* move files from directus/visual-editing repo
- exclude tooling such as prettier, eslint, …
- flatten test-website
* docs(visual-editing): update test website readme for monorepo setup
Reflects that the test website now lives inside the Directus monorepo
at packages/visual-editing/test-website, drops the separate-repo clone
step, fixes a few typos, and collapses the multiple example URLs down
to a single versioned entry.
Note: the template URL in the directus-template-cli command still
points at github.com/directus/visual-editing; it will be updated to
the new or updated directus/visual-editing-template repository.
* fix(visual-editing): prevent edit handler firing twice on overlay button clicks
The overlay rect forwarded every click to the edit button, so clicks
that already bubbled up from the edit or AI button triggered the edit
handler a second time. Skip forwarding when the click target is
contained within either button.
* chore(visual-editing): convert package to monorepo workspace conventions
- Point the package repository URL and readme link at the monorepo
and bump the license copyright year.
- Switch runtime/dev dependencies to the workspace catalog, drop the
package-local pnpm-lock.yaml, engines, and packageManager fields,
and add @reach/observe-rect to the root catalog.
- Add explicit return types on the public entry functions to satisfy
the stricter shared tsconfig.
- Swap vitest from jsdom to happy-dom to match the rest of the repo.
- Review note: Rebuild \`pnpm build\`
* refactor: share visual-editing types between package and studio app
The Studio app used to keep a duplicated copy of EditConfig, SavedData,
and related postMessage types, with a comment instructing maintainers
to keep them in sync with the visual-editing package. Now that both
live in the same repo, expose them from a dedicated @directus/visual-
editing/types subpath and consume them from the app instead.
- Add src/types.ts as the public types entry and update tsdown to emit
it as a second dual-format build, alongside the main entry.
- Reuse PrimaryKey from @directus/types in the shared type file
instead of duplicating it locally.
- Declare @directus/visual-editing as a workspace dependency of the
app and import the shared types from @directus/visual-editing/types
in the Studio editing layer.
- Review note: Rebuild \`pnpm build\`
* chore(visual-editing): clean up test-website workspace setup
- Relink @directus/visual-editing from link:../../.. to link:.. to
match the new in-repo location and drop the package-local engines
and packageManager fields.
- Ignore the generated pnpm-lock.yaml and tell Nuxt to ignore .DS_Store
so macOS dev runs stay quiet.
- Add an empty pnpm-workspace.yaml with an unimport 6.0.2 override to
work around the nitropack/@nuxt/nitro-server duplicate-import
warning so the test-website install stays clean.
- Fix an indentation glitch on @tailwindcss/typography in package.json.
* chore(visual-editing): update stylelint and eslint to ignore test-website files
* set isolatedDeclarations to false in compilerOptions
* lint
* update ignore patterns for test-website files
* rename license
* remove LICENSE
* add license to stylelintignore
* share sameOrigin via @directus/utils/browser
* fix hydration error
* update test-website readme
* add @directus/utils to changeset
---------
Co-authored-by: Rob Luton <rob.luton@gmail.com>
* fix: defer translation form render until related items are loaded
* build: add changeset
* feat: describe bug instead of simple v-if test
* fix: unmount translation v-form on field/lang change to avoid WYSIWYG crashing
* fix: use flushPromise instead of nextTick
* fix: guard block editor destroy against pre-init unmount
---------
Co-authored-by: Rob Luton <rob.luton@gmail.com>
* move over load tests
* initial commit
* separate code from loadtests into separate sandbox package
* make command run parallel many times
* start with blackbox v2
* remove old loadtests
* add scale option and work on tests
* restructure and github workflow
* update workflow
* fmt
* update tests
* fix tests
* make vitest run everything
* fix lock
* fix test
* tests
* add tmpfs
* no tmpfs oracle
* optimize installing and building for tests
* update packages
* update building
* fix build
* update build
* fix pnpm lock
* fix deps
* fix building api
* fmt
* fix types build
* fix oas
* fix oas build
* no app
* undo package changes
* undo faster building tests
* cleanup
* fix
* fix lock
* update packages
* lot of improvements
* add first proper tests
* no tmpfs for mssql
* test
* speedup oracle and improve sandbox
* add more primitive tests
* small tweak
* make collection names unique and add auto exporting of schema to sandbox
* fix type gen
* temp commit
* prevent snapshot apply collisions
* fix oracle schema apply
* add healthchecks and cleanup deps
* fix setup
* fix lock
* fmt
* add retries to schema apply
* unused import...
* ups
* update healthcheck times
* fix imports and work on relational tests
* add all relational tests
* finish relational tests and start with basic auth tests
* somewhat fix sandbox for windows
* cleanup and make workflows run
* test password resetting
* add schema option to sandbox and add basic filter tests
* restructure sandbox, link globally and add basic fields tests
* fmt
* make sure to sort
* exclude oracle test cause oracle
* add files test and cleanup expects
* start testing assets
* add tests for assets and websocket subscriptions
* run fmt
* fix mssql tests
* update options of snadbox
* fix building sandbox
* log auth creds when starting api
* log creds for db
* color creds
* start with perm tests and fix dev watch
* finish perm tests, add inspect option and fix dev and watch
* add port detection and killing
* fix port allocation
* add gql tests
* finish up horrizontal testing
* start testing collections
* test collection crud
* update coll tests
* add readmes to sandbox and e2e tests
* update readme
* update readme
* add test for log redacting
* work on auth tests
* add files tests
* fix killing processes, rerunning test:all and add health/ping tests
* add silent option to sandbox, fix files tests, improve health tests
* format
* run github action tests in parallel
* improve testing across dbs
* fix assets and gql tests
* fix healthchecks and clean up logs
* increase horriz timeout
* fix types
* add permission/me tests and improve sandbox
* restructure tests
* add flow/webhook tests
* add saml tests
* add flow sync test
* add cache tests and update sandbox
* add old files tests
* port schema cache tests
* start migrating cache-purge
* fix cache purge tests
* make database and port into constants
* simplify useSnapshot and add getUID function
* add schema tests
* fix schema tests
* migrate all websocket tests
* finish migrationg field change tests
* fix tests and don't kill ports
* cleanup
* test
* format
* use non colliding ports on sandbox
* fix sandbox cli
* fix
* add version option to sandbox
* find api folder automatically
* fix docker imports
* remove killPorts
* add project owner env
* try adding flamegraph
* Revert "try adding flamegraph"
This reverts commit 2f3010f84a.
* fix ts
* add app option to sandbox
* fix app
* fix docker pulling on arm64
* update
* fmt imports and cleanup
* fix sandbox building
* more test improvements
* more updates
* docs
* fix gql test
* fix, thanks AI
* update readme
* make bb tests run consistently
* more fixes
* test docker availability and cleanup
* fix flows reloading being awaited
* fix assets endpoint
* add new sandbox test system
* cleanup SchemaApplyOrder
* improve readme and cleanup all tests
* update sandbox desc and cli
* hardcode platform
* update runners
* fmt
* add changeset
* cleanup
* fix test
* update runner
* update health tests
* fix health checks
* update asset test
* fmt
* fix tests on maria
* add console.logs
* run tests parallel
* fix health tests
* increase test timeout
* run tests seq again
* clean up and remove some sb tests
* update e2e runner
* update sb tests
* don't edit system fields in snapshots
* fix test
* remove schema snapshot tests
* cleanup
* dont postinstall link
* cleanup deps
* update timeouts
* undo cherry picked changes
* update package.json
* Adjust changeset
* Fix cli bin not found
* fix
* add back duplicate dep
* move up dep on more placement :)
* improve flakyness
* fix2
* remove unused imports
---------
Co-authored-by: judda <44623501+ComfortablyCoding@users.noreply.github.com>
* Improve user token flows with immediate save and safer actions
* Cleanup redudant code, make route logic generic
* Remove now invalid translation key
* Add in en-GB translation strings
---------
Co-authored-by: Alex Gaillard <alex@directus.io>
* fix(api): respect collection accountability on content version save
The VersionsService.save() method was always writing activity and revision
records for content version saves, ignoring the accountability configuration
of the underlying collection. As a result, collections configured to "Do Not
Track Anything" still produced activity and revision rows whenever a version
was saved.
Check the underlying collection's accountability setting before writing:
- accountability === null -> skip both activity and revision
- accountability === 'activity' -> create activity, skip revision
- accountability === 'all' -> create both (existing behaviour)
This matches the gate already used by ItemsService.createOne/updateMany
for regular item mutations.
Fixes#25894
* Address review feedback on version accountability tracking
- Inline activity/revisions service instantiation to match flows.ts pattern
- Reword changeset summary for clarity
- Share test schema across tracking cases via per-collection fixtures
- Use mockItemsService test-utils for consistent items-service mocking
- Sign CLA
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* default accountability to null
* rename to trackingAccountability to reduce confusion
* improve tests
* Apply suggestion from @ComfortablyCoding
* Apply suggestion from @AlexGaillard
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: daedalus <44623501+ComfortablyCoding@users.noreply.github.com>
Co-authored-by: Alex Gaillard <alex@directus.io>
* fix(sdk): reflect policies permission system in policy/user types
directus_policies.users, directus_policies.roles and directus_users.policies
are M2M relations through directus_access, but the SDK types had them typed
as direct arrays of DirectusUser / DirectusRole / DirectusPolicy. That meant
payloads built from these types didn't match the API at runtime (e.g.
creating a policy with users required each entry to be a { user: id } access
item, not a user id).
Retype them as DirectusAccess[] to match the schema.
Closes#25757
* Fix SDK types for user access relations
Updated SDK types to correctly link to the directus_access junction collection, reflecting the policies permission system.
---------
Co-authored-by: Nitwel <mail@nitwel.de>
* fix(api): reject collection names containing "/"
Collection names with "/" break URL routing because Express interprets
the slash as a path separator, making the collection unreachable via
REST API. Add input validation at creation time to reject "/" in
collection names, following the existing directus_ prefix validation
pattern.
Closes#27093
* add changeset
---------
Co-authored-by: Nitwel <mail@nitwel.de>
* Fix MSSQL schema application failing for text fields with MAX length (-1)
* Add begsaquib to contributors list
* fix: Normalize MSSQL text field `MAX` length to `null` in `parseMaxLength` during schema introspection to prevent invalid SQL during schema application, and introduce a new `apply-diff` utility
* fix: Normalize MSSQL text field MAX length (`-1`) to `null` in `parseMaxLength` to prevent invalid SQL during schema application.
* test: Add comprehensive tests for the `applyDiff` utility, covering snapshot application to collections and fields.
* feat: Introduce `FieldsService` for comprehensive field metadata, schema, and permission management, including a new test file.
* update changeset
---------
Co-authored-by: Nitwel <mail@nitwel.de>
* In app\src\components\v-list-item.vue, change the type of `to` from RouteLocation to RouteLocationRaw.
* In app\src\modules\settings\index.ts, name two paths: 'ai' and 'extensions'.
* Update ai-conversation.vue
* Update app\src\composables\use-collab.ts
* Update app\src\modules\activity\routes\item.vue
* Update app\src\modules\content
* Update app\src\modules\deployment
* Update app\src\modules\files\
* Update app\src\modules\insights\
* Update app\src\modules\users\
* Update app\src\views\private\
* Update app\src\modules\settings\
* Create good-geckos-ask.md
* Fix format problems
* Fix unit test in app\src\composables\use-collab.test.ts.
* Fix format problem.
* Update previously missed files.
app\src\modules\deployment\routes\provider\dashboard.vue
app\src\modules\files\routes\add-new.vue
app\src\modules\settings\routes\flows\overview.vue
* Modify app\src\modules\settings\routes\flows\overview.test.ts
* Fix format issues.
* Fix formt issue.
* In app\src\modules\deployment\components\navigation.vue, use `if-else` instead of ternary operator to set `link`'s value.
* fix item
* fix user nav
---------
Co-authored-by: Rijk van Zanten <rijkvanzanten@me.com>
Co-authored-by: Nitwel <mail@nitwel.de>
* fix(api): include custom query params in cache key
The cache key only used req.sanitizedQuery which strips non-Directus
query params. This caused Flow webhook endpoints and custom endpoints
to return stale cached responses when called with different custom
query parameters.
Include req.query in the cache key hash for non-GraphQL requests so
requests with different custom params produce different cache keys.
Fixes#26929
* fix: only include rawQuery when query params exist
Skip adding rawQuery to cache key when req.query is empty ({}),
preserving existing cache keys for standard requests without
custom query params. This avoids unnecessary cache invalidation
on deploy.
* fix(api): scope raw query param cache key inclusion to flow triggers
Address review feedback from @Nitwel: including all raw query params
globally made it trivial to bypass cache on standard REST endpoints.
Now only /flows/trigger endpoints include raw query params in the
cache key, since those endpoints pass arbitrary query params to the
flow execution context. Standard REST endpoints rely on sanitizedQuery
which already captures all Directus-recognized parameters.
* feat(api): add configurable cache query params for flow triggers
Allow admins to configure which query parameters should affect the
cache key for webhook flow triggers. When cacheQueryParams is set in
the flow trigger options, only those params are included in the cache
key. When not configured, all query params are included (preserving
the fix for #26929).
This prevents unexpected cache busting while still supporting
query-param-dependent flow responses.
Changes:
- FlowManager: store flow options alongside webhook handlers, expose
getWebhookFlowOptions() for cache key computation
- getCacheKey: extract flow UUID from path, look up flow options,
filter req.query by the configured allowlist
- Admin UI: add "Cache Query Parameters" tags input on webhook
trigger options, visible when Cache is enabled
* fix: validate cacheQueryParams type, fix UI visibility, add app changeset
- Add runtime Array.isArray validation for cacheQueryParams to prevent
silent cache key corruption from non-array values
- Fix hidden condition: use cacheEnabled === false instead of
!cacheEnabled so the field shows when cache defaults to enabled
- Add @directus/app to changeset (UI changes require it)
* style: add blank line to satisfy padding-line-between-statements
* test(app): add tests for cacheQueryParams UI visibility
* fix: use typed function signature instead of Function type
* fix: use inline labels instead of missing translation keys for cache query params field
* simplify and cleanup
* update tests
* update text
* update changeset
* test(api): add FlowManager.getFlow unit tests
* style: format flows.test.ts with prettier
---------
Co-authored-by: Nitwel <mail@nitwel.de>
* fix(app): deduplicate aggregate count requests on content navigation
When navigating to /content/:collection, the useItems composable fired
two separate watchers with immediate:true, causing 2-3 redundant
aggregate[countDistinct] API calls. This merges both watchers into a
single coordinated watcher and reuses the totalCount result for
itemCount when no user filters or search are active (or when the user
filter matches the system filter).
Fixes#25194
* address review feedback: simplify with until, separate watchers, remove spread
* fix lockfile
* refactor: use useMemoize to prevent duplicate aggregate calls
Replace loadingTotalCount/until logic with useMemoize from vueuse,
which automatically deduplicates concurrent calls with the same
arguments by reusing active promises.
* cleanup code
* chore: sign CLA
* fix: guard against race conditions in getTotalCount and getItemCount
Use generation counters to discard stale responses when rapid
navigation or filter changes cause overlapping requests. This
prevents an older response from overwriting a newer result.
* Add om-singh-D to contributors list
---------
Co-authored-by: Nitwel <mail@nitwel.de>
* suffix file health checks with machine id
* add changeset
* add ttl support for local cache
* improve configurability of healthcheck and cache results
* add cahngesets
* restrict `/server/health` to authenticated users
* tweaks
* Ensure consistent bracket usage
* Apply suggestion from @ComfortablyCoding
* add notice for dropping cache/ratelimiter/ratelimiterglobal
* move unauthenticated check to service
* add bb tests
* improve server health return type
* Update shaggy-news-check.md
* fix vendor db check
* Update shaggy-news-check.md
* Fix bb tests
* fix: use nullish coalescing for overwriteDefaults in payload transformers
* Revert "fix: use nullish coalescing for overwriteDefaults in payload transformers"
This reverts commit 79e1e86be6.
* fix: return undefined defaultOverwrites for primitive arrays in splitRecursive
* fix: propagate parent overwrite defaults to primitive arrays in splitRecursive
* Update moody-papers-help.md
---------
Co-authored-by: daedalus <44623501+ComfortablyCoding@users.noreply.github.com>
* sanitize search query - remove trailing spaces and punctuation
* changeset
* simplify and detect only unicode punctuation
* update changeset
* just trim leading and trailing spaces
* Add case for whitespace only search
* Fix formatting errors
* Allow for white space only search
* Fix formatting
* More formatting fixes
---------
Co-authored-by: Alex Gaillard <alex@directus.io>
* Add save as new file option to image editor
* Add changeset
* Update .changeset/old-chairs-end.md
* Fix file not creating in correct folder
---------
Co-authored-by: Alex Gaillard <alex@directus.io>
* separate all users view into active, suspended, and invited
* mitigate zero state flicker
* design feedback - update icons
* changeset
* fix changeset
* make default layout for user list tabular
* change copy
* Adjust copy again
---------
Co-authored-by: Alex Gaillard <alex@directus.io>
* Replace INTERNAL_SERVER_ERROR with SERVICE_UNAVAILABLE and provide user-friendly messages (#22416)
Was partially addressed by #22379, which fixed error objects being used as the message.
* Add changeset for #22416
* Update contributors.yml
Adds Eric Penneçot as a contributor
* Improve error handling for registry endpoints
* Add tests for handleRegistryError
* api/assets: clean up stream when client disconnects
When streaming large objects from S3, if a client disconnects midway through the download, the stream may still have pending data that is not consumed. This leads to sockets being left open with pending receive data in the TCP queue, which will no longer be consumed by the client.
Fixes: #26991
Signed-off-by: Champ-Goblem <cameron@northflank.com>
* prefer archive.abort over destroy
* cleanup
* no-op on abort
* add test
* Update wild-breads-relax.md
* Update wild-breads-relax.md
* Update .changeset/wild-breads-relax.md
---------
Signed-off-by: Champ-Goblem <cameron@northflank.com>
Co-authored-by: daedalus <44623501+ComfortablyCoding@users.noreply.github.com>
Co-authored-by: Alex Gaillard <alex@directus.io>
* Update readme with license revision notice
Added a note about the upcoming Directus source code license update and a link for community feedback.
* Update note about Directus source code license
* fix(api): handle countAll aggregate with empty fields array
When countAll is invoked via GraphQL, the fields array is empty ([]),
causing the inner loop to never execute and the countAll operation to
be skipped. This results in SELECT * instead of SELECT COUNT(*).
Move the countAll check before the fields iteration so it executes
regardless of whether fields are provided.
Fixes#26768
* fix(app): exclude alias fields from export Select All
When clicking 'Select All' in the export field picker, alias fields
(e.g. accordion groups, dividers) were included in the selection.
These fields don't correspond to actual database columns and cause
API errors when included in export requests.
Filter out disabled fields and alias-type fields in the addAll
function of v-field-list.
Fixes#26766
* chore: sign CLA
* add changeset
* Update .changeset/fix-export-alias-fields.md
* Update .changeset/fix-export-alias-fields.md
Co-authored-by: Hugo Torzuoli <torzuoli.hugo@gmail.com>
* exclude alias fields but not disabled fields
---------
Co-authored-by: Alex Gaillard <alex@directus.io>
Co-authored-by: Rijk van Zanten <rijkvanzanten@me.com>
Co-authored-by: Rob Luton <rob.luton@gmail.com>
Co-authored-by: Hugo Torzuoli <torzuoli.hugo@gmail.com>
* fix(api,app): show actual error reason on invite acceptance page
The accept-invite page displayed generic error code translations (e.g.,
'Invalid payload') instead of the actual API error reason. This made it
impossible for users to understand why invite acceptance failed.
Changes:
- Backend: Replace email-leaking error message with generic 'This invite
is no longer valid' to prevent account enumeration
- Frontend: Extract and display the error reason from the API response
instead of only showing the translated error code
- Tests: Add acceptInvite tests for generic error and scope validation
Fixes#26699
* chore: sign Directus CLA
* refactor: address review feedback from LZylstra
- Refactored backend test to use catch pattern for cleaner assertions
- Added extensions.reason assertion to pin the specific error message
- Extracted error formatting logic into getErrorReason utility function
- Added unit tests for both branches (reason present vs translateAPIError fallback)
* fix: correct import order in get-error-reason test
* fix: correct import order -- relative before aliased path
* ci: re-trigger CI after flaky date-picker test failure
* Update .changeset/fix-invite-error-display.md
* refactor(errors): add InvalidInvite error code with i18n translation support
- Add ErrorCode.InvalidInvite = 'INVALID_INVITE' to codes.ts
- Create InvalidInviteError class in invalid-invite.ts (no extensions, HTTP 400)
- Export InvalidInviteError from errors/index.ts
- Replace InvalidPayloadError in users.ts acceptInvite with InvalidInviteError
- Add INVALID_INVITE translation key to en-US.yaml
- Replace getErrorReason() with translateAPIError() in accept-invite.vue
- Remove getErrorReason utility (bypassed i18n translation system)
- Update users.test.ts to assert InvalidInviteError instead of InvalidPayloadError
- Update changeset to include @directus/errors package
* refactor(errors): wire InvalidInvite error across api, app, and errors packages
* Update .changeset/fix-invite-error-display.md
---------
Co-authored-by: Alex Gaillard <alex@directus.io>
* fix(app): close search area on keyboard focus out
* Add Zhey-on to contributors list
* fix(app): close search area when keyboard focus leaves
* test(app): add focusout v-menu-content stay-open case
* Amend test structure
* Update .changeset/sharp-toys-taste.md
---------
Co-authored-by: Alex Gaillard <alex@directus.io>
* add show only modified fields checkbox
* changeset
* tests
* change checkbox label
* Update app/src/components/v-form/v-form.vue
Co-authored-by: Alex Gaillard <alex@directus.io>
* reset checkbox with watcher plus add test
* test round trip Show Differences toggle
* change variable name to align with early copy change from design
---------
Co-authored-by: Alex Gaillard <alex@directus.io>
