* initial metrics implementation
* secure endpoint
* move metric generation to cron
* update directus env var list
* remove additional space in output
* prefer histogram over gauge
* add defaults
* add tests
* metric generation should be done on a per instance basis
* add docs
* simplify docs
* add changeset
* add proper capitalization
* do not attempt to access redis cache if redis is not available
* Update api/src/schedules/metrics.test.ts
Co-authored-by: ian <licitdev@gmail.com>
* metric lock should not be synchronized
* utilize prometheus client
* update typing
* check db metrics enabled before observe
* refactor get/track metric calls
* add cluster support
* add pm2 aggregation support
* rework pm2 aggregation
* Update api/src/schedules/metrics.ts
Co-authored-by: Pascal Jufer <pascal-jufer@bluewin.ch>
* ensure errors are caught
* add metrics bearer type to be inline with auth spec
* utilize early returns in access check
* at sensible default histogram bucket timeframe
* Update docs/self-hosted/config-options.md
Co-authored-by: Pascal Jufer <pascal-jufer@bluewin.ch>
* Update docs/reference/system/metrics.md
Co-authored-by: Pascal Jufer <pascal-jufer@bluewin.ch>
* do not initialize metrics when it isnt enabled
Co-Authored-By: Pascal Jufer <5363448+paescuj@users.noreply.github.com>
* fix api build
* return null for disabled metrics to be inline with other services
* prefere single service metric list env
Co-Authored-By: Pascal Jufer <5363448+paescuj@users.noreply.github.com>
* Update api/src/metrics/lib/create-metrics.test.ts
Co-authored-by: Pascal Jufer <pascal-jufer@bluewin.ch>
* update METRIC_TOKENS description
* update create metrics test wording
* reorg metric types
* Update create-metrics.ts
* Enable all metrics services by default
* Add full metrics output example
* Move enabled check to useMetrics & save results
* Adjust types in changeset
* metrics is REST API only
* update default cron to every minute
* update documented metric default schedule
* update metric schedule desc to be inline with default
* clarify metrics are returned from generated values and not at runtime
* add aggregation within pm2 context warning
* fix spellcheck
* Small grammar fixes for metrics aggregation notice
* Add `directus` minor bump
Co-authored-by: ian <licitdev@gmail.com>
---------
Co-authored-by: ian <licitdev@gmail.com>
Co-authored-by: Pascal Jufer <pascal-jufer@bluewin.ch>
Co-authored-by: Pascal Jufer <5363448+paescuj@users.noreply.github.com>
* feat(api): add index support
Co-Authored-By: Mahendra Kumar <22556323+mahendraHegde@users.noreply.github.com>
* fix(primary key): do not all mutating unique or index
* feat(app): add index selection
* refactor `dopIndex` to use array entry
* add docs
* add changeset
* add missing properties from field object spec
* simplify index checks
* formatting
* fix mssql index query
* fix additional fields being returned in schema
* fix oracle indexing
* only set nullable/not nullable if specifically requested
* Update app/src/lang/translations/en-US.yaml
Co-authored-by: Hannes Küttner <kuettner.hannes@gmail.com>
* Revert "only set nullable/not nullable if specifically requested"
This reverts commit 4726dbb8cf.
* make changeset more explicit
---------
Co-authored-by: Mahendra Kumar <22556323+mahendraHegde@users.noreply.github.com>
Co-authored-by: Daniel Biegler <DanielBiegler@users.noreply.github.com>
Co-authored-by: Hannes Küttner <kuettner.hannes@gmail.com>
* Update date fields on directus_files
* Add changeset
* Use knex update instead of raw
---------
Co-authored-by: Rijk van Zanten <rijkvanzanten@me.com>
* WIP start on migrations
* Add migration
* Don't insert if there's no rows
* Use service to read/write permissions
* Use payload service rather than itemsservice
* Start on downgrade command
* Update system data structure
* Update migrations to keep structure flat
* Remove icon from policies
* Drop policies table on downgrade
* Rearchitect migrations to structure v3
* Add down migration
* Update system fields
* Add policy to fields import
* Fix public role attachment
* Update packages/system-data/src/fields/index.ts
Co-authored-by: Daniel Biegler <DanielBiegler@users.noreply.github.com>
* Update packages/system-data/src/fields/policies.yaml
Co-authored-by: Daniel Biegler <DanielBiegler@users.noreply.github.com>
* Add nested roles
* Remove unused step
* Use two o2ms instead of m2a for attachments
* Update system data
* Implement permission policies in the API (#22384)
* Update system data structure
* Update migrations to keep structure flat
* Remove icon from policies
* Drop policies table on downgrade
* Rearchitect migrations to structure v3
* Add down migration
* Update system fields
* Add policy to fields import
* Fix public role attachment
* Update packages/system-data/src/fields/index.ts
Co-authored-by: Daniel Biegler <DanielBiegler@users.noreply.github.com>
* Update packages/system-data/src/fields/policies.yaml
Co-authored-by: Daniel Biegler <DanielBiegler@users.noreply.github.com>
* Add nested roles
* Remove unused step
* Use two o2ms instead of m2a for attachments
* Update system data
* [WIP] Start reorging permissions handling
* Setup field extraction
* Remove watch from vitest
* Finish fieldMap creation logic
* Add tests for utils
* Improve tests
* Improve coverage
* Split test and test:watch
* Continue on this fun
* [WIP] Setup processing
* Sort roles
* Restructure to util files for org
* Add missing util tests
* More tests
* Add cases/whencase to ast
* Start on injection logic
* Add tests for inject cases
* Add tests for process
* Add todo
* Organize run-ast
* Add clear method to kv
* Remove reliance on acc.perm
* Restructure permissions setup
* Drop perm from acc, add roles/policies
* Remove get-permissions in middleware
* Remove/comment use of acc.perm
* Add default roles/permissions
* Use knex
So we don't have to initialize the schema before we want to use the accountability system
* Use new fetching logic in get accountability
* Add new fetch global access utils
* Gotta redo based on new setup
* Replaced with new util
* Remove dropping of perm in acc
It's no longer there by default, so no need to remove here
* Temporarily comment out the enforce tfa check
* Update usage of fetch tree to use knex
* Don't store policies on accountability
* Feed in roles thru acc
* Bit of whitespace
* Rename role->policy
* Wreck some more stuff
Jk, this is splitting up the large get-ast-from-query function into smaller individual functions to make it easier to update the wildcard conversion to use permissions
* Add ability to lookup all allowed fields in col+ac
* Add note so I don't forget stuff which i will
* Handle null acc
* Introduce parseAst to itemsservice
* That cleans things up
* Replace checkAccess with validateAccess
* Remove checkaccess from service
* cleanup imports
* Whoops one more
* Leave crumbs for next time
* Implement most of the fn
* Fix various tests
* Start on test for fetch roles tree
* Add tests for fetch roles tree
* Fix process tests
* All. of. the. tests.
* Update uses of validateAccess
* Fix name in runAst
* Fix use of accountability in gql sub
* Deprecate authorization service
* Remove getPermissions use
* Drop old getpermissions
* Pass services
* Replace admin/app uses with fetch global
* Update fetch user count to pull from policies
* Remove broken admin existence checks
* Update min accountability
* Remove unused import
* Drop permissions override from controller
* Refactor reliance on acc.perm
* Replace usage of permissions in fields
* Replace usage of permissions in import/export
* Drop permissions use from relations
* Drop no longer used method
* Remove unused import
* fix type usage of pk in validate
* Fix default acc in user
* Replace use of permissions in utils
* Update reduceSchema in specs/gql
* Remove old share merging
* Remove empty file
* Remove outdated comment
* Use ctx objects for large param fns
* Add with-cache memoize util
* Add cache to fetchpermissions
* Update caching use in fetchRolesTree
* Add caching to fetchAllowedFieldMap
* Add more cache
* Refactor call signatures
* Move call signature updates
* Handle presets
* Update process call sig
* Prevent infinite recursion in roles tree lookup
* Use create util for acc
* Remove old checkIp
* Fix where equality operator
* Break EVERYTHING!
Jk just cleaning up the structure some more, and removing the dep injection in favor of mocking
* Fix build
* Add missing module tests
* Don't crash on missing parent
* Fix role lookup
* add missing type annotation
* use logical-OR assignment and avoid a memory allocation
* Attach admin policy in default admin creation
* Fix admin check
* Add todo for later
* rm code duplication
* fix test
it was missing the new `roles`
* add types and fix type error
policies dont [yet] have an icon
* move spread order to avoid potential future mishaps
new default keys would override the manually set keys, potentially leading to unintended behavior
* reduce allocations, add escape hatch to loop and type db-row
* Implement case/when
* Clean up comments
* Optimize perm fetching in allowed f
* Move apply case when to util fn
* Optimize fetch-allowed-fields
* Add fetch inconsistent util
* Allow nulls
* Remove obsolete getCacheKey
* Remove unused import
* Update getAccountabilityForRole test
* Update fetchGlobalAccess test with one more test case + fix other test case
* Type cleanup
* Fix "admin access means automatic app access" in fetchGlobalAccessForQuery
* Clean up and expand fetch-inconsistent-field-map.test.ts
* Test uncached functions
* Test uncached
* Remove cases usage in parse-current-level
* Only consider non-null rules in inject cases
* Fix parseCurrentLevel call
* Move service imports into functions to avoid circular imports
* Ensure that we test that an error is thrown in processAst test
* Add failing test case for flattenFilter
* Ensure uniqueness in extractPathsFromQuery
* Early exit in validatePath
* Add additional test case for process payload test
* Update validateCollectionAccess test
* Clean up validate-item-access.test.ts
* Remove redundant initializer
* Use createDefaultAccountability
* Fix fetch-user-count.test.ts
* Cleanup unused default initializer
* Add empty cases to subfilter in _relationCount
* Drop AccessService and PermissionsService usage from services
* Found some more PermissionsServices
* Fix a few more tests
* Add nested role relation
* Fix query invocation in aggregate and group queries
* Fix role property name in auth/refresh
* Add some missing relations for permissions, access and roles
* Add m2o relation from permissions to policy
* Add m2o relation access to role, user, policy
* Allow fetchPermissions to fetch all permissions and not just those limited by an action
* Add parent to Role type
* Make sure that admin users see all fields
* Add access and policies controller, add util methods to policies and access service
* Change name and description of public policy, update description of admin policy and add on delete trigger.
* Make sure access row uuids are auto generated
* optimize kvredis clear function and add a unit test
to be fair: unit test is also testing implementation details but thats a problem there in general and for future us
* Add minimal app permission and dynamic variable injection to the permission fetching
* Fix m2o collection name in extractFieldsFromChildren
* Make sure to clone permission before injecting dynamic variables
* Actually do the cloning in with withAppMinimalPermissions since people might missbehave with the permissions obtained from PermissionsService.readByQuery so it better to go the source of the problem
* Use knex transaction in createOne -> processPayload - otherwise deadlock
* Make sure to respect '*' field in allowed fields
* Fix extractFieldsFromChildren for o2m as well - classic
* Fix allowed field check in `FieldsService.readAll` to account for multiple permissions for collection+action
* Skip case/when if `allowedFields` includes '*'
* Restructure the way the current users permissions are returned
* add ability to clear all keys from memory cache
* add test for clear method
* add await to clear function
* Clear permissions caches on changes to policy attachments (directus_access) and policy updates (directus_policies) and permissions updates (directus_permissions)
* Make the public role a real role rather than a virtual one
* Inject the public role, we're it previously was `null`
* Revert adding a fix public role
* remove unused variable
* Ensure that a user without a role can still use the /me util endpoints
* Make sure that the /me endpoints always return minimal information, similar to /users/me
* Some fixes after merging main
* Update api/src/permissions/utils/with-cache.ts
Co-authored-by: Hannes Küttner <4376726+hanneskuettner@users.noreply.github.com>
* Avoid broken role query for now
* Skip related collection `parseFields` if user has no permissions
* Ensure same call order as in `convertWildcards`
* Create default admin policy and connect it in cli init command
* Remove obsolete middleware mock in app.test.ts
* Add validation against non-existent fields and collections to `validatePath`
* Split up permission and path existence validation and validate path existence for admin users as well
* Make applySearch not async
* Fix relation extraction and permissions for `$FOLLOW` fields
* Fix case when for related collections and query wrapping
* Rework user integrity checks for Auditus (#22737)
* Changes to user counting and integrity checks
* Ensure that user validation happens in both create one and create many
* Rename `checkType` to `flags`
* Update api/src/permissions/modules/validate-remaining-admin/validate-remaining-admin-count.ts
Co-authored-by: Daniel Biegler <DanielBiegler@users.noreply.github.com>
* Update to enum usage
Co-authored-by: Daniel Biegler <DanielBiegler@users.noreply.github.com>
* A few more changes to enum instead of number
* One more enum type update
* Make sure to correctly override the callback when combining options
* Clean up option type
* Update api/src/services/users.ts
Co-authored-by: ian <licitdev@gmail.com>
* Only take validation shortcut for users
We can only be sure that the deletion of users does not increase any other access types count, so in all other cases we need to verify that for example the App or API users have not increased over the limit
* Make both app and admin users count against app access limit
* Update api/src/permissions/modules/validate-remaining-admin/validate-remaining-admin-count.ts
Co-authored-by: Pascal Jufer <pascal-jufer@bluewin.ch>
* One post-merge fix, two small fixes
* Simplify flag updating and callback calling
* Changing app access in a policy only requires user limit checking, not full check
* Only the status of a created user should matter to determine if a check is neccessary
* Add count alias to count query
---------
Co-authored-by: Daniel Biegler <DanielBiegler@users.noreply.github.com>
Co-authored-by: ian <licitdev@gmail.com>
Co-authored-by: Pascal Jufer <pascal-jufer@bluewin.ch>
Co-authored-by: Rijk van Zanten <rijkvanzanten@me.com>
* Add roles and permissions to the app (#22654)
* Initial app changes
* Fix getRelationsForField
* Add changeset
* Remove app-permissions from role settings
* Make sure access row uuids are auto generated
* Move a few things around, set up policies m2m properly
* Show roles as tree in sidebar
Change avatar field query for user
* Show user and role count in policy table
* Default to not adding app access for a policy, makes composability less annoying
* Correctly fall back to 0 for counts
* Change the structure of current user permissions
* Start bringing back the public role
* Make the public role a real role rather than a virtual one
* Revert public role changes
* Extend list-m2m to allow for very custom junction matching and a primary key of `null`
* Remove unused
* Fix public role policy update payload
* Fix app access for users without role (which is a thing now apparently)
* Make sure that the /me endpoints always return minimal information, similar to /users/me
* Tweak nav icons
* Pull policy id from constants
* Update permissions interface design to match
New design language in figma
* Some minor adjustments
- Make chip hover border more consistent
- Add "Remove" button to remove a full row of permissions, as in the UI mockup
- Fix table layout
* Clean up a few more things
* Fix `setFullAccess`
* Align collection view icons with navigation
* Don't query 'admin_access' for role
* Fix relation extraction and permissions for `$FOLLOW` fields
* Don't show `0 Items` for child rows, but `--` instead
* Make policy detail work in nested policy creating use case
* Remove unused v-icon override
* Move system collections to separate visual table
* Navigate before refresh
Prevents a flash of the previous value to be visible in the table
* Move composable to separate file
---------
Co-authored-by: Daniel Biegler <DanielBiegler@users.noreply.github.com>
Co-authored-by: Rijk van Zanten <rijkvanzanten@me.com>
* Optimize types
* Clone query deep
* Optimize type order
* Throw error on invalid role id
* Rename run.js -> run-ast.js
* Re-add filesizes to telemetry report collection that got lost in the merge
* Make `systemCollections` reactive
* Use one column per action to avoid unwanted shifting if some actions are not allowed at all
* Render system and custom together
* Add divider between regular and system permissions if both have elements
* Add AccessService and PoliciesService to `getService`
* Move policy global flags fetching to util
* Move collection access fetching into util
* Remove permissions for `directus_access`, `directus_permissions` and `directus_policies` from schema permissions
* use formatted-value display for name & description in roles & policies
* Rename `process.ts` to `process-ast.ts`
* Fix process-ast import after renaming
* Perform user integrity check on item deletion
* Fix first admin creation on bootstrap
* Revert "Fix first admin creation on bootstrap"
This reverts commit bf480d023c.
Will be fixed by adjusting the check in access service
* Don't perform admin integrity check if a new access row is created. Only check user limits
* Don't set an alias to the raw column value if it is wrapped in a case/when
* Correctly handle aliases when in field map and case injection
---------
Co-authored-by: Pascal Jufer <pascal-jufer@bluewin.ch>
Co-authored-by: Daniel Biegler <DanielBiegler@users.noreply.github.com>
Co-authored-by: Hannes Küttner <kuettner.hannes@gmail.com>
Co-authored-by: Hannes Küttner <4376726+hanneskuettner@users.noreply.github.com>
Co-authored-by: ian <licitdev@gmail.com>
* Remove changeset of already merged PR (#22653)
* Fix multi cache subscribe call to preserve context
Co-authored-by: Brainslug <br41nslug@users.noreply.github.com>
* Add max length to name for policy and role names
Co-authored-by: Brainslug <br41nslug@users.noreply.github.com>
* Update app/src/modules/settings/routes/policies/collection.vue
Co-authored-by: Brainslug <br41nslug@users.noreply.github.com>
* Organize settings sidebar for clarity
* Remove query limit override from access and policies controller
THe query limit was added previously, where the idea was to fetch all policies in the app, but since that is not required anymore we can remove the override again, which in turn fixed pagination for policies. Woop
* Rework MetaService
* Fix filtered counting (previously it did not account for left join caused by permissions filter)
* Collect permissions for current collection and dedupe access to align filter with the one used in the actual query
* Use applyFilter and an _or filter to retrieve permitted items
* Prevent certain skips in _or filters
We can only skip empty filters in `_or` if either they are not equal to the value of `cases` or if _or has exactly only exactly one empty filter
This is needed to prevent dropping joins that are required for the case/when construction. For example when having the permissions `_or: [ {}, {related_item: { id: 1} }]` all joins need to be retained
* Revert unintentional with-cache commit
* Remove check for id in children which fails on some DBs if no children are set
* Show users and roles in policy item view
* Update directus_access policy/roles + policy/users `one_deselect_action`
This ensures that the access rows are cleaned up when removing users or roles from the policy side of the relation
* Merge policy loaded from API with current edits
* Make `app_access` default to false
* Split field map into read specific and other fields
This change is necessary since process-ast is used to verify item access for actions other than `read`.
But, if a user does not have action permissions for fields used in the query filter or sort field the validation for `xByQuery` would have failed until now.
* The fields are verified separately checked against read and action specific permission.
* Updated all the tests accordingly
* Fix `hasCaseWhen` check in `getDBQuery`
Previously it was checking if `cases.length > 0` which was always true, since we always pass in at least one case (`{}`), now it checks if there are actually field nodes with a whenCase property
* Don't expose o2m fields that the user might not have access to for some items
This approach uses a flag that is introduced into the parent item db query, that uses the case/when construct to determine if a user has access to the o2m field on the specific item.
The flag is 1 if the user has access and null otherwise.
It is set in the resulting query object for all o2m fields that have a whenCase (the ones with partial access) and used when merging the nested query items into the parent items.
* Accept O2MNode as fieldNode
* Filter policies in fetchGlobalAccess by ip_access if applicable and use `withCache` util
* Filter the policies influencing the global access by ip_access filter if an ip is available
* Use `withCache` util for top level function and the two lower level functions
Co-authored-by: Daniel Biegler <DanielBiegler@users.noreply.github.com>
* Fix filter in roles. Again. Almost like I didn't properly test it. huh
* Add cache key stability by only picking the props that are relevant from accountability and enforcing an order in the provided options object
* Improve `fetchAllowedFields` to only return fields that are actually in the schema
* Make a local copy of `junctionFilter` in order to prevent reloads on form value changes
* Remove debug log
* Update packages/system-data/src/fields/policies.yaml
Co-authored-by: ian <licitdev@gmail.com>
* Update api/src/permissions/utils/filter-policies-by-ip.ts
Co-authored-by: ian <licitdev@gmail.com>
* Conditionally add IP to request level cache key
Add `accountability.ip` to the request level cache key if, and only if, the IP is matched by any of the `ip_access` filters of the current users policies.
This ensures that, if the request IP influences the request result, it is path of the cache key, but also not included if there are no IP filters configured for the current user.
* Update api/src/permissions/modules/fetch-policies-ip-access/fetch-policies-ip-access.ts
Co-authored-by: ian <licitdev@gmail.com>
* Make sure that fetchAllowedFields does not remove field wildcard '*'
* Temporarily disable cache key picking
* Refine cache key picking + remove `undefined` from Accountability['ip'] type
* Rename `pick` to `prepareArg`
* Define the sort field for the `directus_access` junction table
* Verify that user has access to automatically selected sort field and default to first allowed field if not
* Sort the fetched permissions to match the order of the passed in policies
* Some clean-up of TODOs and unused code
* Take care of a special case, where no fields are requested and we are still interested the correct items being returned
This surfaced when running `validateItemAccess` with an update permission that did not include the primary key field.
* 3 less
* Update api/src/database/migrations/20240328A-permissions-policies.ts
Co-authored-by: ian <licitdev@gmail.com>
* Change /permissions/me response and add corresponding types and constants
* Fix payload validation
- Field validation needs to happen for admin users as well
- Add back injection of validation rules for non-nullable fields
Tests added/adjusted accordingly
* Mark `system-permissions` interface as `system`
* Remove special handling for public policy. It's one of us now.
- Add `icon` field to policies
- Add notice to the public role
* Rename migration to most recent date
* Clear permissions cache in `clearSystemCache`
* Make `getDBQuery` not async
* Set the sort field to `null` if the user does not have any allowed fields, not even the primary key
* Handle the case where `null` is returned as item edits by the permission detail drawer and remove the existing item, if any.
* Prevent role recursion (this is a simple check right now and I would expect it to fail on nested role updates that do funky stuff)
* Add overflow to permissions table
* Ensure fields are always passed to validation-errors
When v-form is used with the `collection` prop, instead of directly
passing fields via `fields` prop, the validation-errors component
didn't receive any field information.
This is fixed, by passing down the "finalFields" from `useForm`.
This is not directly related to 'auditus', but since it seems like this will be the
only place (so far) where we want to show validation-errors on a system
collection, I'm committing here.
* Outsource 'useSave' for roles, exactly as in policies
* Clean-up policies & roles item views
- Remove leftover styles, use clearer naming 'content'
- Fix types (policies was using role type)
- Show validation errors, handle errors on save & delete
- Use loading state of v-form (to have some indicator and less layout shift)
* Mark name field in policy & role as required
That way, an indicator is shown in the form, and value is checked when
editing via drawer
* remove role filter from public registration m2o
roles dont have access fields anymore, simply allow admin roles for now
* Remove overflow again. It broke
* Add cache purging for permission related updates.
* Add `dropForeign` in migration
Fixes migration on MySQL
* Add parsed field name to field map instead of raw field name
This fixes filtering & sorting with function as keys, e.g. `year(date_updated)`
* Account for $FOLLOW field filters earlier and don't confuse them with functions (see prev commit)
* Update migration to also work with CockroachDB
Instead of altering the `policy` column on `directus_permissions` to add the NOT NULL constraint it needs to be created with NOT NULL in the first place, as this will fail in CockroachDB.
That means we need to drop the foreign key constraint for the role column in order to update to `null` `role` to the public policy ID before we copy the values into the `policy` column
* Fix typo
* Add icon to default admin policy
* Be more clear about where the public role applies
* Update api/src/permissions/lib/fetch-policies.ts
Co-authored-by: ian <licitdev@gmail.com>
* Update api/src/permissions/lib/fetch-policies.test.ts
Co-authored-by: ian <licitdev@gmail.com>
* Enable GH workflows
* Make eslint happy, cleanup and improve role sidebar in users view
* Fix wrong suggestion application and move comments in block
* Format files
* Update isFullPermission test
* Clean up policy filter logic
* Flip order in test
* Update mocking in user/flows store tests
* Update expected results of a lot of api tests that changed during development (all stay true to the original idea)
* Update parseFilter test
* Update injectCases test
* Manually set parent to `null` if a role gets deleted and remove the `SET NULL` on delete action.
The `SET NULL` action causes problems problems on OracleDB
* Fix limit check for new users w/o "status" field
status defaults to "active", thus if the field is not in payload, the
user limit check needs to be triggered
* Fixed migration "inconsistent datatypes: expected - got CLOB" error in oracle
* Update extractFieldsFromChildren test
* Fix `count(o2m)` type queries
* Update UsersService tests
- Adapt to new user integrity logic
- Add basic ItemsService tests to ensure user integrity checks take
place
* Move withAppMinimalPermissions to appropriate dir
* Fixed boolean logic error for graphql counting
* Make sure that relational function aliases are recognized as `functionField`
* Fix permission for relational functions
Before this functions that operated on a o2m field like `count(o2m)` did not respect permissions on the related collection.
Now function field nodes have a cases list as well and correctly get the cases injected for the related collection.
The permissions are then correctly injected in the query that is passed down to the relational count function helper.
* Fix mock in withAppMinimalPermissions test
* Update RolesService tests
Copied and commented out old checks from roles to policies, so we can
re-check later on
* Add preliminary changesets
* Reword changeset to "Policies"
* Update .changeset/strong-numbers-warn.md
Co-authored-by: Pascal Jufer <pascal-jufer@bluewin.ch>
* Policies Documentation (#22729)
Co-authored-by: Hannes Küttner <kuettner.hannes@gmail.com>
Co-authored-by: Brainslug <tim@brainslug.nl>
* Reformat docs
* SDK functions for auditus (#22795)
* Updated sdk types
* added policy commands
* prettier
* Added new and missing websocket subscription hooks
* Added missing endpoints
* Added missing graphql endpoints
* prettier
* Added changesets
* updated changesets
* Update .changeset/nine-geckos-jog.md
* Update api/src/services/graphql/index.ts
Co-authored-by: Pascal Jufer <pascal-jufer@bluewin.ch>
* Update sdk/src/rest/commands/create/policies.ts
Co-authored-by: Pascal Jufer <pascal-jufer@bluewin.ch>
* Update sdk/src/rest/commands/create/policies.ts
Co-authored-by: Pascal Jufer <pascal-jufer@bluewin.ch>
* Update sdk/src/rest/commands/read/policies.ts
Co-authored-by: Pascal Jufer <pascal-jufer@bluewin.ch>
* Update sdk/src/rest/commands/read/roles.ts
Co-authored-by: Pascal Jufer <pascal-jufer@bluewin.ch>
* Update sdk/src/rest/commands/read/policies.ts
Co-authored-by: Pascal Jufer <pascal-jufer@bluewin.ch>
* Update sdk/src/rest/commands/read/policies.ts
Co-authored-by: Pascal Jufer <pascal-jufer@bluewin.ch>
* Update sdk/src/rest/commands/read/policies.ts
Co-authored-by: Pascal Jufer <pascal-jufer@bluewin.ch>
* Update sdk/src/schema/policy.ts
Co-authored-by: Pascal Jufer <pascal-jufer@bluewin.ch>
* Update sdk/src/schema/policy.ts
Co-authored-by: Pascal Jufer <pascal-jufer@bluewin.ch>
---------
Co-authored-by: Pascal Jufer <pascal-jufer@bluewin.ch>
---------
Co-authored-by: Daniel Biegler <DanielBiegler@users.noreply.github.com>
Co-authored-by: Hannes Küttner <kuettner.hannes@gmail.com>
Co-authored-by: Pascal Jufer <pascal-jufer@bluewin.ch>
Co-authored-by: Hannes Küttner <4376726+hanneskuettner@users.noreply.github.com>
Co-authored-by: ian <licitdev@gmail.com>
Co-authored-by: Brainslug <br41nslug@users.noreply.github.com>
Co-authored-by: Brainslug <tim@brainslug.nl>
Co-authored-by: Kevin Lewis <kvn@lws.io>
* WIP: add new register dummy-route
* fix notice on register route
* WIP register form
* WIP: registering ui and controller for testing
* fix lint ordering problem
* wip: users service
* add migration, initial style for fields in settings
* redo how emails will be filtered
* WIP add filter in the register handler
* conditionally render register link depending on settings
* WIP: add email validation
* wip add email sending
* make clicking the email link work
* rm console log
* update controller
* dont send emails for existing emails
* add translation
* only show register link when unauthenticated
* add different redirects
* only allow selecting non-admin roles
* redirect to users page
* update translation
* move logic from controller to usersservice
* rm remnant of logic from controller
* add stall time to registration
* update translation
* rm comments
* rm unused var
* add changeset
* update translation for success
* remove sso related stuff from registration
* also allow setting first and last name
* update error check
* add @directus/errors to app
* replace error strings with enum
* rename to public_registration
* rename to public_registration_verify_email
* add notes to fields
* add types package to changeset
* dont stall if no work is being done
* allow null-role and resending of reg. email
* add public registration env vars, rm RATE_LIMITER_GLOBAL_STORE
RATE_LIMITER_GLOBAL_STORE wasnt being used. Lets just stick to RATE_LIMITER_STORE for all rate limiters. TODO: also remove from docs!
* use ratelimiter for registration, use stall time env var
* add registration limiter docs, rm global store variable from docs
* update changeset
* add ignore-notice
Co-authored-by: Hannes Küttner <4376726+hanneskuettner@users.noreply.github.com>
* use and document new `EMAIL_VERIFICATION_TOKEN_TTL`, also doc `REGISTER_STALL_TIME`
* change variable name
Co-authored-by: ian <licitdev@gmail.com>
* apply variable rename to usage
* change backticks to single quote
Co-authored-by: ian <licitdev@gmail.com>
* inline variables
* add fields to server info, update types
- The other ratelimiters also expose points and duration, done
- Add `public_registration_verify_email` so that we can render different success messages
* tiny wording tweak of registration mail
* add new user status 'unverified' and check for it
* add unverified status translation
* decouple email verification and validation
* enable register rate limiter by default and up its config
* add autocomplete=new-password on the registration form
* added sdk functions
* add gql query for new fields
* added register api reference
* updated verify sdk function name
* added reference block for email verify endpoint
* updated reference examples
* WIP: add gql resolvers
* add ratelimiter to mutation
* remove ratelimiter registration point+duration info
* rm points and duration from gql
* Update docs/reference/system/users.md
Co-authored-by: Pascal Jufer <pascal-jufer@bluewin.ch>
---------
Co-authored-by: Hannes Küttner <4376726+hanneskuettner@users.noreply.github.com>
Co-authored-by: ian <licitdev@gmail.com>
Co-authored-by: Brainslug <tim@brainslug.nl>
Co-authored-by: Brainslug <br41nslug@users.noreply.github.com>
Co-authored-by: Pascal Jufer <pascal-jufer@bluewin.ch>
* add report url fields
* update field template to be agnostic
* add changeset
* various fixes
* rename handler to load path level
* add translations
* updated docs
* fix tests
* add placeholder support for system-display-template
* refactor project to report and move to their own settings section
* example urls should be more concrete
Co-Authored-By: Pascal Jufer <5363448+paescuj@users.noreply.github.com>
* move hardcoded default report urls to constants
Co-Authored-By: Pascal Jufer <5363448+paescuj@users.noreply.github.com>
* Make nav reactive, so URL changes are immediate
* change order of report urls
* change icon to feedback
* move composable to top level
* remove ref, use from prop
* Update .changeset/tender-timers-develop.md
Co-authored-by: Pascal Jufer <pascal-jufer@bluewin.ch>
* rm select_a_collection_or_tree_fields translation key
---------
Co-authored-by: Pascal Jufer <5363448+paescuj@users.noreply.github.com>
Co-authored-by: Pascal Jufer <pascal-jufer@bluewin.ch>
Co-authored-by: Daniel Biegler <DanielBiegler@users.noreply.github.com>
* add visual feedback for invalid value
* add focal point MVP
* Revert "add visual feedback for invalid value"
This reverts commit 1df1868342.
Accidently committed some local testing stuff. Pls disregard! :)
* fix wrong cropping
* fix text for new cropping, import correct type
* fix saving
* place initial focal point to saved value or center, display different cancel text
* split up tooltips
* honor rotations & flips when saving focal point
* apply custom cropper styles for focal mode
* Create loud-crews-fix.md
* add test and only crop when covering with fixed dimensions to preserve default behaviour
* linter gods pls forgive me
* replace json field with two int fields
* add focal point to sdk
* fix transformation for the two new db columns
* update test for new columns, add new tests
* wip: saving now differentiates between only img data and focal point and only enable saving if there are changes
but this is not optimal. would be better to check beforehand if we can collapse
to requests to one. Now its bad because
one request might succeed and the other fails.
* refactor image editor change persistence
now we save it in one request!
* Update loud-crews-fix.md
* add `focal_point_x` and `focal_point_y` to possible asset transformations
* fix assigning localdragmode upon cropper init
* reuse fetched fields in type
Co-authored-by: Brainslug <br41nslug@users.noreply.github.com>
* update file type
Co-authored-by: Brainslug <br41nslug@users.noreply.github.com>
* update changeset
Co-authored-by: Pascal Jufer <pascal-jufer@bluewin.ch>
* improve type for `ASSET_TRANSFORM_QUERY_KEYS`
Co-authored-by: Brainslug <br41nslug@users.noreply.github.com>
* Apply suggestions from code review
Trying out the batch change feature from github for the first time. Lets see.
Co-authored-by: Pascal Jufer <pascal-jufer@bluewin.ch>
* rename `persistChanges` to `saveImage`
* Add docs for focal points (#20959)
* Add user guide
* Added to API Reference
* Prettier
* Spellchecker
* default null
Co-authored-by: Daniel Biegler <DanielBiegler@users.noreply.github.com>
* from -> around
Co-authored-by: Daniel Biegler <DanielBiegler@users.noreply.github.com>
* from -> around
---------
Co-authored-by: Daniel Biegler <DanielBiegler@users.noreply.github.com>
* add changeset for docs
* run prettier lets goooooooo
* move & show focal point fields and add divider
---------
Co-authored-by: Brainslug <br41nslug@users.noreply.github.com>
Co-authored-by: Pascal Jufer <pascal-jufer@bluewin.ch>
Co-authored-by: Kevin Lewis <kvn@lws.io>
* Add enable/disable support for bundle type extensions
* added changeset
* Update app/src/modules/settings/routes/extensions/components/extension-item.vue
Co-authored-by: Brainslug <br41nslug@users.noreply.github.com>
* add docs
* bundle with app extensions should display reload on prod
* use early returns for toggle logic
Co-Authored-By: Brainslug <br41nslug@users.noreply.github.com>
* add enable/disable all for partially enabled
* refresh message should work for enable and disable all
* Clearer tooltip for app extensions in dev
---------
Co-authored-by: Brainslug <br41nslug@users.noreply.github.com>
Co-authored-by: Pascal Jufer <pascal-jufer@bluewin.ch>
