npm - directus - Versions diffs - 9.6.0 → 9.8.0 - Mend

directus 9.6.0 → 9.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (99) hide show

package/dist/app.js +3 -1
package/dist/auth/drivers/oauth2.js +3 -0
package/dist/auth/drivers/openid.js +3 -0
package/dist/cache.d.ts +4 -1
package/dist/cache.js +29 -7
package/dist/cli/commands/schema/apply.d.ts +1 -0
package/dist/cli/commands/schema/apply.js +9 -5
package/dist/cli/index.js +1 -0
package/dist/controllers/assets.js +9 -1
package/dist/controllers/utils.js +18 -1
package/dist/database/helpers/date/dialects/default.d.ts +3 -0
package/dist/database/helpers/date/dialects/default.js +7 -0
package/dist/database/helpers/date/dialects/sqlite.d.ts +0 -9
package/dist/database/helpers/date/dialects/sqlite.js +0 -24
package/dist/database/helpers/date/index.d.ts +6 -6
package/dist/database/helpers/date/index.js +13 -13
package/dist/database/helpers/date/types.d.ts +0 -9
package/dist/database/helpers/{date → fn}/dialects/mssql.d.ts +3 -2
package/dist/database/helpers/{date → fn}/dialects/mssql.js +14 -3
package/dist/database/helpers/{date → fn}/dialects/mysql.d.ts +3 -2
package/dist/database/helpers/{date → fn}/dialects/mysql.js +14 -3
package/dist/database/helpers/{date → fn}/dialects/oracle.d.ts +3 -2
package/dist/database/helpers/{date → fn}/dialects/oracle.js +14 -3
package/dist/database/helpers/{date → fn}/dialects/postgres.d.ts +3 -2
package/dist/database/helpers/{date → fn}/dialects/postgres.js +14 -3
package/dist/database/helpers/fn/dialects/sqlite.d.ts +13 -0
package/dist/database/helpers/fn/dialects/sqlite.js +42 -0
package/dist/database/helpers/fn/index.d.ts +7 -0
package/dist/database/helpers/fn/index.js +17 -0
package/dist/database/helpers/fn/types.d.ts +18 -0
package/dist/database/helpers/fn/types.js +27 -0
package/dist/database/helpers/index.d.ts +4 -1
package/dist/database/helpers/index.js +7 -1
package/dist/database/index.js +0 -3
package/dist/database/migrations/20220308A-add-bookmark-icon-and-color.d.ts +3 -0
package/dist/database/migrations/20220308A-add-bookmark-icon-and-color.js +17 -0
package/dist/database/migrations/20220314A-add-translation-strings.d.ts +3 -0
package/dist/database/migrations/20220314A-add-translation-strings.js +15 -0
package/dist/database/migrations/20220322A-rename-field-typecast-flags.d.ts +3 -0
package/dist/database/migrations/20220322A-rename-field-typecast-flags.js +77 -0
package/dist/database/migrations/20220323A-add-field-validation.d.ts +3 -0
package/dist/database/migrations/20220323A-add-field-validation.js +17 -0
package/dist/database/migrations/20220325A-fix-typecast-flags.d.ts +3 -0
package/dist/database/migrations/20220325A-fix-typecast-flags.js +49 -0
package/dist/database/migrations/20220325B-add-default-language.d.ts +3 -0
package/dist/database/migrations/20220325B-add-default-language.js +28 -0
package/dist/database/migrations/run.js +1 -1
package/dist/database/run-ast.js +11 -3
package/dist/database/system-data/fields/activity.yaml +4 -4
package/dist/database/system-data/fields/collections.yaml +4 -4
package/dist/database/system-data/fields/fields.yaml +17 -8
package/dist/database/system-data/fields/files.yaml +2 -2
package/dist/database/system-data/fields/panels.yaml +2 -2
package/dist/database/system-data/fields/permissions.yaml +4 -4
package/dist/database/system-data/fields/presets.yaml +17 -3
package/dist/database/system-data/fields/relations.yaml +1 -1
package/dist/database/system-data/fields/revisions.yaml +2 -2
package/dist/database/system-data/fields/roles.yaml +4 -4
package/dist/database/system-data/fields/settings.yaml +19 -4
package/dist/database/system-data/fields/users.yaml +2 -2
package/dist/database/system-data/fields/webhooks.yaml +4 -4
package/dist/env.js +6 -2
package/dist/exceptions/database/dialects/mysql.js +23 -17
package/dist/logger.js +2 -1
package/dist/middleware/respond.js +7 -28
package/dist/services/activity.js +4 -1
package/dist/services/authorization.d.ts +1 -1
package/dist/services/authorization.js +156 -14
package/dist/services/collections.js +222 -198
package/dist/services/fields.js +184 -173
package/dist/services/files.js +69 -3
package/dist/services/graphql.js +2 -2
package/dist/services/import-export.d.ts +34 -0
package/dist/services/import-export.js +270 -0
package/dist/services/index.d.ts +2 -1
package/dist/services/index.js +2 -1
package/dist/services/items.js +1 -0
package/dist/services/payload.js +11 -9
package/dist/services/permissions.js +10 -10
package/dist/services/relations.js +93 -78
package/dist/services/server.js +1 -0
package/dist/services/shares.js +2 -1
package/dist/services/users.js +3 -1
package/dist/utils/apply-query.js +21 -3
package/dist/utils/get-column.d.ts +6 -5
package/dist/utils/get-column.js +16 -8
package/dist/utils/get-date-formatted.d.ts +1 -0
package/dist/utils/get-date-formatted.js +14 -0
package/dist/utils/get-local-type.js +2 -2
package/dist/utils/get-permissions.js +1 -1
package/dist/utils/get-schema.d.ts +1 -1
package/dist/utils/get-schema.js +16 -11
package/dist/utils/track.js +3 -2
package/dist/utils/url.d.ts +1 -1
package/dist/utils/url.js +1 -1
package/dist/utils/validate-storage.js +3 -1
package/package.json +13 -12
package/dist/services/import.d.ts +0 -13
package/dist/services/import.js +0 -118

package/dist/services/authorization.js CHANGED Viewed

@@ -4,14 +4,14 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.AuthorizationService = void 0;
+const exceptions_1 = require("@directus/shared/exceptions");
+const utils_1 = require("@directus/shared/utils");
 const lodash_1 = require("lodash");
 const database_1 = __importDefault(require("../database"));
-const exceptions_1 = require("../exceptions");
-const exceptions_2 = require("@directus/shared/exceptions");
-const utils_1 = require("@directus/shared/utils");
+const exceptions_2 = require("../exceptions");
+const strip_function_1 = require("../utils/strip-function");
 const items_1 = require("./items");
 const payload_1 = require("./payload");
-const strip_function_1 = require("../utils/strip-function");
 class AuthorizationService {
     constructor(options) {
         this.knex = options.knex || (0, database_1.default)();
@@ -32,9 +32,10 @@ class AuthorizationService {
         // If the permissions don't match the collections, you don't have permission to read all of them
         const uniqueCollectionsRequestedCount = (0, lodash_1.uniq)(collectionsRequested.map(({ collection }) => collection)).length;
         if (uniqueCollectionsRequestedCount !== permissionsForCollections.length) {
-            throw new exceptions_1.ForbiddenException();
+            throw new exceptions_2.ForbiddenException();
         }
         validateFields(ast);
+        validateFilterPermissions(ast, this.schema, this.accountability);
         applyFilters(ast, this.accountability);
         return ast;
         /**
@@ -87,7 +88,7 @@ class AuthorizationService {
                             continue;
                         for (const column of Object.values(aliasMap)) {
                             if (allowedFields.includes(column) === false)
-                                throw new exceptions_1.ForbiddenException();
+                                throw new exceptions_2.ForbiddenException();
                         }
                     }
                 }
@@ -100,7 +101,136 @@ class AuthorizationService {
                         continue;
                     const fieldKey = (0, strip_function_1.stripFunction)(childNode.name);
                     if (allowedFields.includes(fieldKey) === false) {
-                        throw new exceptions_1.ForbiddenException();
+                        throw new exceptions_2.ForbiddenException();
+                    }
+                }
+            }
+        }
+        function validateFilterPermissions(ast, schema, accountability) {
+            var _a, _b, _c, _d, _e;
+            let requiredFieldPermissions = {};
+            if (ast.type !== 'field') {
+                if (ast.type === 'a2o') {
+                    for (const collection of Object.keys(ast.children)) {
+                        requiredFieldPermissions = mergeRequiredFieldPermissions(requiredFieldPermissions, extractRequiredFieldPermissions(collection, (_c = (_b = (_a = ast.query) === null || _a === void 0 ? void 0 : _a[collection]) === null || _b === void 0 ? void 0 : _b.filter) !== null && _c !== void 0 ? _c : {}));
+                        for (const child of ast.children[collection]) {
+                            // Always add relational field as a deep child may have a filter
+                            if (child.type !== 'field') {
+                                (requiredFieldPermissions[collection] || (requiredFieldPermissions[collection] = new Set())).add(child.fieldKey);
+                            }
+                            requiredFieldPermissions = mergeRequiredFieldPermissions(requiredFieldPermissions, validateFilterPermissions(child, schema, accountability));
+                        }
+                    }
+                }
+                else {
+                    requiredFieldPermissions = mergeRequiredFieldPermissions(requiredFieldPermissions, extractRequiredFieldPermissions(ast.name, (_e = (_d = ast.query) === null || _d === void 0 ? void 0 : _d.filter) !== null && _e !== void 0 ? _e : {}));
+                    for (const child of ast.children) {
+                        // Always add relational field as a deep child may have a filter
+                        if (child.type !== 'field') {
+                            (requiredFieldPermissions[ast.name] || (requiredFieldPermissions[ast.name] = new Set())).add(child.fieldKey);
+                        }
+                        requiredFieldPermissions = mergeRequiredFieldPermissions(requiredFieldPermissions, validateFilterPermissions(child, schema, accountability));
+                    }
+                }
+            }
+            if (ast.type === 'root') {
+                // Validate all required permissions once at the root level
+                checkFieldPermissions(requiredFieldPermissions);
+            }
+            return requiredFieldPermissions;
+            function extractRequiredFieldPermissions(collection, filter, parentCollection, parentField) {
+                return (0, lodash_1.reduce)(filter, function (result, filterValue, filterKey) {
+                    if (filterKey.startsWith('_')) {
+                        if (filterKey === '_and' || filterKey === '_or') {
+                            if ((0, lodash_1.isArray)(filterValue)) {
+                                for (const filter of filterValue) {
+                                    const requiredPermissions = extractRequiredFieldPermissions(collection, filter, parentCollection, parentField);
+                                    result = mergeRequiredFieldPermissions(result, requiredPermissions);
+                                }
+                            }
+                            return result;
+                        }
+                        // Filter value is not a filter, so we should skip it
+                        return result;
+                    }
+                    else {
+                        if (collection) {
+                            (result[collection] || (result[collection] = new Set())).add(filterKey);
+                        }
+                        else {
+                            const relation = schema.relations.find((relation) => {
+                                var _a;
+                                return ((relation.collection === parentCollection && relation.field === parentField) ||
+                                    (relation.related_collection === parentCollection && ((_a = relation.meta) === null || _a === void 0 ? void 0 : _a.one_field) === parentField));
+                            });
+                            if (relation) {
+                                if (relation.related_collection === parentCollection) {
+                                    (result[relation.collection] || (result[relation.collection] = new Set())).add(filterKey);
+                                    parentCollection = relation.collection;
+                                }
+                                else {
+                                    (result[relation.related_collection] || (result[relation.related_collection] = new Set())).add(filterKey);
+                                    parentCollection = relation.related_collection;
+                                }
+                            }
+                            else {
+                                // Filter key not found in parent collection
+                                throw new exceptions_2.ForbiddenException();
+                            }
+                        }
+                        if (typeof filterValue === 'object') {
+                            // Parent collection is undefined when we process the top level filter
+                            if (!parentCollection)
+                                parentCollection = collection;
+                            for (const [childFilterKey, childFilterValue] of Object.entries(filterValue)) {
+                                if (childFilterKey.startsWith('_')) {
+                                    if (childFilterKey === '_and' || childFilterKey === '_or') {
+                                        if ((0, lodash_1.isArray)(childFilterValue)) {
+                                            for (const filter of childFilterValue) {
+                                                const requiredPermissions = extractRequiredFieldPermissions('', filter, parentCollection, filterKey);
+                                                result = mergeRequiredFieldPermissions(result, requiredPermissions);
+                                            }
+                                        }
+                                    }
+                                }
+                                else {
+                                    const requiredPermissions = extractRequiredFieldPermissions('', filterValue, parentCollection, filterKey);
+                                    result = mergeRequiredFieldPermissions(result, requiredPermissions);
+                                }
+                            }
+                        }
+                    }
+                    return result;
+                }, {});
+            }
+            function mergeRequiredFieldPermissions(current, child) {
+                for (const collection of Object.keys(child)) {
+                    if (!current[collection]) {
+                        current[collection] = child[collection];
+                    }
+                    else {
+                        current[collection] = new Set([...current[collection], ...child[collection]]);
+                    }
+                }
+                return current;
+            }
+            function checkFieldPermissions(requiredPermissions) {
+                var _a;
+                if ((accountability === null || accountability === void 0 ? void 0 : accountability.admin) === true)
+                    return;
+                for (const collection of Object.keys(requiredPermissions)) {
+                    const permission = (_a = accountability === null || accountability === void 0 ? void 0 : accountability.permissions) === null || _a === void 0 ? void 0 : _a.find((permission) => permission.collection === collection && permission.action === 'read');
+                    if (!permission || !permission.fields)
+                        throw new exceptions_2.ForbiddenException();
+                    const allowedFields = permission.fields;
+                    if (allowedFields.includes('*'))
+                        continue;
+                    // Allow legacy permissions with an empty fields array, where id can be accessed
+                    if (allowedFields.length === 0)
+                        allowedFields.push('id');
+                    for (const field of requiredPermissions[collection]) {
+                        if (!allowedFields.includes(field))
+                            throw new exceptions_2.ForbiddenException();
                     }
                 }
             }
@@ -164,20 +294,24 @@ class AuthorizationService {
                 return permission.collection === collection && permission.action === action;
             });
             if (!permission)
-                throw new exceptions_1.ForbiddenException();
+                throw new exceptions_2.ForbiddenException();
             // Check if you have permission to access the fields you're trying to access
             const allowedFields = permission.fields || [];
             if (allowedFields.includes('*') === false) {
                 const keysInData = Object.keys(payload);
                 const invalidKeys = keysInData.filter((fieldKey) => allowedFields.includes(fieldKey) === false);
                 if (invalidKeys.length > 0) {
-                    throw new exceptions_1.ForbiddenException();
+                    throw new exceptions_2.ForbiddenException();
                 }
             }
         }
         const preset = (_e = permission.presets) !== null && _e !== void 0 ? _e : {};
         const payloadWithPresets = (0, lodash_1.merge)({}, preset, payload);
+        const fieldValidationRules = Object.values(this.schema.collections[collection].fields)
+            .map((field) => field.validation)
+            .filter((v) => v);
         const hasValidationRules = (0, lodash_1.isNil)(permission.validation) === false && Object.keys((_f = permission.validation) !== null && _f !== void 0 ? _f : {}).length > 0;
+        const hasFieldValidationRules = fieldValidationRules && fieldValidationRules.length > 0;
         const requiredColumns = [];
         for (const field of Object.values(this.schema.collections[collection].fields)) {
             const specials = (_g = field === null || field === void 0 ? void 0 : field.special) !== null && _g !== void 0 ? _g : [];
@@ -187,7 +321,7 @@ class AuthorizationService {
                 requiredColumns.push(field);
             }
         }
-        if (hasValidationRules === false && requiredColumns.length === 0) {
+        if (hasValidationRules === false && hasFieldValidationRules === false && requiredColumns.length === 0) {
             return payloadWithPresets;
         }
         if (requiredColumns.length > 0) {
@@ -207,8 +341,16 @@ class AuthorizationService {
                 });
             }
         }
+        if (hasFieldValidationRules) {
+            if (permission.validation) {
+                permission.validation = { _and: [permission.validation, ...fieldValidationRules] };
+            }
+            else {
+                permission.validation = { _and: fieldValidationRules };
+            }
+        }
         const validationErrors = [];
-        validationErrors.push(...(0, lodash_1.flatten)((0, utils_1.validatePayload)(permission.validation, payloadWithPresets).map((error) => error.details.map((details) => new exceptions_2.FailedValidationException(details)))));
+        validationErrors.push(...(0, lodash_1.flatten)((0, utils_1.validatePayload)(permission.validation, payloadWithPresets).map((error) => error.details.map((details) => new exceptions_1.FailedValidationException(details)))));
         if (validationErrors.length > 0)
             throw validationErrors;
         return payloadWithPresets;
@@ -228,14 +370,14 @@ class AuthorizationService {
         if (Array.isArray(pk)) {
             const result = await itemsService.readMany(pk, { ...query, limit: pk.length }, { permissionsAction: action });
             if (!result)
-                throw new exceptions_1.ForbiddenException();
+                throw new exceptions_2.ForbiddenException();
             if (result.length !== pk.length)
-                throw new exceptions_1.ForbiddenException();
+                throw new exceptions_2.ForbiddenException();
         }
         else {
             const result = await itemsService.readOne(pk, query, { permissionsAction: action });
             if (!result)
-                throw new exceptions_1.ForbiddenException();
+                throw new exceptions_2.ForbiddenException();
         }
     }
 }