Implement permission policies in the API

api/package.json

@@ -61,7 +61,8 @@
 		"build": "tsc --project tsconfig.prod.json && copyfiles \"src/**/*.{yaml,liquid}\" -u 1 dist",
 		"cli": "NODE_ENV=development SERVE_APP=false tsx src/cli/run.ts",
 		"dev": "NODE_ENV=development SERVE_APP=true tsx watch --ignore extensions --clear-screen=false src/start.ts",
-		"test": "vitest --watch=false"
+		"test": "vitest run",
+		"test:watch": "vitest"
 	},
 	"dependencies": {
 		"@authenio/samlify-node-xmllint": "2.0.0",

api/src/app.ts

@@ -57,7 +57,6 @@ import { checkIP } from './middleware/check-ip.js';
 import cors from './middleware/cors.js';
 import errorHandler from './middleware/error-handler.js';
 import extractToken from './middleware/extract-token.js';
-import getPermissions from './middleware/get-permissions.js';
 import rateLimiterGlobal from './middleware/rate-limiter-global.js';
 import rateLimiter from './middleware/rate-limiter-ip.js';
 import sanitizeQuery from './middleware/sanitize-query.js';
@@ -267,8 +266,6 @@ export default async function createApp(): Promise<express.Application> {
 
 	app.use(schema);
 
-	app.use(getPermissions);
-
 	await emitter.emitInit('middlewares.after', { app });
 
 	await emitter.emitInit('routes.before', { app });

api/src/auth/drivers/ldap.ts

@@ -420,6 +420,10 @@ export function createLDAPAuthRouter(provider: string): Router {
 			const accountability: Accountability = {
 				ip: getIPFromReq(req),
 				role: null,
+				user: null,
+				roles: [],
+				admin: false,
+				app: false,
 			};
 
 			const userAgent = req.get('user-agent')?.substring(0, 1024);

api/src/auth/drivers/local.ts

@@ -65,6 +65,10 @@ export function createLocalAuthRouter(provider: string): Router {
 			const accountability: Accountability = {
 				ip: getIPFromReq(req),
 				role: null,
+				user: null,
+				roles: [],
+				admin: false,
+				app: false,
 			};
 
 			const userAgent = req.get('user-agent')?.substring(0, 1024);

api/src/auth/drivers/oauth2.ts

@@ -356,6 +356,10 @@ export function createOAuth2AuthRouter(providerName: string): Router {
 			const accountability: Accountability = {
 				ip: getIPFromReq(req),
 				role: null,
+				user: null,
+				roles: [],
+				admin: false,
+				app: false,
 			};
 
 			const userAgent = req.get('user-agent')?.substring(0, 1024);

api/src/auth/drivers/openid.ts

@@ -386,6 +386,10 @@ export function createOpenIDAuthRouter(providerName: string): Router {
 			const accountability: Accountability = {
 				ip: getIPFromReq(req),
 				role: null,
+				roles: [],
+				user: null,
+				admin: false,
+				app: false,
 			};
 
 			const userAgent = req.get('user-agent')?.substring(0, 1024);

api/src/controllers/auth.ts

@@ -105,6 +105,10 @@ router.post(
 		const accountability: Accountability = {
 			ip: getIPFromReq(req),
 			role: null,
+			roles: [],
+			user: null,
+			admin: false,
+			app: false,
 		};
 
 		const userAgent = req.get('user-agent')?.substring(0, 1024);
@@ -159,6 +163,10 @@ router.post(
 		const accountability: Accountability = {
 			ip: getIPFromReq(req),
 			role: null,
+			roles: [],
+			user: null,
+			admin: false,
+			app: false,
 		};
 
 		const userAgent = req.get('user-agent')?.substring(0, 1024);
@@ -206,6 +214,10 @@ router.post(
 		const accountability: Accountability = {
 			ip: getIPFromReq(req),
 			role: null,
+			roles: [],
+			admin: false,
+			app: false,
+			user: null,
 		};
 
 		const userAgent = req.get('user-agent')?.substring(0, 1024);
@@ -245,6 +257,10 @@ router.post(
 		const accountability: Accountability = {
 			ip: getIPFromReq(req),
 			role: null,
+			user: null,
+			roles: [],
+			admin: false,
+			app: false,
 		};
 
 		const userAgent = req.get('user-agent')?.substring(0, 1024);

api/src/controllers/users.ts

@@ -5,15 +5,14 @@ import {
 	InvalidPayloadError,
 	isDirectusError,
 } from '@directus/errors';
-import type { PrimaryKey, Role } from '@directus/types';
+import type { PrimaryKey } from '@directus/types';
 import express from 'express';
 import Joi from 'joi';
 import { respond } from '../middleware/respond.js';
 import useCollection from '../middleware/use-collection.js';
 import { validateBatch } from '../middleware/validate-batch.js';
 import { AuthenticationService } from '../services/authentication.js';
 import { MetaService } from '../services/meta.js';
-import { RolesService } from '../services/roles.js';
 import { TFAService } from '../services/tfa.js';
 import { UsersService } from '../services/users.js';
 import asyncHandler from '../utils/async-handler.js';
@@ -375,38 +374,6 @@ router.post(
 			throw new InvalidPayloadError({ reason: `"otp" is required` });
 		}
 
-		// Override permissions only when enforce TFA is enabled in role
-		if (req.accountability.role) {
-			const rolesService = new RolesService({
-				schema: req.schema,
-			});
-
-			const role = (await rolesService.readOne(req.accountability.role)) as Role;
-
-			if (role && role.enforce_tfa) {
-				const existingPermission = await req.accountability.permissions?.find(
-					(p) => p.collection === 'directus_users' && p.action === 'update',
-				);
-
-				if (existingPermission) {
-					existingPermission.fields = ['tfa_secret'];
-					existingPermission.permissions = { id: { _eq: req.accountability.user } };
-					existingPermission.presets = null;
-					existingPermission.validation = null;
-				} else {
-					(req.accountability.permissions || (req.accountability.permissions = [])).push({
-						action: 'update',
-						collection: 'directus_users',
-						fields: ['tfa_secret'],
-						permissions: { id: { _eq: req.accountability.user } },
-						presets: null,
-						role: req.accountability.role,
-						validation: null,
-					});
-				}
-			}
-		}
-
 		const service = new TFAService({
 			accountability: req.accountability,
 			schema: req.schema,
@@ -430,38 +397,6 @@ router.post(
 			throw new InvalidPayloadError({ reason: `"otp" is required` });
 		}
 
-		// Override permissions only when enforce TFA is enabled in role
-		if (req.accountability.role) {
-			const rolesService = new RolesService({
-				schema: req.schema,
-			});
-
-			const role = (await rolesService.readOne(req.accountability.role)) as Role;
-
-			if (role && role.enforce_tfa) {
-				const existingPermission = await req.accountability.permissions?.find(
-					(p) => p.collection === 'directus_users' && p.action === 'update',
-				);
-
-				if (existingPermission) {
-					existingPermission.fields = ['tfa_secret'];
-					existingPermission.permissions = { id: { _eq: req.accountability.user } };
-					existingPermission.presets = null;
-					existingPermission.validation = null;
-				} else {
-					(req.accountability.permissions || (req.accountability.permissions = [])).push({
-						action: 'update',
-						collection: 'directus_users',
-						fields: ['tfa_secret'],
-						permissions: { id: { _eq: req.accountability.user } },
-						presets: null,
-						role: req.accountability.role,
-						validation: null,
-					});
-				}
-			}
-		}
-
 		const service = new TFAService({
 			accountability: req.accountability,
 			schema: req.schema,

api/src/database/get-ast-from-query/get-ast-from-query.ts

@@ -0,0 +1,98 @@
+/**
+ * Generate an AST based on a given collection and query
+ */
+
+import type { Accountability, Query, SchemaOverview } from '@directus/types';
+import { cloneDeep, uniq } from 'lodash-es';
+import { AccessService } from '../../services/access.js';
+import { PermissionsService } from '../../services/index.js';
+import type { AST } from '../../types/index.js';
+import { parseFields } from './lib/parse-fields.js';
+
+export async function getAstFromQuery(
+	accessService: AccessService,
+	permissionsService: PermissionsService,
+	collection: string,
+	query: Query,
+	schema: SchemaOverview,
+	accountability: Accountability | null,
+): Promise<AST> {
+	query = cloneDeep(query);
+
+	const ast: AST = {
+		type: 'root',
+		name: collection,
+		query: query,
+		children: [],
+		cases: [],
+	};
+
+	let fields = ['*'];
+
+	if (query.fields) {
+		fields = query.fields;
+	}
+
+	/**
+	 * When using aggregate functions, you can't have any other regular fields
+	 * selected. This makes sure you never end up in a non-aggregate fields selection error
+	 */
+	if (Object.keys(query.aggregate || {}).length > 0) {
+		fields = [];
+	}
+
+	/**
+	 * Similarly, when grouping on a specific field, you can't have other non-aggregated fields.
+	 * The group query will override the fields query
+	 */
+	if (query.group) {
+		fields = query.group;
+	}
+
+	fields = uniq(fields);
+
+	const deep = query.deep || {};
+
+	// Prevent fields/deep from showing up in the query object in further use
+	delete query.fields;
+	delete query.deep;
+
+	if (!query.sort) {
+		// We'll default to the primary key for the standard sort output
+		let sortField = schema.collections[collection]!.primary;
+
+		// If a custom manual sort field is configured, use that
+		if (schema.collections[collection]?.sortField) {
+			sortField = schema.collections[collection]!.sortField as string;
+		}
+
+		// When group by is used, default to the first column provided in the group by clause
+		if (query.group?.[0]) {
+			sortField = query.group[0];
+		}
+
+		query.sort = [sortField];
+	}
+
+	// When no group by is supplied, but an aggregate function is used, only a single row will be
+	// returned. In those cases, we'll ignore the sort field altogether
+	if (query.aggregate && Object.keys(query.aggregate).length && !query.group?.[0]) {
+		delete query.sort;
+	}
+
+	ast.children = await parseFields(
+		{
+			parentCollection: collection,
+			fields,
+			query,
+			deep,
+		},
+		{ schema, accountability },
+		{
+			accessService,
+			permissionsService,
+		},
+	);
+
+	return ast;
+}