directus 9.5.0 → 9.6.0

package/dist/middleware/authenticate.js

@@ -1,39 +1,23 @@
 "use strict";
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
-    Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
-    o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || function (mod) {
-    if (mod && mod.__esModule) return mod;
-    var result = {};
-    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
-    __setModuleDefault(result, mod);
-    return result;
-};
 var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-const jsonwebtoken_1 = __importStar(require("jsonwebtoken"));
+exports.handler = void 0;
+const lodash_1 = require("lodash");
 const database_1 = __importDefault(require("../database"));
+const emitter_1 = __importDefault(require("../emitter"));
 const env_1 = __importDefault(require("../env"));
 const exceptions_1 = require("../exceptions");
 const async_handler_1 = __importDefault(require("../utils/async-handler"));
 const get_ip_from_req_1 = require("../utils/get-ip-from-req");
 const is_directus_jwt_1 = __importDefault(require("../utils/is-directus-jwt"));
+const jwt_1 = require("../utils/jwt");
 /**
  * Verify the passed JWT and assign the user ID and role to `req`
  */
-const authenticate = (0, async_handler_1.default)(async (req, res, next) => {
-    req.accountability = {
+const handler = async (req, res, next) => {
+    const defaultAccountability = {
         user: null,
         role: null,
         admin: false,
@@ -42,23 +26,21 @@ const authenticate = (0, async_handler_1.default)(async (req, res, next) => {
         userAgent: req.get('user-agent'),
     };
     const database = (0, database_1.default)();
+    const customAccountability = await emitter_1.default.emitFilter('authenticate', defaultAccountability, {
+        req,
+    }, {
+        database,
+        schema: null,
+        accountability: null,
+    });
+    if (customAccountability && (0, lodash_1.isEqual)(customAccountability, defaultAccountability) === false) {
+        req.accountability = customAccountability;
+        return next();
+    }
+    req.accountability = defaultAccountability;
     if (req.token) {
         if ((0, is_directus_jwt_1.default)(req.token)) {
-            let payload;
-            try {
-                payload = jsonwebtoken_1.default.verify(req.token, env_1.default.SECRET, { issuer: 'directus' });
-            }
-            catch (err) {
-                if (err instanceof jsonwebtoken_1.TokenExpiredError) {
-                    throw new exceptions_1.InvalidCredentialsException('Token expired.');
-                }
-                else if (err instanceof jsonwebtoken_1.JsonWebTokenError) {
-                    throw new exceptions_1.InvalidCredentialsException('Token invalid.');
-                }
-                else {
-                    throw err;
-                }
-            }
+            const payload = (0, jwt_1.verifyAccessJWT)(req.token, env_1.default.SECRET);
             req.accountability.share = payload.share;
             req.accountability.share_scope = payload.share_scope;
             req.accountability.user = payload.id;
@@ -87,5 +69,6 @@ const authenticate = (0, async_handler_1.default)(async (req, res, next) => {
         }
     }
     return next();
-});
-exports.default = authenticate;
+};
+exports.handler = handler;
+exports.default = (0, async_handler_1.default)(exports.handler);

package/dist/middleware/extract-token.js

@@ -15,7 +15,7 @@ const extractToken = (req, res, next) => {
     }
     if (req.headers && req.headers.authorization) {
         const parts = req.headers.authorization.split(' ');
-        if (parts.length === 2 && parts[0] === 'Bearer') {
+        if (parts.length === 2 && parts[0].toLowerCase() === 'bearer') {
             token = parts[1];
         }
     }

package/dist/server.js

@@ -36,8 +36,10 @@ const logger_1 = __importDefault(require("./logger"));
 const emitter_1 = __importDefault(require("./emitter"));
 const update_check_1 = __importDefault(require("update-check"));
 const package_json_1 = __importDefault(require("../package.json"));
+const get_config_from_env_1 = require("./utils/get-config-from-env");
 async function createServer() {
     const server = http.createServer(await (0, app_1.default)());
+    Object.assign(server, (0, get_config_from_env_1.getConfigFromEnv)('SERVER_'));
     server.on('request', function (req, res) {
         const startTime = process.hrtime();
         const complete = (0, lodash_1.once)(function (finished) {
@@ -124,9 +126,10 @@ async function createServer() {
 exports.createServer = createServer;
 async function startServer() {
     const server = await createServer();
+    const host = env_1.default.HOST;
     const port = env_1.default.PORT;
     server
-        .listen(port, () => {
+        .listen(port, host, () => {
         (0, update_check_1.default)(package_json_1.default)
             .then((update) => {
             if (update) {
@@ -136,7 +139,7 @@ async function startServer() {
             .catch(() => {
             // No need to log/warn here. The update message is only an informative nice-to-have
         });
-        logger_1.default.info(`Server started at http://localhost:${port}`);
+        logger_1.default.info(`Server started at http://${host}:${port}`);
         emitter_1.default.emitAction('server.start', { server }, {
             database: (0, database_1.default)(),
             schema: null,

package/dist/services/authorization.js

@@ -11,6 +11,7 @@ const exceptions_2 = require("@directus/shared/exceptions");
 const utils_1 = require("@directus/shared/utils");
 const items_1 = require("./items");
 const payload_1 = require("./payload");
+const strip_function_1 = require("../utils/strip-function");
 class AuthorizationService {
     constructor(options) {
         this.knex = options.knex || (0, database_1.default)();
@@ -97,7 +98,7 @@ class AuthorizationService {
                     }
                     if (allowedFields.includes('*'))
                         continue;
-                    const fieldKey = childNode.name;
+                    const fieldKey = (0, strip_function_1.stripFunction)(childNode.name);
                     if (allowedFields.includes(fieldKey) === false) {
                         throw new exceptions_1.ForbiddenException();
                     }

package/dist/services/collections.js

@@ -66,24 +66,7 @@ class CollectionsService {
         // permission problems. This might not work reliably in MySQL, as it doesn't support DDL in
         // transactions.
         await this.knex.transaction(async (trx) => {
-            if (payload.meta) {
-                const collectionItemsService = new items_1.ItemsService('directus_collections', {
-                    knex: trx,
-                    accountability: this.accountability,
-                    schema: this.schema,
-                });
-                await collectionItemsService.createOne({
-                    ...payload.meta,
-                    collection: payload.collection,
-                });
-            }
             if (payload.schema) {
-                const fieldsService = new fields_1.FieldsService({ knex: trx, schema: this.schema });
-                const fieldItemsService = new items_1.ItemsService('directus_fields', {
-                    knex: trx,
-                    accountability: this.accountability,
-                    schema: this.schema,
-                });
                 // Directus heavily relies on the primary key of a collection, so we have to make sure that
                 // every collection that is created has a primary key. If no primary key field is created
                 // while making the collection, we default to an auto incremented id named `id`
@@ -114,18 +97,33 @@ class CollectionsService {
                     }
                     return field;
                 });
-                await trx.transaction(async (schemaTrx) => {
-                    await schemaTrx.schema.createTable(payload.collection, (table) => {
-                        for (const field of payload.fields) {
-                            if (field.type && constants_1.ALIAS_TYPES.includes(field.type) === false) {
-                                fieldsService.addColumnToTable(table, field);
-                            }
+                const fieldsService = new fields_1.FieldsService({ knex: trx, schema: this.schema });
+                await trx.schema.createTable(payload.collection, (table) => {
+                    for (const field of payload.fields) {
+                        if (field.type && constants_1.ALIAS_TYPES.includes(field.type) === false) {
+                            fieldsService.addColumnToTable(table, field);
                         }
-                    });
+                    }
+                });
+                const fieldItemsService = new items_1.ItemsService('directus_fields', {
+                    knex: trx,
+                    accountability: this.accountability,
+                    schema: this.schema,
                 });
                 const fieldPayloads = payload.fields.filter((field) => field.meta).map((field) => field.meta);
                 await fieldItemsService.createMany(fieldPayloads);
             }
+            if (payload.meta) {
+                const collectionItemsService = new items_1.ItemsService('directus_collections', {
+                    knex: trx,
+                    accountability: this.accountability,
+                    schema: this.schema,
+                });
+                await collectionItemsService.createOne({
+                    ...payload.meta,
+                    collection: payload.collection,
+                });
+            }
             return payload.collection;
         });
         if (this.cache && env_1.default.CACHE_AUTO_PURGE && (opts === null || opts === void 0 ? void 0 : opts.autoPurgeCache) !== false) {
@@ -318,6 +316,9 @@ class CollectionsService {
         }
         await this.knex.transaction(async (trx) => {
             var _a;
+            if (collectionToBeDeleted.schema) {
+                await trx.schema.dropTable(collectionKey);
+            }
             // Make sure this collection isn't used as a group in any other collections
             await trx('directus_collections').update({ group: null }).where({ group: collectionKey });
             if (collectionToBeDeleted.meta) {
@@ -373,9 +374,6 @@ class CollectionsService {
                         .update({ one_allowed_collections: newAllowedCollections })
                         .where({ id: relation.meta.id });
                 }
-                await trx.transaction(async (schemaTrx) => {
-                    await schemaTrx.schema.dropTable(collectionKey);
-                });
             }
         });
         if (this.cache && env_1.default.CACHE_AUTO_PURGE && (opts === null || opts === void 0 ? void 0 : opts.autoPurgeCache) !== false) {

package/dist/services/fields.js

@@ -224,10 +224,8 @@ class FieldsService {
                     this.addColumnToTable(table, hookAdjustedField);
                 }
                 else {
-                    await trx.transaction(async (schemaTrx) => {
-                        await schemaTrx.schema.alterTable(collection, (table) => {
-                            this.addColumnToTable(table, hookAdjustedField);
-                        });
+                    await trx.schema.alterTable(collection, (table) => {
+                        this.addColumnToTable(table, hookAdjustedField);
                     });
                 }
             }
@@ -327,6 +325,13 @@ class FieldsService {
         });
         await this.knex.transaction(async (trx) => {
             var _a, _b;
+            if (this.schema.collections[collection] &&
+                field in this.schema.collections[collection].fields &&
+                this.schema.collections[collection].fields[field].alias === false) {
+                await trx.schema.table(collection, (table) => {
+                    table.dropColumn(field);
+                });
+            }
             const relations = this.schema.relations.filter((relation) => {
                 var _a;
                 return ((relation.collection === collection && relation.field === field) ||
@@ -386,15 +391,6 @@ class FieldsService {
                     .where({ group: metaRow.field, collection: metaRow.collection });
             }
             await trx('directus_fields').delete().where({ collection, field });
-            if (this.schema.collections[collection] &&
-                field in this.schema.collections[collection].fields &&
-                this.schema.collections[collection].fields[field].alias === false) {
-                await trx.transaction(async (schemaTrx) => {
-                    await schemaTrx.schema.table(collection, (table) => {
-                        table.dropColumn(field);
-                    });
-                });
-            }
         });
         if (this.cache && env_1.default.CACHE_AUTO_PURGE) {
             await this.cache.clear();
@@ -456,11 +452,15 @@ class FieldsService {
                 column.defaultTo(field.schema.default_value);
             }
         }
-        if (((_g = field.schema) === null || _g === void 0 ? void 0 : _g.is_nullable) !== undefined && field.schema.is_nullable === false) {
-            column.notNullable();
+        if (((_g = field.schema) === null || _g === void 0 ? void 0 : _g.is_nullable) === false) {
+            if (!alter || alter.is_nullable === true) {
+                column.notNullable();
+            }
         }
         else {
-            column.nullable();
+            if (!alter || alter.is_nullable === false) {
+                column.nullable();
+            }
         }
         if ((_h = field.schema) === null || _h === void 0 ? void 0 : _h.is_primary_key) {
             column.primary().notNullable();

package/dist/services/mail/templates/base.liquid

@@ -35,7 +35,7 @@ a[x-apple-data-detectors] {
    line-height: inherit !important;
 }
 body a {
-    color: #00C897;
+    color: #6644ff;
     text-decoration: none;
 }
 hr {
@@ -74,7 +74,7 @@ hr {
         color: #FFFFFF !important;
     }
     .link {
-    	color: #00c897 !important;
+    	color: #6644ff !important;
     }
     .button {
     	background-color:#0BA582 !important;

package/dist/services/payload.js

@@ -100,12 +100,16 @@ class PayloadService {
                 return value;
             },
             async csv({ action, value }) {
-                if (!value)
+                if (Array.isArray(value) === false && typeof value !== 'string')
                     return;
-                if (action === 'read' && Array.isArray(value) === false)
+                if (action === 'read' && Array.isArray(value) === false) {
+                    if (value === '')
+                        return [];
                     return value.split(',');
-                if (Array.isArray(value))
+                }
+                if (Array.isArray(value)) {
                     return value.join(',');
+                }
                 return value;
             },
         };

package/dist/services/relations.js

@@ -135,6 +135,10 @@ class RelationsService {
         if (relation.field in this.schema.collections[relation.collection].fields === false) {
             throw new exceptions_1.InvalidPayloadException(`Field "${relation.field}" doesn't exist in collection "${relation.collection}"`);
         }
+        // A primary key should not be a foreign key
+        if (this.schema.collections[relation.collection].primary === relation.field) {
+            throw new exceptions_1.InvalidPayloadException(`Field "${relation.field}" in collection "${relation.collection}" is a primary key`);
+        }
         if (relation.related_collection && relation.related_collection in this.schema.collections === false) {
             throw new exceptions_1.InvalidPayloadException(`Collection "${relation.related_collection}" doesn't exist`);
         }

package/dist/services/utils.js

@@ -7,6 +7,7 @@ exports.UtilsService = void 0;
 const database_1 = __importDefault(require("../database"));
 const collections_1 = require("../database/system-data/collections");
 const exceptions_1 = require("../exceptions");
+const emitter_1 = __importDefault(require("../emitter"));
 class UtilsService {
     constructor(options) {
         this.knex = options.knex || (0, database_1.default)();
@@ -98,6 +99,15 @@ class UtilsService {
                 .andWhere(sortField, '<=', sourceSortValue)
                 .andWhereNot({ [primaryKeyField]: item });
         }
+        emitter_1.default.emitAction(['items.sort', `${collection}.items.sort`], {
+            collection,
+            item,
+            to,
+        }, {
+            database: this.knex,
+            schema: this.schema,
+            accountability: this.accountability,
+        });
     }
 }
 exports.UtilsService = UtilsService;

package/dist/utils/apply-query.js

@@ -48,29 +48,7 @@ function applyQuery(knex, collection, dbQuery, query, schema, subQuery = false)
     if (query.aggregate) {
         applyAggregate(dbQuery, query.aggregate, collection);
     }
-    if (query.union && query.union[1].length > 0) {
-        const [field, keys] = query.union;
-        const queries = keys.map((key) => {
-            const unionFilter = { [field]: { _eq: key } };
-            let filter = (0, lodash_1.cloneDeep)(query.filter);
-            if (filter) {
-                if ('_and' in filter) {
-                    filter._and.push(unionFilter);
-                }
-                else {
-                    filter = {
-                        _and: [filter, unionFilter],
-                    };
-                }
-            }
-            else {
-                filter = unionFilter;
-            }
-            return knex.select('*').from(applyFilter(knex, schema, dbQuery.clone(), filter, collection, subQuery).as('foo'));
-        });
-        dbQuery = knex.unionAll(queries);
-    }
-    else if (query.filter) {
+    if (query.filter) {
         applyFilter(knex, schema, dbQuery, query.filter, collection, subQuery);
     }
     return dbQuery;
@@ -234,7 +212,7 @@ function applyFilter(knex, schema, rootQuery, rootFilter, collection, subQuery =
                     applyFilterToQuery(`${collection}.${filterPath[0]}`, filterOperator, filterValue, logical);
                 }
             }
-            else if (subQuery === false) {
+            else if (subQuery === false || filterPath.length > 1) {
                 if (!relation)
                     continue;
                 let pkField = `${collection}.${schema.collections[relation.related_collection].primary}`;

package/dist/utils/get-permissions.js

@@ -145,7 +145,7 @@ function processPermissions(accountability, permissions, filterContext) {
     return permissions.map((permission) => {
         permission.permissions = (0, utils_1.parseFilter)(permission.permissions, accountability, filterContext);
         permission.validation = (0, utils_1.parseFilter)(permission.validation, accountability, filterContext);
-        permission.presets = (0, utils_1.parseFilter)(permission.presets, accountability, filterContext);
+        permission.presets = (0, utils_1.parsePreset)(permission.presets, accountability, filterContext);
         return permission;
     });
 }

package/dist/utils/is-directus-jwt.js

@@ -3,37 +3,20 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-const atob_1 = __importDefault(require("atob"));
-const logger_1 = __importDefault(require("../logger"));
+const jsonwebtoken_1 = __importDefault(require("jsonwebtoken"));
 /**
  * Check if a given string conforms to the structure of a JWT
  * and whether it is issued by Directus.
  */
 function isDirectusJWT(string) {
-    const parts = string.split('.');
-    // JWTs have the structure header.payload.signature
-    if (parts.length !== 3)
-        return false;
-    // Check if all segments are base64 encoded
-    try {
-        (0, atob_1.default)(parts[0]);
-        (0, atob_1.default)(parts[1]);
-        (0, atob_1.default)(parts[2]);
-    }
-    catch (err) {
-        logger_1.default.error(err);
-        return false;
-    }
-    // Check if the header and payload are valid JSON
     try {
-        JSON.parse((0, atob_1.default)(parts[0]));
-        const payload = JSON.parse((0, atob_1.default)(parts[1]));
-        if (payload.iss !== 'directus')
+        const payload = jsonwebtoken_1.default.decode(string, { json: true });
+        if ((payload === null || payload === void 0 ? void 0 : payload.iss) !== 'directus')
             return false;
+        return true;
     }
     catch {
         return false;
     }
-    return true;
 }
 exports.default = isDirectusJWT;

package/dist/utils/jwt.d.ts

@@ -0,0 +1,2 @@
+import { DirectusTokenPayload } from '../types';
+export declare function verifyAccessJWT(token: string, secret: string): DirectusTokenPayload;

package/dist/utils/jwt.js

@@ -0,0 +1,49 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.verifyAccessJWT = void 0;
+const jsonwebtoken_1 = __importStar(require("jsonwebtoken"));
+const exceptions_1 = require("../exceptions");
+function verifyAccessJWT(token, secret) {
+    let payload;
+    try {
+        payload = jsonwebtoken_1.default.verify(token, secret, {
+            issuer: 'directus',
+        });
+    }
+    catch (err) {
+        if (err instanceof jsonwebtoken_1.TokenExpiredError) {
+            throw new exceptions_1.InvalidTokenException('Token expired.');
+        }
+        else if (err instanceof jsonwebtoken_1.JsonWebTokenError) {
+            throw new exceptions_1.InvalidTokenException('Token invalid.');
+        }
+        else {
+            throw new exceptions_1.ServiceUnavailableException(`Couldn't verify token.`, { service: 'jwt' });
+        }
+    }
+    const { id, role, app_access, admin_access, share, share_scope } = payload;
+    if (role === undefined || app_access === undefined || admin_access === undefined) {
+        throw new exceptions_1.InvalidTokenException('Invalid token payload.');
+    }
+    return { id, role, app_access, admin_access, share, share_scope };
+}
+exports.verifyAccessJWT = verifyAccessJWT;

package/dist/utils/md.js

@@ -10,6 +10,6 @@ const sanitize_html_1 = __importDefault(require("sanitize-html"));
  * Render and sanitize a markdown string
  */
 function md(str) {
-    return (0, sanitize_html_1.default)((0, marked_1.parse)(str));
+    return (0, sanitize_html_1.default)((0, marked_1.marked)(str));
 }
 exports.md = md;

package/dist/utils/merge-permissions.js

@@ -31,9 +31,15 @@ function mergePermission(strategy, currentPerm, newPerm) {
             };
         }
         else if (currentPerm.permissions) {
-            permissions = {
-                [logicalKey]: [currentPerm.permissions, newPerm.permissions],
-            };
+            // Empty {} supersedes other permissions in _OR merge
+            if (strategy === 'or' && ((0, lodash_1.isEqual)(currentPerm.permissions, {}) || (0, lodash_1.isEqual)(newPerm.permissions, {}))) {
+                permissions = {};
+            }
+            else {
+                permissions = {
+                    [logicalKey]: [currentPerm.permissions, newPerm.permissions],
+                };
+            }
         }
         else {
             permissions = {
@@ -51,9 +57,15 @@ function mergePermission(strategy, currentPerm, newPerm) {
             };
         }
         else if (currentPerm.validation) {
-            validation = {
-                [logicalKey]: [currentPerm.validation, newPerm.validation],
-            };
+            // Empty {} supersedes other validations in _OR merge
+            if (strategy === 'or' && ((0, lodash_1.isEqual)(currentPerm.validation, {}) || (0, lodash_1.isEqual)(newPerm.validation, {}))) {
+                validation = {};
+            }
+            else {
+                validation = {
+                    [logicalKey]: [currentPerm.validation, newPerm.validation],
+                };
+            }
         }
         else {
             validation = {

package/example.env

@@ -1,6 +1,7 @@
 ####################################################################################################
 # General
 
+HOST="0.0.0.0"
 PORT=8055
 PUBLIC_URL="http://localhost:8055"
 LOG_LEVEL="info"