respond);
@@ -76,8 +77,8 @@ router.get('/:pk', (0, async_handler_1.default)(async (req, res, next) => {
         accountability: req.accountability,
         schema: req.schema,
     });
-    const record = await service.readOne(req.params.pk, req.sanitizedQuery);
-    res.locals.payload = { data: record };
+    const record = await service.readOne(req.params['pk'], req.sanitizedQuery);
+    res.locals['payload'] = { data: record };
     return next();
 }), respond_1.respond);
 router.patch('/', (0, validate_batch_1.validateBatch)('update'), (0, async_handler_1.default)(async (req, res, next) => {
@@ -93,11 +94,12 @@ router.patch('/', (0, validate_batch_1.validateBatch)('update'), (0, async_handl
         keys = await service.updateMany(req.body.keys, req.body.data);
     }
     else {
-        keys = await service.updateByQuery(req.body.query, req.body.data);
+        const sanitizedQuery = (0, sanitize_query_1.sanitizeQuery)(req.body.query, req.accountability);
+        keys = await service.updateByQuery(sanitizedQuery, req.body.data);
     }
     try {
         const result = await service.readMany(keys, req.sanitizedQuery);
-        res.locals.payload = { data: result };
+        res.locals['payload'] = { data: result };
     }
     catch (error) {
         if (error instanceof exceptions_1.ForbiddenException) {
@@ -112,10 +114,10 @@ router.patch('/:pk', (0, async_handler_1.default)(async (req, res, next) => {
         accountability: req.accountability,
         schema: req.schema,
     });
-    const primaryKey = await service.updateOne(req.params.pk, req.body);
+    const primaryKey = await service.updateOne(req.params['pk'], req.body);
     try {
         const item = await service.readOne(primaryKey, req.sanitizedQuery);
-        res.locals.payload = { data: item || null };
+        res.locals['payload'] = { data: item || null };
     }
     catch (error) {
         if (error instanceof exceptions_1.ForbiddenException) {
@@ -137,7 +139,8 @@ router.delete('/', (0, validate_batch_1.validateBatch)('delete'), (0, async_hand
         await service.deleteMany(req.body.keys);
     }
     else {
-        await service.deleteByQuery(req.body.query);
+        const sanitizedQuery = (0, sanitize_query_1.sanitizeQuery)(req.body.query, req.accountability);
+        await service.deleteByQuery(sanitizedQuery);
     }
     return next();
 }), respond_1.respond);
@@ -146,7 +149,7 @@ router.delete('/:pk', (0, async_handler_1.default)(async (req, res, next) => {
         accountability: req.accountability,
         schema: req.schema,
     });
-    await service.deleteOne(req.params.pk);
+    await service.deleteOne(req.params['pk']);
     return next();
 }), respond_1.respond);
 exports.default = router;

package/dist/controllers/presets.js

@@ -10,6 +10,7 @@ const use_collection_1 = __importDefault(require("../middleware/use-collection")
 const validate_batch_1 = require("../middleware/validate-batch");
 const services_1 = require("../services");
 const async_handler_1 = __importDefault(require("../utils/async-handler"));
+const sanitize_query_1 = require("../utils/sanitize-query");
 const router = express_1.default.Router();
 router.use((0, use_collection_1.default)('directus_presets'));
 router.post('/', (0, async_handler_1.default)(async (req, res, next) => {
@@ -29,11 +30,11 @@ router.post('/', (0, async_handler_1.default)(async (req, res, next) => {
     try {
         if (Array.isArray(req.body)) {
             const records = await service.readMany(savedKeys, req.sanitizedQuery);
-            res.locals.payload = { data: records };
+            res.locals['payload'] = { data: records };
         }
         else {
             const record = await service.readOne(savedKeys[0], req.sanitizedQuery);
-            res.locals.payload = { data: record };
+            res.locals['payload'] = { data: record };
         }
     }
     catch (error) {
@@ -64,7 +65,7 @@ const readHandler = (0, async_handler_1.default)(async (req, res, next) => {
         result = await service.readByQuery(req.sanitizedQuery);
     }
     const meta = await metaService.getMetaForQuery('directus_presets', req.sanitizedQuery);
-    res.locals.payload = { data: result, meta };
+    res.locals['payload'] = { data: result, meta };
     return next();
 });
 router.get('/', (0, validate_batch_1.validateBatch)('read'), readHandler, respond_1.respond);
@@ -74,8 +75,8 @@ router.get('/:pk', (0, async_handler_1.default)(async (req, res, next) => {
         accountability: req.accountability,
         schema: req.schema,
     });
-    const record = await service.readOne(req.params.pk, req.sanitizedQuery);
-    res.locals.payload = { data: record || null };
+    const record = await service.readOne(req.params['pk'], req.sanitizedQuery);
+    res.locals['payload'] = { data: record || null };
     return next();
 }), respond_1.respond);
 router.patch('/', (0, validate_batch_1.validateBatch)('update'), (0, async_handler_1.default)(async (req, res, next) => {
@@ -91,11 +92,12 @@ router.patch('/', (0, validate_batch_1.validateBatch)('update'), (0, async_handl
         keys = await service.updateMany(req.body.keys, req.body.data);
     }
     else {
-        keys = await service.updateByQuery(req.body.query, req.body.data);
+        const sanitizedQuery = (0, sanitize_query_1.sanitizeQuery)(req.body.query, req.accountability);
+        keys = await service.updateByQuery(sanitizedQuery, req.body.data);
     }
     try {
         const result = await service.readMany(keys, req.sanitizedQuery);
-        res.locals.payload = { data: result };
+        res.locals['payload'] = { data: result };
     }
     catch (error) {
         if (error instanceof exceptions_1.ForbiddenException) {
@@ -110,10 +112,10 @@ router.patch('/:pk', (0, async_handler_1.default)(async (req, res, next) => {
         accountability: req.accountability,
         schema: req.schema,
     });
-    const primaryKey = await service.updateOne(req.params.pk, req.body);
+    const primaryKey = await service.updateOne(req.params['pk'], req.body);
     try {
         const record = await service.readOne(primaryKey, req.sanitizedQuery);
-        res.locals.payload = { data: record };
+        res.locals['payload'] = { data: record };
     }
     catch (error) {
         if (error instanceof exceptions_1.ForbiddenException) {
@@ -135,7 +137,8 @@ router.delete('/', (0, validate_batch_1.validateBatch)('delete'), (0, async_hand
         await service.deleteMany(req.body.keys);
     }
     else {
-        await service.deleteByQuery(req.body.query);
+        const sanitizedQuery = (0, sanitize_query_1.sanitizeQuery)(req.body.query, req.accountability);
+        await service.deleteByQuery(sanitizedQuery);
     }
     return next();
 }), respond_1.respond);
@@ -144,7 +147,7 @@ router.delete('/:pk', (0, async_handler_1.default)(async (req, res, next) => {
         accountability: req.accountability,
         schema: req.schema,
     });
-    await service.deleteOne(req.params.pk);
+    await service.deleteOne(req.params['pk']);
     return next();
 }), respond_1.respond);
 exports.default = router;

package/dist/controllers/relations.js

@@ -19,7 +19,7 @@ router.get('/', (0, async_handler_1.default)(async (req, res, next) => {
         schema: req.schema,
     });
     const relations = await service.readAll();
-    res.locals.payload = { data: relations || null };
+    res.locals['payload'] = { data: relations || null };
     return next();
 }), respond_1.respond);
 router.get('/:collection', collection_exists_1.default, (0, async_handler_1.default)(async (req, res, next) => {
@@ -27,8 +27,8 @@ router.get('/:collection', collection_exists_1.default, (0, async_handler_1.defa
         accountability: req.accountability,
         schema: req.schema,
     });
-    const relations = await service.readAll(req.params.collection);
-    res.locals.payload = { data: relations || null };
+    const relations = await service.readAll(req.params['collection']);
+    res.locals['payload'] = { data: relations || null };
     return next();
 }), respond_1.respond);
 router.get('/:collection/:field', collection_exists_1.default, (0, async_handler_1.default)(async (req, res, next) => {
@@ -36,8 +36,8 @@ router.get('/:collection/:field', collection_exists_1.default, (0, async_handler
         accountability: req.accountability,
         schema: req.schema,
     });
-    const relation = await service.readOne(req.params.collection, req.params.field);
-    res.locals.payload = { data: relation || null };
+    const relation = await service.readOne(req.params['collection'], req.params['field']);
+    res.locals['payload'] = { data: relation || null };
     return next();
 }), respond_1.respond);
 const newRelationSchema = joi_1.default.object({
@@ -63,7 +63,7 @@ router.post('/', (0, async_handler_1.default)(async (req, res, next) => {
     await service.createOne(req.body);
     try {
         const createdRelation = await service.readOne(req.body.collection, req.body.field);
-        res.locals.payload = { data: createdRelation || null };
+        res.locals['payload'] = { data: createdRelation || null };
     }
     catch (error) {
         if (error instanceof exceptions_1.ForbiddenException) {
@@ -93,10 +93,10 @@ router.patch('/:collection/:field', collection_exists_1.default, (0, async_handl
     if (error) {
         throw new exceptions_1.InvalidPayloadException(error.message);
     }
-    await service.updateOne(req.params.collection, req.params.field, req.body);
+    await service.updateOne(req.params['collection'], req.params['field'], req.body);
     try {
-        const updatedField = await service.readOne(req.params.collection, req.params.field);
-        res.locals.payload = { data: updatedField || null };
+        const updatedField = await service.readOne(req.params['collection'], req.params['field']);
+        res.locals['payload'] = { data: updatedField || null };
     }
     catch (error) {
         if (error instanceof exceptions_1.ForbiddenException) {
@@ -111,7 +111,7 @@ router.delete('/:collection/:field', collection_exists_1.default, (0, async_hand
         accountability: req.accountability,
         schema: req.schema,
     });
-    await service.deleteOne(req.params.collection, req.params.field);
+    await service.deleteOne(req.params['collection'], req.params['field']);
     return next();
 }), respond_1.respond);
 exports.default = router;

package/dist/controllers/revisions.js

@@ -22,7 +22,7 @@ const readHandler = (0, async_handler_1.default)(async (req, res, next) => {
     });
     const records = await service.readByQuery(req.sanitizedQuery);
     const meta = await metaService.getMetaForQuery('directus_revisions', req.sanitizedQuery);
-    res.locals.payload = { data: records || null, meta };
+    res.locals['payload'] = { data: records || null, meta };
     return next();
 });
 router.get('/', (0, validate_batch_1.validateBatch)('read'), readHandler, respond_1.respond);
@@ -32,8 +32,8 @@ router.get('/:pk', (0, async_handler_1.default)(async (req, res, next) => {
         accountability: req.accountability,
         schema: req.schema,
     });
-    const record = await service.readOne(req.params.pk, req.sanitizedQuery);
-    res.locals.payload = { data: record || null };
+    const record = await service.readOne(req.params['pk'], req.sanitizedQuery);
+    res.locals['payload'] = { data: record || null };
     return next();
 }), respond_1.respond);
 exports.default = router;

package/dist/controllers/roles.js

@@ -10,6 +10,7 @@ const use_collection_1 = __importDefault(require("../middleware/use-collection")
 const validate_batch_1 = require("../middleware/validate-batch");
 const services_1 = require("../services");
 const async_handler_1 = __importDefault(require("../utils/async-handler"));
+const sanitize_query_1 = require("../utils/sanitize-query");
 const router = express_1.default.Router();
 router.use((0, use_collection_1.default)('directus_roles'));
 router.post('/', (0, async_handler_1.default)(async (req, res, next) => {
@@ -29,11 +30,11 @@ router.post('/', (0, async_handler_1.default)(async (req, res, next) => {
     try {
         if (Array.isArray(req.body)) {
             const items = await service.readMany(savedKeys, req.sanitizedQuery);
-            res.locals.payload = { data: items };
+            res.locals['payload'] = { data: items };
         }
         else {
             const item = await service.readOne(savedKeys[0], req.sanitizedQuery);
-            res.locals.payload = { data: item };
+            res.locals['payload'] = { data: item };
         }
     }
     catch (error) {
@@ -55,7 +56,7 @@ const readHandler = (0, async_handler_1.default)(async (req, res, next) => {
     });
     const records = await service.readByQuery(req.sanitizedQuery);
     const meta = await metaService.getMetaForQuery('directus_roles', req.sanitizedQuery);
-    res.locals.payload = { data: records || null, meta };
+    res.locals['payload'] = { data: records || null, meta };
     return next();
 });
 router.get('/', (0, validate_batch_1.validateBatch)('read'), readHandler, respond_1.respond);
@@ -65,8 +66,8 @@ router.get('/:pk', (0, async_handler_1.default)(async (req, res, next) => {
         accountability: req.accountability,
         schema: req.schema,
     });
-    const record = await service.readOne(req.params.pk, req.sanitizedQuery);
-    res.locals.payload = { data: record || null };
+    const record = await service.readOne(req.params['pk'], req.sanitizedQuery);
+    res.locals['payload'] = { data: record || null };
     return next();
 }), respond_1.respond);
 router.patch('/', (0, validate_batch_1.validateBatch)('update'), (0, async_handler_1.default)(async (req, res, next) => {
@@ -82,11 +83,12 @@ router.patch('/', (0, validate_batch_1.validateBatch)('update'), (0, async_handl
         keys = await service.updateMany(req.body.keys, req.body.data);
     }
     else {
-        keys = await service.updateByQuery(req.body.query, req.body.data);
+        const sanitizedQuery = (0, sanitize_query_1.sanitizeQuery)(req.body.query, req.accountability);
+        keys = await service.updateByQuery(sanitizedQuery, req.body.data);
     }
     try {
         const result = await service.readMany(keys, req.sanitizedQuery);
-        res.locals.payload = { data: result };
+        res.locals['payload'] = { data: result };
     }
     catch (error) {
         if (error instanceof exceptions_1.ForbiddenException) {
@@ -101,10 +103,10 @@ router.patch('/:pk', (0, async_handler_1.default)(async (req, res, next) => {
         accountability: req.accountability,
         schema: req.schema,
     });
-    const primaryKey = await service.updateOne(req.params.pk, req.body);
+    const primaryKey = await service.updateOne(req.params['pk'], req.body);
     try {
         const item = await service.readOne(primaryKey, req.sanitizedQuery);
-        res.locals.payload = { data: item || null };
+        res.locals['payload'] = { data: item || null };
     }
     catch (error) {
         if (error instanceof exceptions_1.ForbiddenException) {
@@ -126,7 +128,8 @@ router.delete('/', (0, validate_batch_1.validateBatch)('delete'), (0, async_hand
         await service.deleteMany(req.body.keys);
     }
     else {
-        await service.deleteByQuery(req.body.query);
+        const sanitizedQuery = (0, sanitize_query_1.sanitizeQuery)(req.body.query, req.accountability);
+        await service.deleteByQuery(sanitizedQuery);
     }
     return next();
 }), respond_1.respond);
@@ -135,7 +138,7 @@ router.delete('/:pk', (0, async_handler_1.default)(async (req, res, next) => {
         accountability: req.accountability,
         schema: req.schema,
     });
-    await service.deleteOne(req.params.pk);
+    await service.deleteOne(req.params['pk']);
     return next();
 }), respond_1.respond);
 exports.default = router;

package/dist/controllers/schema.js

@@ -17,7 +17,7 @@ const router = express_1.default.Router();
 router.get('/snapshot', (0, async_handler_1.default)(async (req, res, next) => {
     const service = new schema_1.SchemaService({ accountability: req.accountability });
     const currentSnapshot = await service.snapshot();
-    res.locals.payload = { data: currentSnapshot };
+    res.locals['payload'] = { data: currentSnapshot };
     return next();
 }), respond_1.respond);
 router.post('/apply', (0, async_handler_1.default)(async (req, _res, next) => {
@@ -29,7 +29,7 @@ const schemaMultipartHandler = (req, res, next) => {
     if (req.is('application/json')) {
         if (Object.keys(req.body).length === 0)
             throw new exceptions_1.InvalidPayloadException(`No data was included in the body`);
-        res.locals.uploadedSnapshot = req.body;
+        res.locals['uploadedSnapshot'] = req.body;
         return next();
     }
     if (!req.is('multipart/form-data'))
@@ -70,7 +70,7 @@ const schemaMultipartHandler = (req, res, next) => {
             }
             if (!uploadedSnapshot)
                 throw new exceptions_1.InvalidPayloadException(`No file was included in the body`);
-            res.locals.uploadedSnapshot = uploadedSnapshot;
+            res.locals['uploadedSnapshot'] = uploadedSnapshot;
             return next();
         }
         catch (error) {
@@ -86,13 +86,13 @@ const schemaMultipartHandler = (req, res, next) => {
 };
 router.post('/diff', (0, async_handler_1.default)(schemaMultipartHandler), (0, async_handler_1.default)(async (req, res, next) => {
     const service = new schema_1.SchemaService({ accountability: req.accountability });
-    const snapshot = res.locals.uploadedSnapshot;
+    const snapshot = res.locals['uploadedSnapshot'];
     const currentSnapshot = await service.snapshot();
     const snapshotDiff = await service.diff(snapshot, { currentSnapshot, force: 'force' in req.query });
     if (!snapshotDiff)
         return next();
     const currentSnapshotHash = (0, get_versioned_hash_1.getVersionedHash)(currentSnapshot);
-    res.locals.payload = { data: { hash: currentSnapshotHash, diff: snapshotDiff } };
+    res.locals['payload'] = { data: { hash: currentSnapshotHash, diff: snapshotDiff } };
     return next();
 }), respond_1.respond);
 exports.default = router;

package/dist/controllers/server.js

@@ -15,7 +15,7 @@ router.get('/specs/oas', (0, async_handler_1.default)(async (req, res, next) =>
         accountability: req.accountability,
         schema: req.schema,
     });
-    res.locals.payload = await service.oas.generate();
+    res.locals['payload'] = await service.oas.generate();
     return next();
 }), respond_1.respond);
 router.get('/specs/graphql/:scope?', (0, async_handler_1.default)(async (req, res) => {
@@ -27,12 +27,12 @@ router.get('/specs/graphql/:scope?', (0, async_handler_1.default)(async (req, re
         accountability: req.accountability,
         schema: req.schema,
     });
-    const scope = req.params.scope || 'items';
+    const scope = req.params['scope'] || 'items';
     if (['items', 'system'].includes(scope) === false)
         throw new exceptions_1.RouteNotFoundException(req.path);
     const info = await serverService.serverInfo();
     const result = await service.graphql.generate(scope);
-    const filename = info.project.project_name + '_' + (0, date_fns_1.format)(new Date(), 'yyyy-MM-dd') + '.graphql';
+    const filename = info['project'].project_name + '_' + (0, date_fns_1.format)(new Date(), 'yyyy-MM-dd') + '.graphql';
     res.attachment(filename);
     res.send(result);
 }));
@@ -42,7 +42,7 @@ router.get('/info', (0, async_handler_1.default)(async (req, res, next) => {
         schema: req.schema,
     });
     const data = await service.serverInfo();
-    res.locals.payload = { data };
+    res.locals['payload'] = { data };
     return next();
 }), respond_1.respond);
 router.get('/health', (0, async_handler_1.default)(async (req, res, next) => {
@@ -52,10 +52,10 @@ router.get('/health', (0, async_handler_1.default)(async (req, res, next) => {
     });
     const data = await service.health();
     res.setHeader('Content-Type', 'application/health+json');
-    if (data.status === 'error')
+    if (data['status'] === 'error')
         res.status(503);
-    res.locals.payload = data;
-    res.locals.cache = false;
+    res.locals['payload'] = data;
+    res.locals['cache'] = false;
     return next();
 }), respond_1.respond);
 exports.default = router;

package/dist/controllers/settings.js

@@ -17,7 +17,7 @@ router.get('/', (0, async_handler_1.default)(async (req, res, next) => {
         schema: req.schema,
     });
     const records = await service.readSingleton(req.sanitizedQuery);
-    res.locals.payload = { data: records || null };
+    res.locals['payload'] = { data: records || null };
     return next();
 }), respond_1.respond);
 router.patch('/', (0, async_handler_1.default)(async (req, res, next) => {
@@ -28,7 +28,7 @@ router.patch('/', (0, async_handler_1.default)(async (req, res, next) => {
     await service.upsertSingleton(req.body);
     try {
         const record = await service.readSingleton(req.sanitizedQuery);
-        res.locals.payload = { data: record || null };
+        res.locals['payload'] = { data: record || null };
     }
     catch (error) {
         if (error instanceof exceptions_1.ForbiddenException) {

package/dist/controllers/shares.js

@@ -4,15 +4,16 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 const express_1 = __importDefault(require("express"));
+const joi_1 = __importDefault(require("joi"));
+const constants_1 = require("../constants");
+const env_1 = __importDefault(require("../env"));
 const exceptions_1 = require("../exceptions");
 const respond_1 = require("../middleware/respond");
 const use_collection_1 = __importDefault(require("../middleware/use-collection"));
 const validate_batch_1 = require("../middleware/validate-batch");
 const services_1 = require("../services");
 const async_handler_1 = __importDefault(require("../utils/async-handler"));
-const constants_1 = require("../constants");
-const joi_1 = __importDefault(require("joi"));
-const env_1 = __importDefault(require("../env"));
+const sanitize_query_1 = require("../utils/sanitize-query");
 const router = express_1.default.Router();
 router.use((0, use_collection_1.default)('directus_shares'));
 const sharedLoginSchema = joi_1.default.object({
@@ -29,8 +30,8 @@ router.post('/auth', (0, async_handler_1.default)(async (req, res, next) => {
         throw new exceptions_1.InvalidPayloadException(error.message);
     }
     const { accessToken, refreshToken, expires } = await service.login(req.body);
-    res.cookie(env_1.default.REFRESH_TOKEN_COOKIE_NAME, refreshToken, constants_1.COOKIE_OPTIONS);
-    res.locals.payload = { data: { access_token: accessToken, expires } };
+    res.cookie(env_1.default['REFRESH_TOKEN_COOKIE_NAME'], refreshToken, constants_1.COOKIE_OPTIONS);
+    res.locals['payload'] = { data: { access_token: accessToken, expires } };
     return next();
 }), respond_1.respond);
 const sharedInviteSchema = joi_1.default.object({
@@ -66,11 +67,11 @@ router.post('/', (0, async_handler_1.default)(async (req, res, next) => {
     try {
         if (Array.isArray(req.body)) {
             const items = await service.readMany(savedKeys, req.sanitizedQuery);
-            res.locals.payload = { data: items };
+            res.locals['payload'] = { data: items };
         }
         else {
             const item = await service.readOne(savedKeys[0], req.sanitizedQuery);
-            res.locals.payload = { data: item };
+            res.locals['payload'] = { data: item };
         }
     }
     catch (error) {
@@ -87,7 +88,7 @@ const readHandler = (0, async_handler_1.default)(async (req, res, next) => {
         schema: req.schema,
     });
     const records = await service.readByQuery(req.sanitizedQuery);
-    res.locals.payload = { data: records || null };
+    res.locals['payload'] = { data: records || null };
     return next();
 });
 router.get('/', (0, validate_batch_1.validateBatch)('read'), readHandler, respond_1.respond);
@@ -96,7 +97,7 @@ router.get(`/info/:pk(${constants_1.UUID_REGEX})`, (0, async_handler_1.default)(
     const service = new services_1.SharesService({
         schema: req.schema,
     });
-    const record = await service.readOne(req.params.pk, {
+    const record = await service.readOne(req.params['pk'], {
         fields: ['id', 'collection', 'item', 'password', 'max_uses', 'times_used', 'date_start', 'date_end'],
         filter: {
             _and: [
@@ -131,7 +132,7 @@ router.get(`/info/:pk(${constants_1.UUID_REGEX})`, (0, async_handler_1.default)(
             ],
         },
     });
-    res.locals.payload = { data: record || null };
+    res.locals['payload'] = { data: record || null };
     return next();
 }), respond_1.respond);
 router.get(`/:pk(${constants_1.UUID_REGEX})`, (0, async_handler_1.default)(async (req, res, next) => {
@@ -139,8 +140,8 @@ router.get(`/:pk(${constants_1.UUID_REGEX})`, (0, async_handler_1.default)(async
         accountability: req.accountability,
         schema: req.schema,
     });
-    const record = await service.readOne(req.params.pk, req.sanitizedQuery);
-    res.locals.payload = { data: record || null };
+    const record = await service.readOne(req.params['pk'], req.sanitizedQuery);
+    res.locals['payload'] = { data: record || null };
     return next();
 }), respond_1.respond);
 router.patch('/', (0, validate_batch_1.validateBatch)('update'), (0, async_handler_1.default)(async (req, res, next) => {
@@ -156,11 +157,12 @@ router.patch('/', (0, validate_batch_1.validateBatch)('update'), (0, async_handl
         keys = await service.updateMany(req.body.keys, req.body.data);
     }
     else {
-        keys = await service.updateByQuery(req.body.query, req.body.data);
+        const sanitizedQuery = (0, sanitize_query_1.sanitizeQuery)(req.body.query, req.accountability);
+        keys = await service.updateByQuery(sanitizedQuery, req.body.data);
     }
     try {
         const result = await service.readMany(keys, req.sanitizedQuery);
-        res.locals.payload = { data: result };
+        res.locals['payload'] = { data: result };
     }
     catch (error) {
         if (error instanceof exceptions_1.ForbiddenException) {
@@ -175,10 +177,10 @@ router.patch(`/:pk(${constants_1.UUID_REGEX})`, (0, async_handler_1.default)(asy
         accountability: req.accountability,
         schema: req.schema,
     });
-    const primaryKey = await service.updateOne(req.params.pk, req.body);
+    const primaryKey = await service.updateOne(req.params['pk'], req.body);
     try {
         const item = await service.readOne(primaryKey, req.sanitizedQuery);
-        res.locals.payload = { data: item || null };
+        res.locals['payload'] = { data: item || null };
     }
     catch (error) {
         if (error instanceof exceptions_1.ForbiddenException) {
@@ -200,7 +202,8 @@ router.delete('/', (0, async_handler_1.default)(async (req, _res, next) => {
         await service.deleteMany(req.body.keys);
     }
     else {
-        await service.deleteByQuery(req.body.query);
+        const sanitizedQuery = (0, sanitize_query_1.sanitizeQuery)(req.body.query, req.accountability);
+        await service.deleteByQuery(sanitizedQuery);
     }
     return next();
 }), respond_1.respond);
@@ -209,7 +212,7 @@ router.delete(`/:pk(${constants_1.UUID_REGEX})`, (0, async_handler_1.default)(as
         accountability: req.accountability,
         schema: req.schema,
     });
-    await service.deleteOne(req.params.pk);
+    await service.deleteOne(req.params['pk']);
     return next();
 }), respond_1.respond);
 exports.default = router;