directus 9.9.1 → 9.11.1

package/dist/utils/apply-snapshot.js

@@ -4,13 +4,13 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.isNestedMetaUpdate = exports.applySnapshot = void 0;
-const get_snapshot_1 = require("./get-snapshot");
-const get_snapshot_diff_1 = require("./get-snapshot-diff");
-const database_1 = __importDefault(require("../database"));
-const get_schema_1 = require("./get-schema");
-const services_1 = require("../services");
 const lodash_1 = require("lodash");
+const database_1 = __importDefault(require("../database"));
 const logger_1 = __importDefault(require("../logger"));
+const services_1 = require("../services");
+const get_schema_1 = require("./get-schema");
+const get_snapshot_1 = require("./get-snapshot");
+const get_snapshot_diff_1 = require("./get-snapshot-diff");
 async function applySnapshot(snapshot, options) {
     var _a, _b, _c, _d;
     const database = (_a = options === null || options === void 0 ? void 0 : options.database) !== null && _a !== void 0 ? _a : (0, database_1.default)();
@@ -19,55 +19,70 @@ async function applySnapshot(snapshot, options) {
     const snapshotDiff = (_d = options === null || options === void 0 ? void 0 : options.diff) !== null && _d !== void 0 ? _d : (0, get_snapshot_diff_1.getSnapshotDiff)(current, snapshot);
     await database.transaction(async (trx) => {
         const collectionsService = new services_1.CollectionsService({ knex: trx, schema });
-        for (const { collection, diff } of snapshotDiff.collections) {
-            if ((diff === null || diff === void 0 ? void 0 : diff[0].kind) === 'D') {
-                try {
-                    await collectionsService.deleteOne(collection);
-                }
-                catch (err) {
-                    logger_1.default.error(`Failed to delete collection "${collection}"`);
-                    throw err;
+        const getNestedCollectionsToCreate = (currentLevelCollection) => snapshotDiff.collections.filter(({ diff }) => { var _a, _b; return ((_b = (_a = diff[0].rhs) === null || _a === void 0 ? void 0 : _a.meta) === null || _b === void 0 ? void 0 : _b.group) === currentLevelCollection; });
+        const getNestedCollectionsToDelete = (currentLevelCollection) => snapshotDiff.collections.filter(({ diff }) => { var _a, _b; return ((_b = (_a = diff[0].lhs) === null || _a === void 0 ? void 0 : _a.meta) === null || _b === void 0 ? void 0 : _b.group) === currentLevelCollection; });
+        const createCollections = async (collections) => {
+            for (const { collection, diff } of collections) {
+                if ((diff === null || diff === void 0 ? void 0 : diff[0].kind) === 'N' && diff[0].rhs) {
+                    // We'll nest the to-be-created fields in the same collection creation, to prevent
+                    // creating a collection without a primary key
+                    const fields = snapshotDiff.fields
+                        .filter((fieldDiff) => fieldDiff.collection === collection)
+                        .map((fieldDiff) => fieldDiff.diff[0].rhs)
+                        .map((fieldDiff) => {
+                        // Casts field type to UUID when applying SQLite-based schema on other databases.
+                        // This is needed because SQLite snapshots UUID fields as char with length 36, and
+                        // it will fail when trying to create relation between char field to UUID field
+                        if (!fieldDiff.schema ||
+                            fieldDiff.schema.data_type !== 'char' ||
+                            fieldDiff.schema.max_length !== 36 ||
+                            !fieldDiff.schema.foreign_key_table ||
+                            !fieldDiff.schema.foreign_key_column) {
+                            return fieldDiff;
+                        }
+                        const matchingForeignKeyTable = schema.collections[fieldDiff.schema.foreign_key_table];
+                        if (!matchingForeignKeyTable)
+                            return fieldDiff;
+                        const matchingForeignKeyField = matchingForeignKeyTable.fields[fieldDiff.schema.foreign_key_column];
+                        if (!matchingForeignKeyField || matchingForeignKeyField.type !== 'uuid')
+                            return fieldDiff;
+                        return (0, lodash_1.merge)(fieldDiff, { type: 'uuid', schema: { data_type: 'uuid', max_length: null } });
+                    });
+                    try {
+                        await collectionsService.createOne({
+                            ...diff[0].rhs,
+                            fields,
+                        });
+                    }
+                    catch (err) {
+                        logger_1.default.error(`Failed to create collection "${collection}"`);
+                        throw err;
+                    }
+                    // Now that the fields are in for this collection, we can strip them from the field edits
+                    snapshotDiff.fields = snapshotDiff.fields.filter((fieldDiff) => fieldDiff.collection !== collection);
+                    await createCollections(getNestedCollectionsToCreate(collection));
                 }
             }
-            if ((diff === null || diff === void 0 ? void 0 : diff[0].kind) === 'N' && diff[0].rhs) {
-                // We'll nest the to-be-created fields in the same collection creation, to prevent
-                // creating a collection without a primary key
-                const fields = snapshotDiff.fields
-                    .filter((fieldDiff) => fieldDiff.collection === collection)
-                    .map((fieldDiff) => fieldDiff.diff[0].rhs)
-                    .map((fieldDiff) => {
-                    // Casts field type to UUID when applying SQLite-based schema on other databases.
-                    // This is needed because SQLite snapshots UUID fields as char with length 36, and
-                    // it will fail when trying to create relation between char field to UUID field
-                    if (!fieldDiff.schema ||
-                        fieldDiff.schema.data_type !== 'char' ||
-                        fieldDiff.schema.max_length !== 36 ||
-                        !fieldDiff.schema.foreign_key_table ||
-                        !fieldDiff.schema.foreign_key_column) {
-                        return fieldDiff;
+        };
+        const deleteCollections = async (collections) => {
+            for (const { collection, diff } of collections) {
+                if ((diff === null || diff === void 0 ? void 0 : diff[0].kind) === 'D') {
+                    await deleteCollections(getNestedCollectionsToDelete(collection));
+                    try {
+                        await collectionsService.deleteOne(collection);
+                    }
+                    catch (err) {
+                        logger_1.default.error(`Failed to delete collection "${collection}"`);
+                        throw err;
                     }
-                    const matchingForeignKeyTable = schema.collections[fieldDiff.schema.foreign_key_table];
-                    if (!matchingForeignKeyTable)
-                        return fieldDiff;
-                    const matchingForeignKeyField = matchingForeignKeyTable.fields[fieldDiff.schema.foreign_key_column];
-                    if (!matchingForeignKeyField || matchingForeignKeyField.type !== 'uuid')
-                        return fieldDiff;
-                    return (0, lodash_1.merge)(fieldDiff, { type: 'uuid', schema: { data_type: 'uuid', max_length: null } });
-                });
-                try {
-                    await collectionsService.createOne({
-                        ...diff[0].rhs,
-                        fields,
-                    });
-                }
-                catch (err) {
-                    logger_1.default.error(`Failed to create collection "${collection}"`);
-                    throw err;
                 }
-                // Now that the fields are in for this collection, we can strip them from the field
-                // edits
-                snapshotDiff.fields = snapshotDiff.fields.filter((fieldDiff) => fieldDiff.collection !== collection);
             }
+        };
+        // create top level collections (no group) first, then continue with nested collections recursively
+        await createCollections(snapshotDiff.collections.filter(({ diff }) => { var _a; return diff[0].kind === 'N' && ((_a = diff[0].rhs.meta) === null || _a === void 0 ? void 0 : _a.group) === null; }));
+        // delete top level collections (no group) first, then continue with nested collections recursively
+        await deleteCollections(snapshotDiff.collections.filter(({ diff }) => { var _a; return diff[0].kind === 'D' && ((_a = diff[0].lhs.meta) === null || _a === void 0 ? void 0 : _a.group) === null; }));
+        for (const { collection, diff } of snapshotDiff.collections) {
             if ((diff === null || diff === void 0 ? void 0 : diff[0].kind) === 'E' || (diff === null || diff === void 0 ? void 0 : diff[0].kind) === 'A') {
                 const newValues = snapshot.collections.find((field) => {
                     return field.collection === collection;

package/dist/utils/get-ast-from-query.js

@@ -80,12 +80,6 @@ async function getASTFromQuery(collection, query, schema, options) {
                 if (name in query.alias) {
                     name = query.alias[fieldKey];
                 }
-                // check for junction alias (it is one of the value instead of the key)
-                if (Object.values(query.alias).includes(name)) {
-                    const aliasKey = Object.keys(query.alias).find((key) => { var _a; return ((_a = query.alias) === null || _a === void 0 ? void 0 : _a[key]) === name; });
-                    if (aliasKey && fieldKey !== aliasKey)
-                        name = aliasKey;
-                }
             }
             const isRelational = name.includes('.') ||
                 // We'll always treat top level o2m fields as a related item. This is an alias field, otherwise it won't return
@@ -93,7 +87,7 @@ async function getASTFromQuery(collection, query, schema, options) {
                 !!schema.relations.find((relation) => { var _a; return relation.related_collection === parentCollection && ((_a = relation.meta) === null || _a === void 0 ? void 0 : _a.one_field) === name; });
             if (isRelational) {
                 // field is relational
-                const parts = name.split('.');
+                const parts = fieldKey.split('.');
                 let rootField = parts[0];
                 let collectionScope = null;
                 // a2o related collection scoped field selector `fields=sections.section_id:headings.title`

package/dist/utils/get-column-path.d.ts

@@ -0,0 +1,16 @@
+import { Relation } from '@directus/shared/types';
+declare type AliasMap = string | {
+    [key: string]: AliasMap;
+};
+export declare type ColPathProps = {
+    path: string[];
+    collection: string;
+    aliasMap: AliasMap;
+    relations: Relation[];
+};
+/**
+ * Converts a Directus field list path to the correct SQL names based on the constructed alias map.
+ * For example: ['author', 'role', 'name'] -> 'ljnsv.name'
+ */
+export declare function getColumnPath({ path, collection, aliasMap, relations }: ColPathProps): string | void;
+export {};

package/dist/utils/get-column-path.js

@@ -0,0 +1,46 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getColumnPath = void 0;
+const get_relation_info_1 = require("./get-relation-info");
+const exceptions_1 = require("../exceptions");
+const lodash_1 = require("lodash");
+/**
+ * Converts a Directus field list path to the correct SQL names based on the constructed alias map.
+ * For example: ['author', 'role', 'name'] -> 'ljnsv.name'
+ */
+function getColumnPath({ path, collection, aliasMap, relations }) {
+    return followRelation(path);
+    function followRelation(pathParts, parentCollection = collection, parentAlias) {
+        /**
+         * For A2M fields, the path can contain an optional collection scope <field>:<scope>
+         */
+        const pathRoot = pathParts[0].split(':')[0];
+        const { relation, relationType } = (0, get_relation_info_1.getRelationInfo)(relations, parentCollection, pathRoot);
+        if (!relation) {
+            throw new exceptions_1.InvalidQueryException(`"${parentCollection}.${pathRoot}" is not a relational field`);
+        }
+        const alias = (0, lodash_1.get)(aliasMap, parentAlias ? [parentAlias, ...pathParts] : pathParts);
+        const remainingParts = pathParts.slice(1);
+        let parent;
+        if (relationType === 'a2o') {
+            const pathScope = pathParts[0].split(':')[1];
+            if (!pathScope) {
+                throw new exceptions_1.InvalidQueryException(`You have to provide a collection scope when sorting on a many-to-any item`);
+            }
+            parent = pathScope;
+        }
+        else if (relationType === 'm2o') {
+            parent = relation.related_collection;
+        }
+        else {
+            parent = relation.collection;
+        }
+        if (remainingParts.length === 1) {
+            return `${alias || parent}.${remainingParts[0]}`;
+        }
+        if (remainingParts.length) {
+            return followRelation(remainingParts, parent, alias);
+        }
+    }
+}
+exports.getColumnPath = getColumnPath;

package/dist/utils/get-default-value.js

@@ -3,9 +3,10 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-const get_local_type_1 = __importDefault(require("./get-local-type"));
-const logger_1 = __importDefault(require("../logger"));
 const env_1 = __importDefault(require("../env"));
+const logger_1 = __importDefault(require("../logger"));
+const get_local_type_1 = __importDefault(require("./get-local-type"));
+const parse_json_1 = require("./parse-json");
 function getDefaultValue(column) {
     var _a;
     const type = (0, get_local_type_1.default)(column);
@@ -59,7 +60,7 @@ function castToObject(value) {
         return value;
     if (typeof value === 'string') {
         try {
-            return JSON.parse(value);
+            return (0, parse_json_1.parseJSON)(value);
         }
         catch (err) {
             if (env_1.default.NODE_ENV === 'development') {

package/dist/utils/get-permissions.d.ts

@@ -1,2 +1,2 @@
-import { Permission, Accountability, SchemaOverview } from '@directus/shared/types';
+import { Accountability, Permission, SchemaOverview } from '@directus/shared/types';
 export declare function getPermissions(accountability: Accountability, schema: SchemaOverview): Promise<Permission[]>;

package/dist/utils/get-permissions.js

@@ -6,15 +6,16 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.getPermissions = void 0;
 const utils_1 = require("@directus/shared/utils");
 const lodash_1 = require("lodash");
+const object_hash_1 = __importDefault(require("object-hash"));
+const cache_1 = require("../cache");
 const database_1 = __importDefault(require("../database"));
 const app_access_permissions_1 = require("../database/system-data/app-access-permissions");
+const env_1 = __importDefault(require("../env"));
+const roles_1 = require("../services/roles");
+const users_1 = require("../services/users");
 const merge_permissions_1 = require("../utils/merge-permissions");
 const merge_permissions_for_share_1 = require("./merge-permissions-for-share");
-const users_1 = require("../services/users");
-const roles_1 = require("../services/roles");
-const cache_1 = require("../cache");
-const object_hash_1 = __importDefault(require("object-hash"));
-const env_1 = __importDefault(require("../env"));
+const parse_json_1 = require("./parse-json");
 async function getPermissions(accountability, schema) {
     const database = (0, database_1.default)();
     const { systemCache, cache } = (0, cache_1.getCache)();
@@ -84,19 +85,19 @@ function parsePermissions(permissions) {
     permissions = permissions.map((permissionRaw) => {
         const permission = (0, lodash_1.cloneDeep)(permissionRaw);
         if (permission.permissions && typeof permission.permissions === 'string') {
-            permission.permissions = JSON.parse(permission.permissions);
+            permission.permissions = (0, parse_json_1.parseJSON)(permission.permissions);
         }
         else if (permission.permissions === null) {
             permission.permissions = {};
         }
         if (permission.validation && typeof permission.validation === 'string') {
-            permission.validation = JSON.parse(permission.validation);
+            permission.validation = (0, parse_json_1.parseJSON)(permission.validation);
         }
         else if (permission.validation === null) {
             permission.validation = {};
         }
         if (permission.presets && typeof permission.presets === 'string') {
-            permission.presets = JSON.parse(permission.presets);
+            permission.presets = (0, parse_json_1.parseJSON)(permission.presets);
         }
         else if (permission.presets === null) {
             permission.presets = {};

package/dist/utils/get-relation-info.d.ts

@@ -0,0 +1,7 @@
+import { Relation } from '@directus/shared/types';
+declare type RelationInfo = {
+    relation: Relation | null;
+    relationType: string | null;
+};
+export declare function getRelationInfo(relations: Relation[], collection: string, field: string): RelationInfo;
+export {};

package/dist/utils/get-relation-info.js

@@ -0,0 +1,45 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getRelationInfo = void 0;
+const get_relation_type_1 = require("./get-relation-type");
+function getRelationInfo(relations, collection, field) {
+    var _a, _b;
+    if (field.startsWith('$FOLLOW') && field.length > 500) {
+        throw new Error(`Implicit $FOLLOW statement is too big to parse. Got: "${field.substring(500)}..."`);
+    }
+    const implicitRelation = (_a = field.match(/^\$FOLLOW\((.*?),(.*?)(?:,(.*?))?\)$/)) === null || _a === void 0 ? void 0 : _a.slice(1);
+    if (implicitRelation) {
+        if (implicitRelation[2] === undefined) {
+            const [m2oCollection, m2oField] = implicitRelation;
+            const relation = {
+                collection: m2oCollection.trim(),
+                field: m2oField.trim(),
+                related_collection: collection,
+                schema: null,
+                meta: null,
+            };
+            return { relation, relationType: 'o2m' };
+        }
+        else {
+            const [a2oCollection, a2oItemField, a2oCollectionField] = implicitRelation;
+            const relation = {
+                collection: a2oCollection.trim(),
+                field: a2oItemField.trim(),
+                related_collection: collection,
+                schema: null,
+                meta: {
+                    one_collection_field: a2oCollectionField.trim(),
+                },
+            };
+            return { relation, relationType: 'o2a' };
+        }
+    }
+    const relation = (_b = relations.find((relation) => {
+        var _a;
+        return ((relation.collection === collection && relation.field === field) ||
+            (relation.related_collection === collection && ((_a = relation.meta) === null || _a === void 0 ? void 0 : _a.one_field) === field));
+    })) !== null && _b !== void 0 ? _b : null;
+    const relationType = relation ? (0, get_relation_type_1.getRelationType)({ relation, collection, field }) : null;
+    return { relation, relationType };
+}
+exports.getRelationInfo = getRelationInfo;

package/dist/utils/get-relation-type.d.ts

@@ -1,6 +1,6 @@
 import { Relation } from '@directus/shared/types';
 export declare function getRelationType(getRelationOptions: {
-    relation: Relation;
+    relation?: Relation | null;
     collection: string | null;
     field: string;
 }): 'm2o' | 'o2m' | 'a2o' | null;

package/dist/utils/get-schema.js

@@ -17,6 +17,7 @@ const logger_1 = __importDefault(require("../logger"));
 const services_1 = require("../services");
 const get_default_value_1 = __importDefault(require("./get-default-value"));
 const get_local_type_1 = __importDefault(require("./get-local-type"));
+const parse_json_1 = require("./parse-json");
 async function getSchema(options) {
     const database = (options === null || options === void 0 ? void 0 : options.database) || (0, database_1.default)();
     const schemaInspector = (0, schema_1.default)(database);
@@ -119,7 +120,7 @@ async function getDatabaseSchema(database, schemaInspector) {
         const type = (existing && (0, get_local_type_1.default)(column, { special })) || 'alias';
         let validation = (_a = field.validation) !== null && _a !== void 0 ? _a : null;
         if (validation && typeof validation === 'string')
-            validation = JSON.parse(validation);
+            validation = (0, parse_json_1.parseJSON)(validation);
         result.collections[field.collection].fields[field.field] = {
             field: field.field,
             defaultValue: (_b = existing === null || existing === void 0 ? void 0 : existing.defaultValue) !== null && _b !== void 0 ? _b : null,

package/dist/utils/get-snapshot.js

@@ -16,17 +16,23 @@ async function getSnapshot(options) {
     const collectionsService = new services_1.CollectionsService({ knex: database, schema });
     const fieldsService = new services_1.FieldsService({ knex: database, schema });
     const relationsService = new services_1.RelationsService({ knex: database, schema });
-    const [collections, fields, relations] = await Promise.all([
+    const [collectionsRaw, fieldsRaw, relationsRaw] = await Promise.all([
         collectionsService.readByQuery(),
         fieldsService.readAll(),
         relationsService.readAll(),
     ]);
+    const collectionsFiltered = collectionsRaw.filter((item) => excludeSystem(item));
+    const fieldsFiltered = fieldsRaw.filter((item) => excludeSystem(item)).map(omitID);
+    const relationsFiltered = relationsRaw.filter((item) => excludeSystem(item)).map(omitID);
+    const collectionsSorted = (0, lodash_1.sortBy)((0, lodash_1.mapValues)(collectionsFiltered, sortDeep), ['collection']);
+    const fieldsSorted = (0, lodash_1.sortBy)((0, lodash_1.mapValues)(fieldsFiltered, sortDeep), ['collection', 'field']);
+    const relationsSorted = (0, lodash_1.sortBy)((0, lodash_1.mapValues)(relationsFiltered, sortDeep), ['collection', 'field']);
     return {
         version: 1,
         directus: package_json_1.version,
-        collections: collections.filter((item) => excludeSystem(item)),
-        fields: fields.filter((item) => excludeSystem(item)).map(omitID),
-        relations: relations.filter((item) => excludeSystem(item)).map(omitID),
+        collections: collectionsSorted,
+        fields: fieldsSorted,
+        relations: relationsSorted,
     };
 }
 exports.getSnapshot = getSnapshot;
@@ -39,3 +45,15 @@ function excludeSystem(item) {
 function omitID(item) {
     return (0, lodash_1.omit)(item, 'meta.id');
 }
+function sortDeep(raw) {
+    if ((0, lodash_1.isPlainObject)(raw)) {
+        const mapped = (0, lodash_1.mapValues)(raw, sortDeep);
+        const pairs = (0, lodash_1.toPairs)(mapped);
+        const sorted = (0, lodash_1.sortBy)(pairs);
+        return (0, lodash_1.fromPairs)(sorted);
+    }
+    if ((0, lodash_1.isArray)(raw)) {
+        return (0, lodash_1.sortBy)(raw);
+    }
+    return raw;
+}

package/dist/utils/merge-permissions-for-share.js

@@ -48,7 +48,7 @@ function mergePermissionsForShare(currentPermissions, accountability, schema) {
         }
     }
     // Explicitly filter out permissions to collections unrelated to the root parent item.
-    const limitedPermissions = currentPermissions.filter(({ collection }) => allowedCollections.includes(collection));
+    const limitedPermissions = currentPermissions.filter(({ action, collection }) => allowedCollections.includes(collection) && action === 'read');
     return (0, merge_permissions_1.mergePermissions)('and', limitedPermissions, generatedPermissions);
 }
 exports.mergePermissionsForShare = mergePermissionsForShare;

package/dist/utils/parse-json.d.ts

@@ -0,0 +1,5 @@
+/**
+ * Run JSON.parse, but ignore `__proto__` properties. This prevents prototype pollution attacks
+ */
+export declare function parseJSON(input: string): any;
+export declare function noproto<T>(key: string, value: T): T | void;

package/dist/utils/parse-json.js

@@ -0,0 +1,19 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noproto = exports.parseJSON = void 0;
+/**
+ * Run JSON.parse, but ignore `__proto__` properties. This prevents prototype pollution attacks
+ */
+function parseJSON(input) {
+    if (String(input).includes('__proto__')) {
+        return JSON.parse(input, noproto);
+    }
+    return JSON.parse(input);
+}
+exports.parseJSON = parseJSON;
+function noproto(key, value) {
+    if (key !== '__proto__') {
+        return value;
+    }
+}
+exports.noproto = noproto;

package/dist/utils/reduce-schema.js

@@ -10,7 +10,7 @@ const lodash_1 = require("lodash");
  * @returns Reduced schema
  */
 function reduceSchema(schema, permissions, actions = ['create', 'read', 'update', 'delete']) {
-    var _a, _b, _c, _d, _e;
+    var _a, _b, _c;
     const reduced = {
         collections: {},
         relations: [],
@@ -34,10 +34,9 @@ function reduceSchema(schema, permissions, actions = ['create', 'read', 'update'
                 !((_c = allowedFieldsInCollection[collectionName]) === null || _c === void 0 ? void 0 : _c.includes(fieldName))) {
                 continue;
             }
-            const relatedCollection = ((_d = schema.relations.find((relation) => relation.collection === collectionName && relation.field === fieldName)) === null || _d === void 0 ? void 0 : _d.related_collection) ||
-                ((_e = schema.relations.find((relation) => { var _a; return relation.related_collection === collectionName && ((_a = relation.meta) === null || _a === void 0 ? void 0 : _a.one_field) === fieldName; })) === null || _e === void 0 ? void 0 : _e.collection);
-            if (relatedCollection &&
-                !(permissions === null || permissions === void 0 ? void 0 : permissions.some((permission) => permission.collection === relatedCollection && actions.includes(permission.action)))) {
+            const o2mRelation = schema.relations.find((relation) => { var _a; return relation.related_collection === collectionName && ((_a = relation.meta) === null || _a === void 0 ? void 0 : _a.one_field) === fieldName; });
+            if (o2mRelation &&
+                !(permissions === null || permissions === void 0 ? void 0 : permissions.some((permission) => permission.collection === o2mRelation.collection && actions.includes(permission.action)))) {
                 continue;
             }
             fields[fieldName] = field;

package/dist/utils/sanitize-query.d.ts

@@ -1,3 +1,2 @@
-import { Query } from '@directus/shared/types';
-import { Accountability } from '@directus/shared/types';
+import { Accountability, Query } from '@directus/shared/types';
 export declare function sanitizeQuery(rawQuery: Record<string, any>, accountability?: Accountability | null): Query;

package/dist/utils/sanitize-query.js

@@ -4,10 +4,11 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.sanitizeQuery = void 0;
+const utils_1 = require("@directus/shared/utils");
 const lodash_1 = require("lodash");
 const logger_1 = __importDefault(require("../logger"));
 const types_1 = require("../types");
-const utils_1 = require("@directus/shared/utils");
+const parse_json_1 = require("./parse-json");
 function sanitizeQuery(rawQuery, accountability) {
     const query = {};
     if (rawQuery.limit !== undefined) {
@@ -82,7 +83,7 @@ function sanitizeAggregate(rawAggregate) {
     let aggregate = rawAggregate;
     if (typeof rawAggregate === 'string') {
         try {
-            aggregate = JSON.parse(rawAggregate);
+            aggregate = (0, parse_json_1.parseJSON)(rawAggregate);
         }
         catch {
             logger_1.default.warn('Invalid value passed for filter query parameter.');
@@ -100,7 +101,7 @@ function sanitizeFilter(rawFilter, accountability) {
     let filters = rawFilter;
     if (typeof rawFilter === 'string') {
         try {
-            filters = JSON.parse(rawFilter);
+            filters = (0, parse_json_1.parseJSON)(rawFilter);
         }
         catch {
             logger_1.default.warn('Invalid value passed for filter query parameter.');
@@ -135,7 +136,7 @@ function sanitizeDeep(deep, accountability) {
     const result = {};
     if (typeof deep === 'string') {
         try {
-            deep = JSON.parse(deep);
+            deep = (0, parse_json_1.parseJSON)(deep);
         }
         catch {
             logger_1.default.warn('Invalid value passed for deep query parameter.');
@@ -169,7 +170,7 @@ function sanitizeAlias(rawAlias) {
     let alias = rawAlias;
     if (typeof rawAlias === 'string') {
         try {
-            alias = JSON.parse(rawAlias);
+            alias = (0, parse_json_1.parseJSON)(rawAlias);
         }
         catch (err) {
             logger_1.default.warn('Invalid value passed for alias query parameter.');

package/dist/utils/validate-keys.d.ts

@@ -0,0 +1,6 @@
+import { SchemaOverview } from '@directus/shared/types';
+import { PrimaryKey } from '../types';
+/**
+ * Validate keys based on its type
+ */
+export declare function validateKeys(schema: SchemaOverview, collection: string, keyField: string, keys: PrimaryKey | PrimaryKey[]): void;

package/dist/utils/validate-keys.js

@@ -0,0 +1,28 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.validateKeys = void 0;
+const exceptions_1 = require("../exceptions");
+const uuid_validate_1 = __importDefault(require("uuid-validate"));
+/**
+ * Validate keys based on its type
+ */
+function validateKeys(schema, collection, keyField, keys) {
+    if (Array.isArray(keys)) {
+        for (const key of keys) {
+            validateKeys(schema, collection, keyField, key);
+        }
+    }
+    else {
+        const primaryKeyFieldType = schema.collections[collection].fields[keyField].type;
+        if (primaryKeyFieldType === 'uuid' && !(0, uuid_validate_1.default)(String(keys))) {
+            throw new exceptions_1.ForbiddenException();
+        }
+        else if (primaryKeyFieldType === 'integer' && !Number.isInteger(Number(keys))) {
+            throw new exceptions_1.ForbiddenException();
+        }
+    }
+}
+exports.validateKeys = validateKeys;

package/dist/utils/validate-query.js

@@ -104,7 +104,7 @@ function validateFilterPrimitive(value, key) {
         false) {
         throw new exceptions_1.InvalidQueryException(`The filter value for "${key}" has to be a string, number, or boolean`);
     }
-    if (typeof value === 'number' && (Number.isNaN(value) || !Number.isSafeInteger(value))) {
+    if (typeof value === 'number' && Number.isNaN(value) && value <= Number.MAX_SAFE_INTEGER) {
         throw new exceptions_1.InvalidQueryException(`The filter value for "${key}" is not a valid number`);
     }
     if (typeof value === 'string' && value.length === 0) {