sanitize query in item read/update/delete (#13900)

api/src/operations/item-delete/index.ts

@@ -1,8 +1,9 @@
 import { Accountability, PrimaryKey } from '@directus/shared/types';
 import { defineOperationApi, toArray } from '@directus/shared/utils';
 import { ItemsService } from '../../services';
-import { optionToObject } from '../../utils/operation-options';
 import { getAccountabilityForRole } from '../../utils/get-accountability-for-role';
+import { optionToObject } from '../../utils/operation-options';
+import { sanitizeQuery } from '../../utils/sanitize-query';
 
 type Options = {
 	collection: string;
@@ -36,11 +37,12 @@ export default defineOperationApi<Options>({
 		});
 
 		const queryObject = query ? optionToObject(query) : {};
+		const sanitizedQueryObject = sanitizeQuery(queryObject, customAccountability);
 
 		let result: PrimaryKey | PrimaryKey[] | null;
 
 		if (!key) {
-			result = await itemsService.deleteByQuery(queryObject);
+			result = await itemsService.deleteByQuery(sanitizedQueryObject);
 		} else {
 			const keys = toArray(key);
 

api/src/operations/item-read/index.ts

@@ -2,8 +2,9 @@ import { Accountability, PrimaryKey } from '@directus/shared/types';
 import { defineOperationApi, toArray } from '@directus/shared/utils';
 import { ItemsService } from '../../services';
 import { Item } from '../../types';
-import { optionToObject } from '../../utils/operation-options';
 import { getAccountabilityForRole } from '../../utils/get-accountability-for-role';
+import { optionToObject } from '../../utils/operation-options';
+import { sanitizeQuery } from '../../utils/sanitize-query';
 
 type Options = {
 	collection: string;
@@ -37,18 +38,19 @@ export default defineOperationApi<Options>({
 		});
 
 		const queryObject = query ? optionToObject(query) : {};
+		const sanitizedQueryObject = sanitizeQuery(queryObject, customAccountability);
 
 		let result: Item | Item[] | null;
 
 		if (!key) {
-			result = await itemsService.readByQuery(queryObject);
+			result = await itemsService.readByQuery(sanitizedQueryObject);
 		} else {
 			const keys = toArray(key);
 
 			if (keys.length === 1) {
-				result = await itemsService.readOne(keys[0], queryObject);
+				result = await itemsService.readOne(keys[0], sanitizedQueryObject);
 			} else {
-				result = await itemsService.readMany(keys, queryObject);
+				result = await itemsService.readMany(keys, sanitizedQueryObject);
 			}
 		}
 

api/src/operations/item-update/index.ts

@@ -2,8 +2,9 @@ import { Accountability, PrimaryKey } from '@directus/shared/types';
 import { defineOperationApi, toArray } from '@directus/shared/utils';
 import { ItemsService } from '../../services';
 import { Item } from '../../types';
-import { optionToObject } from '../../utils/operation-options';
 import { getAccountabilityForRole } from '../../utils/get-accountability-for-role';
+import { optionToObject } from '../../utils/operation-options';
+import { sanitizeQuery } from '../../utils/sanitize-query';
 
 type Options = {
 	collection: string;
@@ -40,6 +41,7 @@ export default defineOperationApi<Options>({
 		const payloadObject: Partial<Item> | Partial<Item>[] | null = optionToObject(payload) ?? null;
 
 		const queryObject = query ? optionToObject(query) : {};
+		const sanitizedQueryObject = sanitizeQuery(queryObject, customAccountability);
 
 		if (!payloadObject) {
 			return null;
@@ -48,7 +50,7 @@ export default defineOperationApi<Options>({
 		let result: PrimaryKey | PrimaryKey[] | null;
 
 		if (!key) {
-			result = await itemsService.updateByQuery(queryObject, payloadObject);
+			result = await itemsService.updateByQuery(sanitizedQueryObject, payloadObject);
 		} else {
 			const keys = toArray(key);