fix: filter user attached policy accesses on pull (#207)

* fix: exclude user-attached accesses from public policy detection

* fix: filter user-attached accesses from policy dump and add e2e coverage

* fix: cast filtered policy items to include sync ID and exclude ignored fields

* chore: run format

* fix: add null user field to policy roles across multiple collections

* fix: include user field in policy roles for consistency across collections

* fix: run linter

* chore: run format

---------

Co-authored-by: Edouard Demotes <e.demotes@gmail.com>

Author: legendac

packages/cli/src/lib/services/collections/policies/data-client.ts

@@ -41,8 +41,9 @@ export class PoliciesDataClient extends DataClient<DirectusPolicy> {
     // When role-policy attachments sync is disabled, omit the roles fields
     // entirely from the dump so they are neither tracked nor diffed.
     // See https://github.com/tractr/directus-sync/issues/199
+    // Include roles.user so we can detect and skip user-attached accesses.
     const extraFields = this.config.shouldSyncPolicyRoles()
-      ? ['*', 'roles.role', 'roles.sort']
+      ? ['*', 'roles.role', 'roles.user', 'roles.sort']
       : ['*'];
     return readPolicies(
       deepmerge<Query<BaseDirectusPolicy>>(query, {

packages/cli/src/lib/services/collections/policies/data-mapper.ts

@@ -1,8 +1,8 @@
-import { DataMapper, Field, IdMappers } from '../base';
+import { DataMapper, Field, IdMappers, WithSyncIdAndWithoutId } from '../base';
 import { Container, Service } from 'typedi';
 import { LoggerService } from '../../logger';
 import { POLICIES_COLLECTION } from './constants';
-import { DirectusPolicy } from './interfaces';
+import { DirectusPolicy, DirectusPolicyAccess } from './interfaces';
 import { RolesIdMapperClient } from '../roles';
 import { ConfigService } from '../../config';
 
@@ -27,4 +27,20 @@ export class PoliciesDataMapper extends DataMapper<DirectusPolicy> {
       this.idMappers = {};
     }
   }
+
+  async mapIdsToSyncIdAndRemoveIgnoredFields(
+    items: WithSyncIdAndWithoutId<DirectusPolicy>[],
+  ): Promise<WithSyncIdAndWithoutId<DirectusPolicy>[]> {
+    const filtered = items.map((item) =>
+      Array.isArray(item.roles)
+        ? ({
+            ...item,
+            roles: (item.roles as Partial<DirectusPolicyAccess>[]).filter(
+              (a) => !(a.role === null && a.user != null),
+            ),
+          } as WithSyncIdAndWithoutId<DirectusPolicy>)
+        : item,
+    );
+    return super.mapIdsToSyncIdAndRemoveIgnoredFields(filtered);
+  }
 }

packages/cli/src/lib/services/collections/policies/id-mapper-client.ts

@@ -120,6 +120,9 @@ export class PoliciesIdMapperClient extends IdMapperClient {
           filter: {
             _and: [
               { roles: { role: { _null: true } } },
+              // Exclude user-attached accesses (role=null, user=uuid) so they
+              // are not mistaken for the public policy access (role=null, user=null).
+              { roles: { user: { _null: true } } },
               {
                 _or: [
                   { roles: { sort: { _eq: 1 } } },

packages/e2e/dumps/sources/default-updated/collections/policies.json

@@ -10,6 +10,7 @@
     "roles": [
       {
         "role": "_sync_default_admin_role",
+        "user": null,
         "sort": null
       }
     ],
@@ -26,6 +27,7 @@
     "roles": [
       {
         "role": null,
+        "user": null,
         "sort": 1
       }
     ],

packages/e2e/dumps/sources/dependencies-operations-reversed/collections/policies.json

@@ -10,6 +10,7 @@
     "roles": [
       {
         "role": "_sync_default_admin_role",
+        "user": null,
         "sort": null
       }
     ],
@@ -26,6 +27,7 @@
     "roles": [
       {
         "role": null,
+        "user": null,
         "sort": 1
       }
     ],

packages/e2e/dumps/sources/dependencies-operations/collections/policies.json

@@ -10,6 +10,7 @@
     "roles": [
       {
         "role": "_sync_default_admin_role",
+        "user": null,
         "sort": null
       }
     ],
@@ -26,6 +27,7 @@
     "roles": [
       {
         "role": null,
+        "user": null,
         "sort": 1
       }
     ],

packages/e2e/dumps/sources/dependencies-settings-default-folder/collections/policies.json

@@ -10,6 +10,7 @@
     "roles": [
       {
         "role": "_sync_default_admin_role",
+        "user": null,
         "sort": null
       }
     ],
@@ -26,6 +27,7 @@
     "roles": [
       {
         "role": null,
+        "user": null,
         "sort": 1
       }
     ],

packages/e2e/dumps/sources/dependencies-settings-default-role/collections/policies.json

@@ -10,6 +10,7 @@
     "roles": [
       {
         "role": "_sync_default_admin_role",
+        "user": null,
         "sort": null
       }
     ],
@@ -26,6 +27,7 @@
     "roles": [
       {
         "role": null,
+        "user": null,
         "sort": 1
       }
     ],

packages/e2e/dumps/sources/empty-collections/collections/policies.json

@@ -10,6 +10,7 @@
     "roles": [
       {
         "role": "_sync_default_admin_role",
+        "user": null,
         "sort": null
       }
     ],
@@ -26,6 +27,7 @@
     "roles": [
       {
         "role": null,
+        "user": null,
         "sort": 1
       }
     ],

packages/e2e/dumps/sources/group-and-field-names-conflict/collections/policies.json

@@ -10,6 +10,7 @@
     "roles": [
       {
         "role": "_sync_default_admin_role",
+        "user": null,
         "sort": null
       }
     ],
@@ -26,6 +27,7 @@
     "roles": [
       {
         "role": null,
+        "user": null,
         "sort": 1
       }
     ],