UNPKG

@directus/api

Version:

Directus is a real-time API and App dashboard for managing SQL database content

directus.io

directus/directus

85 lines (84 loc) 4.25 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
import { parseFilter, validatePayload } from '@directus/utils'; import { FailedValidationError, joiValidationErrorItemToErrorExtensions } from '@directus/validation'; import { assign, difference, uniq } from 'lodash-es'; import { fetchPermissions } from '../../lib/fetch-permissions.js'; import { fetchPolicies } from '../../lib/fetch-policies.js'; import { extractRequiredDynamicVariableContext } from '../../utils/extract-required-dynamic-variable-context.js'; import { fetchDynamicVariableData } from '../../utils/fetch-dynamic-variable-data.js'; import { contextHasDynamicVariables } from '../process-ast/utils/context-has-dynamic-variables.js'; import { isFieldNullable } from './lib/is-field-nullable.js'; import { createCollectionForbiddenError, createFieldsForbiddenError, } from '../process-ast/utils/validate-path/create-error.js'; /** * @note this only validates the top-level fields. The expectation is that this function is called * for each level of nested insert separately */ export async function processPayload(options, context) { let permissions; let permissionValidationRules = []; let policies = []; if (!options.accountability.admin) { policies = await fetchPolicies(options.accountability, context); permissions = await fetchPermissions({ action: options.action, policies, collections: [options.collection], accountability: options.accountability }, context); if (permissions.length === 0) { throw createCollectionForbiddenError('', options.collection); } const fieldsAllowed = uniq(permissions.map(({ fields }) => fields ?? []).flat()); if (fieldsAllowed.includes('*') === false) { const fieldsUsed = Object.keys(options.payload); const notAllowed = difference(fieldsUsed, fieldsAllowed); if (notAllowed.length > 0) { throw createFieldsForbiddenError('', options.collection, notAllowed); } } permissionValidationRules = permissions.map(({ validation }) => validation); } const fields = Object.values(context.schema.collections[options.collection]?.fields ?? {}); const fieldValidationRules = []; for (const field of fields) { if (!isFieldNullable(field)) { const isSubmissionRequired = options.action === 'create' && field.defaultValue === null; if (isSubmissionRequired) { fieldValidationRules.push({ [field.field]: { _submitted: true, }, }); } fieldValidationRules.push({ [field.field]: { _nnull: true, }, }); } if (field.validation) { const permissionContext = extractRequiredDynamicVariableContext(field.validation); const filterContext = contextHasDynamicVariables(permissionContext) ? await fetchDynamicVariableData({ accountability: options.accountability, policies, dynamicVariableContext: permissionContext, }, context) : undefined; const validationFilter = parseFilter(field.validation, options.accountability, filterContext); fieldValidationRules.push(validationFilter); } } const presets = (permissions ?? []).map((permission) => permission.presets); const payloadWithPresets = assign({}, ...presets, options.payload); const validationRules = [...fieldValidationRules, ...permissionValidationRules].filter((rule) => { if (rule === null) return false; if (Object.keys(rule).length === 0) return false; return true; }); if (validationRules.length > 0) { const validationErrors = []; validationErrors.push(...validatePayload({ _and: validationRules }, payloadWithPresets) .map((error) => error.details.map((details) => new FailedValidationError(joiValidationErrorItemToErrorExtensions(details, options.nested)))) .flat()); if (validationErrors.length > 0) throw validationErrors; } return payloadWithPresets; }