directus 9.9.1 → 9.10.0

package/README.md

@@ -16,7 +16,7 @@ view, author, and manage your raw database content. Our performant and flexible
 schema, and includes rule-based permissions, event/web hooks, custom endpoints, numerous auth options, configurable
 storage adapters, and much more.
 
-Current database support includes: PostgreSQL, MySQL, SQLite, MS-SQL Server, OracleDB, MariaDB, and varients such as AWS
+Current database support includes: PostgreSQL, MySQL, SQLite, MS-SQL Server, OracleDB, MariaDB, and variants such as AWS
 Aurora/Redshift or Google Cloud Platform SQL.
 
 Learn more at...

package/dist/app.js

@@ -119,6 +119,9 @@ async function createApp() {
             connectSrc: ["'self'", 'https://*'],
         },
     }, (0, get_config_from_env_1.getConfigFromEnv)('CONTENT_SECURITY_POLICY_'))));
+    if (env_1.default.HSTS_ENABLED) {
+        app.use(helmet_1.default.hsts((0, get_config_from_env_1.getConfigFromEnv)('HSTS_', ['HSTS_ENABLED'])));
+    }
     await emitter_1.default.emitInit('app.before', { app });
     await emitter_1.default.emitInit('middlewares.before', { app });
     app.use(logger_1.expressLogger);

package/dist/auth/drivers/oauth2.js

@@ -78,7 +78,7 @@ class OAuth2AuthDriver extends local_1.LocalAuthDriver {
         return user === null || user === void 0 ? void 0 : user.id;
     }
     async getUserID(payload) {
-        var _a;
+        var _a, _b;
         if (!payload.code || !payload.codeVerifier) {
             logger_1.default.trace('[OAuth2] No code or codeVerifier in payload');
             throw new exceptions_1.InvalidCredentialsException();
@@ -97,7 +97,7 @@ class OAuth2AuthDriver extends local_1.LocalAuthDriver {
         const { provider, emailKey, identifierKey, allowPublicRegistration } = this.config;
         const email = userInfo[emailKey !== null && emailKey !== void 0 ? emailKey : 'email'];
         // Fallback to email if explicit identifier not found
-        const identifier = (_a = userInfo[identifierKey]) !== null && _a !== void 0 ? _a : email;
+        const identifier = (_b = ((_a = userInfo[identifierKey]) !== null && _a !== void 0 ? _a : email)) === null || _b === void 0 ? void 0 : _b.toString();
         if (!identifier) {
             logger_1.default.warn(`[OAuth2] Failed to find user identifier for provider "${provider}"`);
             throw new exceptions_1.InvalidCredentialsException();

package/dist/auth/drivers/openid.js

@@ -85,7 +85,7 @@ class OpenIDAuthDriver extends local_1.LocalAuthDriver {
         return user === null || user === void 0 ? void 0 : user.id;
     }
     async getUserID(payload) {
-        var _a;
+        var _a, _b;
         if (!payload.code || !payload.codeVerifier) {
             logger_1.default.trace('[OpenID] No code or codeVerifier in payload');
             throw new exceptions_1.InvalidCredentialsException();
@@ -111,7 +111,7 @@ class OpenIDAuthDriver extends local_1.LocalAuthDriver {
         const { provider, identifierKey, allowPublicRegistration, requireVerifiedEmail } = this.config;
         const email = userInfo.email;
         // Fallback to email if explicit identifier not found
-        const identifier = (_a = userInfo[identifierKey !== null && identifierKey !== void 0 ? identifierKey : 'sub']) !== null && _a !== void 0 ? _a : email;
+        const identifier = (_b = (_a = userInfo[identifierKey !== null && identifierKey !== void 0 ? identifierKey : 'sub']) === null || _a === void 0 ? void 0 : _a.toString()) !== null && _b !== void 0 ? _b : email;
         if (!identifier) {
             logger_1.default.warn(`[OpenID] Failed to find user identifier for provider "${provider}"`);
             throw new exceptions_1.InvalidCredentialsException();

package/dist/env.js

@@ -70,6 +70,7 @@ const defaults = {
     RELATIONAL_BATCH_SIZE: 25000,
     EXPORT_BATCH_SIZE: 5000,
     FILE_METADATA_ALLOW_LIST: 'ifd0.Make,ifd0.Model,exif.FNumber,exif.ExposureTime,exif.FocalLength,exif.ISO',
+    GRAPHQL_INTROSPECTION: true,
 };
 // Allows us to force certain environment variable into a type, instead of relying
 // on the auto-parsed type in processValues. ref #3705
@@ -84,6 +85,7 @@ const typeMap = {
     DB_EXCLUDE_TABLES: 'array',
     IMPORT_IP_DENY_LIST: 'array',
     FILE_METADATA_ALLOW_LIST: 'array',
+    GRAPHQL_INTROSPECTION: 'boolean',
 };
 let env = {
     ...defaults,
@@ -209,6 +211,8 @@ function processValues(env) {
                 case 'json':
                     env[key] = tryJSON(value);
                     break;
+                case 'boolean':
+                    env[key] = value === 'true' || value === true || value === '1' || value === 1;
             }
             continue;
         }

package/dist/services/graphql.js

@@ -89,7 +89,16 @@ class GraphQLService {
     async execute({ document, variables, operationName, contextValue, }) {
         var _a;
         const schema = this.getSchema();
-        const validationErrors = (0, graphql_1.validate)(schema, document, graphql_1.specifiedRules);
+        const validationErrors = (0, graphql_1.validate)(schema, document, [
+            ...graphql_1.specifiedRules,
+            (context) => ({
+                Field(node) {
+                    if (env_1.default.GRAPHQL_INTROSPECTION === false && (node.name.value === '__schema' || node.name.value === '__type')) {
+                        context.reportError(new graphql_1.GraphQLError('GraphQL introspection is not allowed. The query contained __schema or __type.', [node]));
+                    }
+                },
+            }),
+        ]);
         if (validationErrors.length > 0) {
             throw new exceptions_1.GraphQLValidationException({ graphqlErrors: validationErrors });
         }
@@ -1287,8 +1296,10 @@ class GraphQLService {
      */
     formatError(error) {
         if (Array.isArray(error)) {
+            error[0].extensions.code = error[0].code;
             return new graphql_1.GraphQLError(error[0].message, undefined, undefined, undefined, undefined, error[0]);
         }
+        error.extensions.code = error.code;
         return new graphql_1.GraphQLError(error.message, undefined, undefined, undefined, undefined, error);
     }
     /**

package/dist/services/import-export.js

@@ -22,6 +22,7 @@ const get_date_formatted_1 = require("../utils/get-date-formatted");
 const utils_1 = require("@directus/shared/utils");
 const notifications_1 = require("./notifications");
 const logger_1 = __importDefault(require("../logger"));
+const strip_bom_stream_1 = __importDefault(require("strip-bom-stream"));
 class ImportService {
     constructor(options) {
         this.knex = options.knex || (0, database_1.default)();
@@ -91,6 +92,7 @@ class ImportService {
             });
             return new Promise((resolve, reject) => {
                 stream
+                    .pipe((0, strip_bom_stream_1.default)())
                     .pipe((0, csv_parser_1.default)())
                     .on('data', (value) => {
                     const obj = (0, lodash_1.transform)(value, (result, value, key) => {

package/dist/services/items.js

@@ -90,8 +90,13 @@ class ItemsService {
             // In case of manual string / UUID primary keys, the PK already exists in the object we're saving.
             let primaryKey = payloadWithTypeCasting[primaryKeyField];
             try {
-                const result = await trx.insert(payloadWithoutAliases).into(this.collection).returning(primaryKeyField);
-                primaryKey = primaryKey !== null && primaryKey !== void 0 ? primaryKey : result[0];
+                const result = await trx
+                    .insert(payloadWithoutAliases)
+                    .into(this.collection)
+                    .returning(primaryKeyField)
+                    .then((result) => result[0]);
+                const returnedKey = typeof result === 'object' ? result[primaryKeyField] : result;
+                primaryKey = primaryKey !== null && primaryKey !== void 0 ? primaryKey : returnedKey;
             }
             catch (err) {
                 throw await (0, translate_1.translateDatabaseError)(err);

package/dist/services/payload.js

@@ -318,7 +318,7 @@ class PayloadService {
             }
             const allowedCollections = relation.meta.one_allowed_collections;
             if (allowedCollections.includes(relatedCollection) === false) {
-                throw new exceptions_1.InvalidPayloadException(`"${relation.collection}.${relation.field}" can't be linked to collection "${relatedCollection}`);
+                throw new exceptions_1.InvalidPayloadException(`"${relation.collection}.${relation.field}" can't be linked to collection "${relatedCollection}"`);
             }
             const itemsService = new items_1.ItemsService(relatedCollection, {
                 accountability: this.accountability,

package/dist/utils/apply-query.d.ts

@@ -1,9 +1,10 @@
-import { Knex } from 'knex';
 import { Aggregate, Filter, Query, SchemaOverview } from '@directus/shared/types';
+import { Knex } from 'knex';
 /**
  * Apply the Query to a given Knex query builder instance
  */
 export default function applyQuery(knex: Knex, collection: string, dbQuery: Knex.QueryBuilder, query: Query, schema: SchemaOverview, subQuery?: boolean): Knex.QueryBuilder;
+export declare function applySort(knex: Knex, schema: SchemaOverview, rootQuery: Knex.QueryBuilder, rootSort: string[], collection: string, subQuery?: boolean): void;
 export declare function applyFilter(knex: Knex, schema: SchemaOverview, rootQuery: Knex.QueryBuilder, rootFilter: Filter, collection: string, subQuery?: boolean): Knex.QueryBuilder<any, any>;
 export declare function applySearch(schema: SchemaOverview, dbQuery: Knex.QueryBuilder, searchQuery: string, collection: string): Promise<void>;
 export declare function applyAggregate(dbQuery: Knex.QueryBuilder, aggregate: Aggregate, collection: string): void;

package/dist/utils/apply-query.js

@@ -3,33 +3,23 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.applyAggregate = exports.applySearch = exports.applyFilter = void 0;
+exports.applyAggregate = exports.applySearch = exports.applyFilter = exports.applySort = void 0;
+const utils_1 = require("@directus/shared/utils");
 const lodash_1 = require("lodash");
 const nanoid_1 = require("nanoid");
 const uuid_validate_1 = __importDefault(require("uuid-validate"));
+const helpers_1 = require("../database/helpers");
 const exceptions_1 = require("../exceptions");
 const get_column_1 = require("./get-column");
-const get_relation_type_1 = require("./get-relation-type");
-const helpers_1 = require("../database/helpers");
-const utils_1 = require("@directus/shared/utils");
+const get_column_path_1 = require("./get-column-path");
+const get_relation_info_1 = require("./get-relation-info");
 const generateAlias = (0, nanoid_1.customAlphabet)('abcdefghijklmnopqrstuvwxyz', 5);
 /**
  * Apply the Query to a given Knex query builder instance
  */
 function applyQuery(knex, collection, dbQuery, query, schema, subQuery = false) {
     if (query.sort) {
-        dbQuery.orderBy(query.sort.map((sortField) => {
-            let column = sortField;
-            let order = 'asc';
-            if (sortField.startsWith('-')) {
-                column = column.substring(1);
-                order = 'desc';
-            }
-            return {
-                order,
-                column: (0, get_column_1.getColumn)(knex, collection, column, false, schema),
-            };
-        }));
+        applySort(knex, schema, dbQuery, query.sort, collection, subQuery);
     }
     if (typeof query.limit === 'number' && query.limit !== -1) {
         dbQuery.limit(query.limit);
@@ -55,44 +45,109 @@ function applyQuery(knex, collection, dbQuery, query, schema, subQuery = false)
     return dbQuery;
 }
 exports.default = applyQuery;
-function getRelationInfo(relations, collection, field) {
-    var _a, _b;
-    const implicitRelation = (_a = field.match(/^\$FOLLOW\((.*?),(.*?)(?:,(.*?))?\)$/)) === null || _a === void 0 ? void 0 : _a.slice(1);
-    if (implicitRelation) {
-        if (implicitRelation[2] === undefined) {
-            const [m2oCollection, m2oField] = implicitRelation;
-            const relation = {
-                collection: m2oCollection,
-                field: m2oField,
-                related_collection: collection,
-                schema: null,
-                meta: null,
-            };
-            return { relation, relationType: 'o2m' };
+function addJoin({ path, collection, aliasMap, rootQuery, subQuery, schema, relations, knex }) {
+    path = (0, lodash_1.clone)(path);
+    followRelation(path);
+    function followRelation(pathParts, parentCollection = collection, parentAlias) {
+        /**
+         * For A2M fields, the path can contain an optional collection scope <field>:<scope>
+         */
+        const pathRoot = pathParts[0].split(':')[0];
+        const { relation, relationType } = (0, get_relation_info_1.getRelationInfo)(relations, parentCollection, pathRoot);
+        if (!relation) {
+            return;
         }
-        else {
-            const [a2oCollection, a2oItemField, a2oCollectionField] = implicitRelation;
-            const relation = {
-                collection: a2oCollection,
-                field: a2oItemField,
-                related_collection: collection,
-                schema: null,
-                meta: {
-                    one_collection_field: a2oCollectionField,
-                    one_field: field,
-                },
-            };
-            return { relation, relationType: 'o2a' };
+        const alias = generateAlias();
+        (0, lodash_1.set)(aliasMap, parentAlias ? [parentAlias, ...pathParts] : pathParts, alias);
+        if (relationType === 'm2o') {
+            rootQuery.leftJoin({ [alias]: relation.related_collection }, `${parentAlias || parentCollection}.${relation.field}`, `${alias}.${schema.collections[relation.related_collection].primary}`);
+        }
+        if (relationType === 'a2o') {
+            const pathScope = pathParts[0].split(':')[1];
+            if (!pathScope) {
+                throw new exceptions_1.InvalidQueryException(`You have to provide a collection scope when sorting or filtering on a many-to-any item`);
+            }
+            rootQuery.leftJoin({ [alias]: pathScope }, (joinClause) => {
+                joinClause
+                    .onVal(relation.meta.one_collection_field, '=', pathScope)
+                    .andOn(`${parentAlias || parentCollection}.${relation.field}`, '=', knex.raw(`CAST(?? AS CHAR(255))`, `${alias}.${schema.collections[pathScope].primary}`));
+            });
+        }
+        if (relationType === 'o2a') {
+            rootQuery.leftJoin({ [alias]: relation.collection }, (joinClause) => {
+                joinClause
+                    .onVal(relation.meta.one_collection_field, '=', parentCollection)
+                    .andOn(`${alias}.${relation.field}`, '=', knex.raw(`CAST(?? AS CHAR(255))`, `${parentAlias || parentCollection}.${schema.collections[parentCollection].primary}`));
+            });
+        }
+        // Still join o2m relations when in subquery OR when the o2m relation is not at the root level
+        if (relationType === 'o2m' && (subQuery === true || parentAlias !== undefined)) {
+            rootQuery.leftJoin({ [alias]: relation.collection }, `${parentAlias || parentCollection}.${schema.collections[relation.related_collection].primary}`, `${alias}.${relation.field}`);
+        }
+        if (relationType === 'm2o' || subQuery === true || (relationType === 'o2m' && parentAlias !== undefined)) {
+            let parent;
+            if (relationType === 'm2o') {
+                parent = relation.related_collection;
+            }
+            else if (relationType === 'a2o') {
+                const pathScope = pathParts[0].split(':')[1];
+                if (!pathScope) {
+                    throw new exceptions_1.InvalidQueryException(`You have to provide a collection scope when sorting or filtering on a many-to-any item`);
+                }
+                parent = pathScope;
+            }
+            else {
+                parent = relation.collection;
+            }
+            pathParts.shift();
+            if (pathParts.length) {
+                followRelation(pathParts, parent, alias);
+            }
         }
     }
-    const relation = (_b = relations.find((relation) => {
-        var _a;
-        return ((relation.collection === collection && relation.field === field) ||
-            (relation.related_collection === collection && ((_a = relation.meta) === null || _a === void 0 ? void 0 : _a.one_field) === field));
-    })) !== null && _b !== void 0 ? _b : null;
-    const relationType = relation ? (0, get_relation_type_1.getRelationType)({ relation, collection, field }) : null;
-    return { relation, relationType };
 }
+function applySort(knex, schema, rootQuery, rootSort, collection, subQuery = false) {
+    const relations = schema.relations;
+    const aliasMap = {};
+    rootQuery.orderBy(rootSort.map((sortField) => {
+        const column = sortField.split('.');
+        let order = 'asc';
+        if (column.length > 1) {
+            if (sortField.startsWith('-')) {
+                order = 'desc';
+            }
+            if (column[0].startsWith('-')) {
+                column[0] = column[0].substring(1);
+            }
+            addJoin({
+                path: column,
+                collection,
+                aliasMap,
+                rootQuery,
+                subQuery,
+                schema,
+                relations,
+                knex,
+            });
+            const colPath = (0, get_column_path_1.getColumnPath)({ path: column, collection, aliasMap, relations }) || '';
+            const [alias, field] = colPath.split('.');
+            return {
+                order,
+                column: (0, get_column_1.getColumn)(knex, alias, field, false, schema),
+            };
+        }
+        let col = column[0];
+        if (sortField.startsWith('-')) {
+            col = column[0].substring(1);
+            order = 'desc';
+        }
+        return {
+            order,
+            column: (0, get_column_1.getColumn)(knex, collection, col, false, schema),
+        };
+    }));
+}
+exports.applySort = applySort;
 function applyFilter(knex, schema, rootQuery, rootFilter, collection, subQuery = false) {
     const helpers = (0, helpers_1.getHelpers)(knex);
     const relations = schema.relations;
@@ -114,68 +169,16 @@ function applyFilter(knex, schema, rootQuery, rootFilter, collection, subQuery =
             }
             const filterPath = getFilterPath(key, value);
             if (filterPath.length > 1) {
-                addJoin(filterPath, collection);
-            }
-        }
-        function addJoin(path, collection) {
-            path = (0, lodash_1.clone)(path);
-            followRelation(path);
-            function followRelation(pathParts, parentCollection = collection, parentAlias) {
-                /**
-                 * For A2M fields, the path can contain an optional collection scope <field>:<scope>
-                 */
-                const pathRoot = pathParts[0].split(':')[0];
-                const { relation, relationType } = getRelationInfo(relations, parentCollection, pathRoot);
-                if (!relation) {
-                    return;
-                }
-                const alias = generateAlias();
-                (0, lodash_1.set)(aliasMap, parentAlias ? [parentAlias, ...pathParts] : pathParts, alias);
-                if (relationType === 'm2o') {
-                    dbQuery.leftJoin({ [alias]: relation.related_collection }, `${parentAlias || parentCollection}.${relation.field}`, `${alias}.${schema.collections[relation.related_collection].primary}`);
-                }
-                if (relationType === 'a2o') {
-                    const pathScope = pathParts[0].split(':')[1];
-                    if (!pathScope) {
-                        throw new exceptions_1.InvalidQueryException(`You have to provide a collection scope when filtering on a many-to-any item`);
-                    }
-                    dbQuery.leftJoin({ [alias]: pathScope }, (joinClause) => {
-                        joinClause
-                            .onVal(relation.meta.one_collection_field, '=', pathScope)
-                            .andOn(`${parentAlias || parentCollection}.${relation.field}`, '=', knex.raw(`CAST(?? AS CHAR(255))`, `${alias}.${schema.collections[pathScope].primary}`));
-                    });
-                }
-                if (relationType === 'o2a') {
-                    dbQuery.leftJoin({ [alias]: relation.collection }, (joinClause) => {
-                        joinClause
-                            .onVal(relation.meta.one_collection_field, '=', parentCollection)
-                            .andOn(`${alias}.${relation.field}`, '=', knex.raw(`CAST(?? AS CHAR(255))`, `${parentAlias || parentCollection}.${schema.collections[parentCollection].primary}`));
-                    });
-                }
-                // Still join o2m relations when in subquery OR when the o2m relation is not at the root level
-                if (relationType === 'o2m' && (subQuery === true || parentAlias !== undefined)) {
-                    dbQuery.leftJoin({ [alias]: relation.collection }, `${parentAlias || parentCollection}.${schema.collections[relation.related_collection].primary}`, `${alias}.${relation.field}`);
-                }
-                if (relationType === 'm2o' || subQuery === true || (relationType === 'o2m' && parentAlias !== undefined)) {
-                    let parent;
-                    if (relationType === 'm2o') {
-                        parent = relation.related_collection;
-                    }
-                    else if (relationType === 'a2o') {
-                        const pathScope = pathParts[0].split(':')[1];
-                        if (!pathScope) {
-                            throw new exceptions_1.InvalidQueryException(`You have to provide a collection scope when filtering on a many-to-any item`);
-                        }
-                        parent = pathScope;
-                    }
-                    else {
-                        parent = relation.collection;
-                    }
-                    pathParts.shift();
-                    if (pathParts.length) {
-                        followRelation(pathParts, parent, alias);
-                    }
-                }
+                addJoin({
+                    path: filterPath,
+                    collection,
+                    knex,
+                    schema,
+                    relations,
+                    subQuery,
+                    rootQuery,
+                    aliasMap,
+                });
             }
         }
     }
@@ -201,11 +204,11 @@ function applyFilter(knex, schema, rootQuery, rootFilter, collection, subQuery =
              * For A2M fields, the path can contain an optional collection scope <field>:<scope>
              */
             const pathRoot = filterPath[0].split(':')[0];
-            const { relation, relationType } = getRelationInfo(relations, collection, pathRoot);
+            const { relation, relationType } = (0, get_relation_info_1.getRelationInfo)(relations, collection, pathRoot);
             const { operator: filterOperator, value: filterValue } = getOperation(key, value);
             if (relationType === 'm2o' || relationType === 'a2o' || relationType === null) {
                 if (filterPath.length > 1) {
-                    const columnName = getWhereColumn(filterPath, collection);
+                    const columnName = (0, get_column_path_1.getColumnPath)({ path: filterPath, collection, relations, aliasMap });
                     if (!columnName)
                         continue;
                     applyFilterToQuery(columnName, filterOperator, filterValue, logical);
@@ -382,41 +385,6 @@ function applyFilter(knex, schema, rootQuery, rootFilter, collection, subQuery =
                 dbQuery[logical].whereRaw(helpers.st.nintersects_bbox(key, compareValue));
             }
         }
-        function getWhereColumn(path, collection) {
-            return followRelation(path);
-            function followRelation(pathParts, parentCollection = collection, parentAlias) {
-                /**
-                 * For A2M fields, the path can contain an optional collection scope <field>:<scope>
-                 */
-                const pathRoot = pathParts[0].split(':')[0];
-                const { relation, relationType } = getRelationInfo(relations, parentCollection, pathRoot);
-                if (!relation) {
-                    throw new exceptions_1.InvalidQueryException(`"${parentCollection}.${pathRoot}" is not a relational field`);
-                }
-                const alias = (0, lodash_1.get)(aliasMap, parentAlias ? [parentAlias, ...pathParts] : pathParts);
-                const remainingParts = pathParts.slice(1);
-                let parent;
-                if (relationType === 'a2o') {
-                    const pathScope = pathParts[0].split(':')[1];
-                    if (!pathScope) {
-                        throw new exceptions_1.InvalidQueryException(`You have to provide a collection scope when filtering on a many-to-any item`);
-                    }
-                    parent = pathScope;
-                }
-                else if (relationType === 'm2o') {
-                    parent = relation.related_collection;
-                }
-                else {
-                    parent = relation.collection;
-                }
-                if (remainingParts.length === 1) {
-                    return `${alias || parent}.${remainingParts[0]}`;
-                }
-                if (remainingParts.length) {
-                    return followRelation(remainingParts, parent, alias);
-                }
-            }
-        }
     }
 }
 exports.applyFilter = applyFilter;

package/dist/utils/get-column-path.d.ts

@@ -0,0 +1,16 @@
+import { Relation } from '@directus/shared/types';
+declare type AliasMap = string | {
+    [key: string]: AliasMap;
+};
+export declare type ColPathProps = {
+    path: string[];
+    collection: string;
+    aliasMap: AliasMap;
+    relations: Relation[];
+};
+/**
+ * Converts a Directus field list path to the correct SQL names based on the constructed alias map.
+ * For example: ['author', 'role', 'name'] -> 'ljnsv.name'
+ */
+export declare function getColumnPath({ path, collection, aliasMap, relations }: ColPathProps): string | void;
+export {};

package/dist/utils/get-column-path.js

@@ -0,0 +1,46 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getColumnPath = void 0;
+const get_relation_info_1 = require("./get-relation-info");
+const exceptions_1 = require("../exceptions");
+const lodash_1 = require("lodash");
+/**
+ * Converts a Directus field list path to the correct SQL names based on the constructed alias map.
+ * For example: ['author', 'role', 'name'] -> 'ljnsv.name'
+ */
+function getColumnPath({ path, collection, aliasMap, relations }) {
+    return followRelation(path);
+    function followRelation(pathParts, parentCollection = collection, parentAlias) {
+        /**
+         * For A2M fields, the path can contain an optional collection scope <field>:<scope>
+         */
+        const pathRoot = pathParts[0].split(':')[0];
+        const { relation, relationType } = (0, get_relation_info_1.getRelationInfo)(relations, parentCollection, pathRoot);
+        if (!relation) {
+            throw new exceptions_1.InvalidQueryException(`"${parentCollection}.${pathRoot}" is not a relational field`);
+        }
+        const alias = (0, lodash_1.get)(aliasMap, parentAlias ? [parentAlias, ...pathParts] : pathParts);
+        const remainingParts = pathParts.slice(1);
+        let parent;
+        if (relationType === 'a2o') {
+            const pathScope = pathParts[0].split(':')[1];
+            if (!pathScope) {
+                throw new exceptions_1.InvalidQueryException(`You have to provide a collection scope when sorting on a many-to-any item`);
+            }
+            parent = pathScope;
+        }
+        else if (relationType === 'm2o') {
+            parent = relation.related_collection;
+        }
+        else {
+            parent = relation.collection;
+        }
+        if (remainingParts.length === 1) {
+            return `${alias || parent}.${remainingParts[0]}`;
+        }
+        if (remainingParts.length) {
+            return followRelation(remainingParts, parent, alias);
+        }
+    }
+}
+exports.getColumnPath = getColumnPath;

package/dist/utils/get-relation-info.d.ts

@@ -0,0 +1,7 @@
+import { Relation } from '@directus/shared/types';
+declare type RelationInfo = {
+    relation: Relation | null;
+    relationType: string | null;
+};
+export declare function getRelationInfo(relations: Relation[], collection: string, field: string): RelationInfo;
+export {};

package/dist/utils/get-relation-info.js

@@ -0,0 +1,45 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getRelationInfo = void 0;
+const get_relation_type_1 = require("./get-relation-type");
+function getRelationInfo(relations, collection, field) {
+    var _a, _b;
+    if (field.startsWith('$FOLLOW') && field.length > 500) {
+        throw new Error(`Implicit $FOLLOW statement is too big to parse. Got: "${field.substring(500)}..."`);
+    }
+    const implicitRelation = (_a = field.match(/^\$FOLLOW\((.*?),(.*?)(?:,(.*?))?\)$/)) === null || _a === void 0 ? void 0 : _a.slice(1);
+    if (implicitRelation) {
+        if (implicitRelation[2] === undefined) {
+            const [m2oCollection, m2oField] = implicitRelation;
+            const relation = {
+                collection: m2oCollection.trim(),
+                field: m2oField.trim(),
+                related_collection: collection,
+                schema: null,
+                meta: null,
+            };
+            return { relation, relationType: 'o2m' };
+        }
+        else {
+            const [a2oCollection, a2oItemField, a2oCollectionField] = implicitRelation;
+            const relation = {
+                collection: a2oCollection.trim(),
+                field: a2oItemField.trim(),
+                related_collection: collection,
+                schema: null,
+                meta: {
+                    one_collection_field: a2oCollectionField.trim(),
+                },
+            };
+            return { relation, relationType: 'o2a' };
+        }
+    }
+    const relation = (_b = relations.find((relation) => {
+        var _a;
+        return ((relation.collection === collection && relation.field === field) ||
+            (relation.related_collection === collection && ((_a = relation.meta) === null || _a === void 0 ? void 0 : _a.one_field) === field));
+    })) !== null && _b !== void 0 ? _b : null;
+    const relationType = relation ? (0, get_relation_type_1.getRelationType)({ relation, collection, field }) : null;
+    return { relation, relationType };
+}
+exports.getRelationInfo = getRelationInfo;

package/dist/utils/get-relation-type.d.ts

@@ -1,6 +1,6 @@
 import { Relation } from '@directus/shared/types';
 export declare function getRelationType(getRelationOptions: {
-    relation: Relation;
+    relation?: Relation | null;
     collection: string | null;
     field: string;
 }): 'm2o' | 'o2m' | 'a2o' | null;

package/dist/utils/merge-permissions-for-share.js

@@ -48,7 +48,7 @@ function mergePermissionsForShare(currentPermissions, accountability, schema) {
         }
     }
     // Explicitly filter out permissions to collections unrelated to the root parent item.
-    const limitedPermissions = currentPermissions.filter(({ collection }) => allowedCollections.includes(collection));
+    const limitedPermissions = currentPermissions.filter(({ action, collection }) => allowedCollections.includes(collection) && action === 'read');
     return (0, merge_permissions_1.mergePermissions)('and', limitedPermissions, generatedPermissions);
 }
 exports.mergePermissionsForShare = mergePermissionsForShare;

package/dist/utils/reduce-schema.js

@@ -10,7 +10,7 @@ const lodash_1 = require("lodash");
  * @returns Reduced schema
  */
 function reduceSchema(schema, permissions, actions = ['create', 'read', 'update', 'delete']) {
-    var _a, _b, _c, _d, _e;
+    var _a, _b, _c;
     const reduced = {
         collections: {},
         relations: [],
@@ -34,10 +34,9 @@ function reduceSchema(schema, permissions, actions = ['create', 'read', 'update'
                 !((_c = allowedFieldsInCollection[collectionName]) === null || _c === void 0 ? void 0 : _c.includes(fieldName))) {
                 continue;
             }
-            const relatedCollection = ((_d = schema.relations.find((relation) => relation.collection === collectionName && relation.field === fieldName)) === null || _d === void 0 ? void 0 : _d.related_collection) ||
-                ((_e = schema.relations.find((relation) => { var _a; return relation.related_collection === collectionName && ((_a = relation.meta) === null || _a === void 0 ? void 0 : _a.one_field) === fieldName; })) === null || _e === void 0 ? void 0 : _e.collection);
-            if (relatedCollection &&
-                !(permissions === null || permissions === void 0 ? void 0 : permissions.some((permission) => permission.collection === relatedCollection && actions.includes(permission.action)))) {
+            const o2mRelation = schema.relations.find((relation) => { var _a; return relation.related_collection === collectionName && ((_a = relation.meta) === null || _a === void 0 ? void 0 : _a.one_field) === fieldName; });
+            if (o2mRelation &&
+                !(permissions === null || permissions === void 0 ? void 0 : permissions.some((permission) => permission.collection === o2mRelation.collection && actions.includes(permission.action)))) {
                 continue;
             }
             fields[fieldName] = field;

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "directus",
-	"version": "9.9.1",
+	"version": "9.10.0",
 	"license": "GPL-3.0-only",
 	"homepage": "https://github.com/directus/directus#readme",
 	"description": "Directus is a real-time API and App dashboard for managing SQL database content.",
@@ -78,16 +78,16 @@
 	],
 	"dependencies": {
 		"@aws-sdk/client-ses": "^3.40.0",
-		"@directus/app": "9.9.1",
-		"@directus/drive": "9.9.1",
-		"@directus/drive-azure": "9.9.1",
-		"@directus/drive-gcs": "9.9.1",
-		"@directus/drive-s3": "9.9.1",
-		"@directus/extensions-sdk": "9.9.1",
-		"@directus/format-title": "9.9.1",
-		"@directus/schema": "9.9.1",
-		"@directus/shared": "9.9.1",
-		"@directus/specs": "9.9.1",
+		"@directus/app": "9.10.0",
+		"@directus/drive": "9.10.0",
+		"@directus/drive-azure": "9.10.0",
+		"@directus/drive-gcs": "9.10.0",
+		"@directus/drive-s3": "9.10.0",
+		"@directus/extensions-sdk": "9.10.0",
+		"@directus/format-title": "9.10.0",
+		"@directus/schema": "9.10.0",
+		"@directus/shared": "9.10.0",
+		"@directus/specs": "9.10.0",
 		"@godaddy/terminus": "^4.9.0",
 		"@rollup/plugin-alias": "^3.1.9",
 		"@rollup/plugin-virtual": "^2.0.3",
@@ -124,7 +124,7 @@
 		"json2csv": "^5.0.3",
 		"jsonwebtoken": "^8.5.1",
 		"keyv": "^4.0.3",
-		"knex": "^0.95.14",
+		"knex": "^2.0.0",
 		"knex-schema-inspector": "1.7.3",
 		"ldapjs": "^2.3.1",
 		"liquidjs": "^9.25.0",
@@ -152,6 +152,7 @@
 		"sanitize-html": "^2.6.0",
 		"sharp": "^0.30.3",
 		"stream-json": "^1.7.1",
+		"strip-bom-stream": "^4.0.0",
 		"supertest": "^6.1.6",
 		"tmp-promise": "^3.0.3",
 		"update-check": "^1.5.4",
@@ -161,19 +162,16 @@
 	},
 	"optionalDependencies": {
 		"@keyv/redis": "^2.1.2",
-		"connect-memcached": "^1.0.0",
-		"connect-redis": "^6.0.0",
-		"connect-session-knex": "^2.1.0",
 		"ioredis": "^4.27.6",
 		"keyv-memcache": "^1.2.5",
 		"memcached": "^2.2.2",
 		"mysql": "^2.18.1",
 		"nodemailer-mailgun-transport": "^2.1.3",
 		"pg": "^8.6.0",
-		"sqlite3": "^5.0.2",
+		"sqlite3": "^5.0.6",
 		"tedious": "^13.0.0"
 	},
-	"gitHead": "ed780aceba707c714e0b0aa01a953d141a5c800e",
+	"gitHead": "e3a7a7d8879fb7959fb15802734d830001108fbb",
 	"devDependencies": {
 		"@types/async": "3.2.10",
 		"@types/body-parser": "1.19.2",
@@ -216,7 +214,7 @@
 		"cross-env": "7.0.3",
 		"form-data": "^4.0.0",
 		"jest": "27.5.1",
-		"knex-mock-client": "1.6.1",
+		"knex-mock-client": "1.7.0",
 		"ts-jest": "27.1.3",
 		"ts-node-dev": "1.1.8",
 		"typescript": "4.5.2"