import { ForbiddenError } from '@directus/errors';
import { validateCollectionAccess } from './lib/validate-collection-access.js';
import { validateItemAccess } from './lib/validate-item-access.js';
import { createCollectionForbiddenError } from '../process-ast/utils/validate-path/create-error.js';
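/**
 * Validate that the current user may perform `options.action` against `options.collection`,
 * optionally narrowed to specific primary keys and fields.
 *
 * When primary keys are given, access is confirmed by actually reading the items through the
 * access-control rules (`validateItemAccess`); otherwise only the existence of a matching
 * collection+action permission is checked (`validateCollectionAccess`). Both delegates are
 * opaque from here: they resolve to a truthy value when access is granted.
 *
 * @param {object} options
 * @param {string} options.collection - Collection the action targets.
 * @param {string} options.action - Action being attempted; within this function it is only used
 *   in error messages.
 * @param {object} options.accountability - Caller identity; `admin === true` bypasses every check.
 * @param {*} [options.primaryKeys] - When truthy, selects the item-level check (presumably the
 *   keys to read — confirm against the delegates).
 * @param {string[]} [options.fields] - Fields involved; when non-empty the error names them.
 * @param {boolean} [options.skipCollectionExistsCheck] - Skip the schema existence check.
 * @param {object} context - Must expose `schema.collections`, an object keyed by collection name.
 * @returns {Promise<void>} Resolves with no value when access is granted.
 * @throws {ForbiddenError} When the collection is not in the schema (built via
 *   `createCollectionForbiddenError`) or the permission / item check fails.
 */
export async function validateAccess(options, context) {
	// Refuse early when the collection is not part of the schema, unless the caller opted out.
	// Use an own-property check rather than `in`: `in` walks the prototype chain, so names such
	// as "constructor" or "toString" would otherwise be treated as existing collections.
	if (
		!options.skipCollectionExistsCheck &&
		!Object.prototype.hasOwnProperty.call(context.schema.collections, options.collection)
	) {
		throw createCollectionForbiddenError('', options.collection);
	}

	// Admins are exempt from permission checks.
	if (options.accountability.admin === true) {
		return;
	}

	// If primary keys are passed, confirm access by actually trying to read the items through the
	// access-control rules. Otherwise it suffices to check whether a permission exists for the
	// collection+action combination.
	const access = options.primaryKeys
		? await validateItemAccess(options, context)
		: await validateCollectionAccess(options, context);

	if (access) {
		return;
	}

	// Parenthesised on purpose: `??` binds looser than `>`, so without the parentheses the
	// expression would evaluate `0 > 0` first and fall back to a boolean instead of a length.
	const hasFields = (options.fields?.length ?? 0) > 0;

	if (hasFields) {
		const fieldList = options.fields.map((field) => `"${field}"`).join(', ');

		throw new ForbiddenError({
			reason: `You don't have permissions to perform "${options.action}" for the field(s) ${fieldList} in collection "${options.collection}" or it does not exist.`,
		});
	}

	throw new ForbiddenError({
		reason: `You don't have permission to perform "${options.action}" for collection "${options.collection}" or it does not exist.`,
	});
}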