Skip to content

Fixed missing accountability for files.upload when TUS is enabled#26247

Merged
AlexGaillard merged 6 commits intomainfrom
br41nslug/cms-1519-flowshooks-accountability-is-missing-when-triggered-as
Nov 24, 2025
Merged

Fixed missing accountability for files.upload when TUS is enabled#26247
AlexGaillard merged 6 commits intomainfrom
br41nslug/cms-1519-flowshooks-accountability-is-missing-when-triggered-as

Conversation

@br41nslug
Copy link
Member

@br41nslug br41nslug commented Nov 24, 2025
edited
Loading

Scope

What's changed:

After the @tus/server dependency update it looks like the Directus request object no longer gets properly propagated to its callback functions.

  • The createTusServer receives the proper request object containing accountability, schema and token from our middleware
  • But the onUploadFinish callback however seems to be lacking our custom properties listed above

To fix this issue I am using the context object provided to the createTusServer function as the data for emitting the event instead of relying on the req parameter of the callback.

Potential Risks / Drawbacks

  • Small fix i dont see many risks

Tested Scenarios

  • Lorem ipsum dolor sit amet
  • Consectetur adipiscing elit

Review Notes / Questions

  • I would like to lorem ipsum
  • Special attention should be paid to dolor sit amet

Checklist

  • Added or updated tests

Fixes #26242

@linear
Copy link

linear bot commented Nov 24, 2025

CMS-1519 flows/hooks: accountability is missing when triggered as tenant admin after upgrade to 11.13.2

ComfortablyCoding
ComfortablyCoding previously requested changes Nov 24, 2025
View reviewed changes
Copy link
Member

@ComfortablyCoding ComfortablyCoding left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems this is due to using srvx, per the PR for node environments we should be able to do req.node.req.accountability to access the original request. This looks to work, thoughts?

@br41nslug
Copy link
Member Author

br41nslug commented Nov 24, 2025
edited
Loading

per the PR for node environments we should be able to do req.node.req.accountability to access the original request. This looks to work, thoughts?

That does indeed seem to work as a new way to access the underlying request (with our custom properties). I think however that using our own context (where we explicitly provide the correct accountability) is more future proof. If they ever decide to update this internal logic again then the context based approach will likely not break.

@ComfortablyCoding ComfortablyCoding dismissed their stale review November 24, 2025 16:34

Agreeable response

@codecov
Copy link

codecov bot commented Nov 24, 2025
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 59.39%. Comparing base (f74b2c1) to head (5a7826c).
⚠️ Report is 3 commits behind head on main.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main   #26247      +/-   ##
==========================================
+ Coverage   59.16%   59.39%   +0.22%     
==========================================
  Files        2079     2079              
  Lines      131577   131592      +15     
  Branches     7930     7984      +54     
==========================================
+ Hits        77844    78154     +310     
+ Misses      53733    53438     -295
Flag Coverage Δ
api 43.78% <100.00%> (+0.25%) ⬆️
app 70.61% <ø> (+0.25%) ⬆️
composables 82.25% <ø> (ø)
create-directus-extension 94.44% <ø> (ø)
create-directus-project 98.43% <ø> (ø)
env 99.67% <ø> (ø)
errors 97.47% <ø> (ø)
extensions 35.63% <ø> (ø)
extensions-registry 95.27% <ø> (ø)
extensions-sdk 14.38% <ø> (ø)
format-title 100.00% <ø> (ø)
memory 95.75% <ø> (ø)
pressure 77.63% <ø> (ø)
release-notes-generator 81.14% <ø> (ø)
schema-builder 80.59% <ø> (ø)
sdk 8.33% <ø> (ø)
storage 92.00% <ø> (ø)
storage-driver-azure 76.76% <ø> (ø)
storage-driver-cloudinary 81.14% <ø> (ø)
storage-driver-gcs 69.72% <ø> (ø)
storage-driver-local 69.76% <ø> (ø)
storage-driver-s3 46.73% <ø> (ø)
storage-driver-supabase 68.20% <ø> (ø)
system-data 71.81% <ø> (ø)
update-check 55.67% <ø> (ø)
utils 87.16% <ø> (ø)
validation 44.50% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@ComfortablyCoding ComfortablyCoding self-requested a review November 24, 2025 18:15
@ComfortablyCoding ComfortablyCoding self-assigned this Nov 24, 2025
ComfortablyCoding
ComfortablyCoding reviewed Nov 24, 2025
View reviewed changes
@ComfortablyCoding ComfortablyCoding changed the title Event hooks missing accountability for TUS uploads Fixed missing accountability for files.upload when TUS is enabled Nov 24, 2025
AlexGaillard
AlexGaillard approved these changes Nov 24, 2025
View reviewed changes
Copy link
Member

@AlexGaillard AlexGaillard left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

TESTS!

@AlexGaillard AlexGaillard enabled auto-merge (squash) November 24, 2025 19:18
@AlexGaillard AlexGaillard merged commit 5b9c580 into main Nov 24, 2025
77 checks passed
@AlexGaillard AlexGaillard deleted the br41nslug/cms-1519-flowshooks-accountability-is-missing-when-triggered-as branch November 24, 2025 19:25
@github-actions github-actions bot added this to the Next Release milestone Nov 24, 2025
alexlebens pushed a commit to alexlebens/infrastructure that referenced this pull request Dec 11, 2025
@alexlebens
Update directus/directus Docker tag to v11.14.0 (#2365)
4a03b90 
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [directus/directus](https://github.com/directus/directus) | minor | `11.13.4` -> `11.14.0` |

---

### Release Notes

<details>
<summary>directus/directus (directus/directus)</summary>

### [`v11.14.0`](https://github.com/directus/directus/releases/tag/v11.14.0)

[Compare Source](directus/directus@v11.13.4...v11.14.0)

##### ⚠️ Potential Breaking Changes

- **[@&#8203;directus/stores](https://github.com/directus/stores)**
  - Removed sidebar states from app store ([#&#8203;26259](directus/directus#26259) by [@&#8203;rijkvanzanten](https://github.com/rijkvanzanten))

##### ✨ New Features & Improvements

- **[@&#8203;directus/app](https://github.com/directus/app)**
  - Added support for downloading multiple files and entire folder trees ([#&#8203;26006](directus/directus#26006) by [@&#8203;Nitwel](https://github.com/Nitwel))
  - Added AI chat sidebar ([#&#8203;26259](directus/directus#26259) by [@&#8203;rijkvanzanten](https://github.com/rijkvanzanten))
  - Added support for float intervals and min/max warnings for number inputs ([#&#8203;26190](directus/directus#26190) by [@&#8203;gaetansenn](https://github.com/gaetansenn))
  - Made both sidebars resizable ([#&#8203;26259](directus/directus#26259) by [@&#8203;rijkvanzanten](https://github.com/rijkvanzanten))
  - Added header interface ([#&#8203;26302](directus/directus#26302) by [@&#8203;AlexGaillard](https://github.com/AlexGaillard))
- **[@&#8203;directus/api](https://github.com/directus/api)**
  - Added support for downloading multiple files and entire folder trees ([#&#8203;26006](directus/directus#26006) by [@&#8203;Nitwel](https://github.com/Nitwel))
  - Added AI chat sidebar ([#&#8203;26259](directus/directus#26259) by [@&#8203;rijkvanzanten](https://github.com/rijkvanzanten))
- **[@&#8203;directus/types](https://github.com/directus/types)**
  - Added support for downloading multiple files and entire folder trees ([#&#8203;26006](directus/directus#26006) by [@&#8203;Nitwel](https://github.com/Nitwel))
  - Added AI chat sidebar ([#&#8203;26259](directus/directus#26259) by [@&#8203;rijkvanzanten](https://github.com/rijkvanzanten))
- **[@&#8203;directus/utils](https://github.com/directus/utils)**
  - Added support for downloading multiple files and entire folder trees ([#&#8203;26006](directus/directus#26006) by [@&#8203;Nitwel](https://github.com/Nitwel))
  - Moved `fetchRolesTree`,`fetchGlobalAccess`, `fetchGlobalAccessForUser` and `fetchGlobalAccessForRoles` to the public utility package ([#&#8203;26248](directus/directus#26248) by [@&#8203;ComfortablyCoding](https://github.com/ComfortablyCoding))
- **[@&#8203;directus/sdk](https://github.com/directus/sdk)**
  - Added support for downloading multiple files and entire folder trees ([#&#8203;26006](directus/directus#26006) by [@&#8203;Nitwel](https://github.com/Nitwel))
- **[@&#8203;directus/system-data](https://github.com/directus/system-data)**
  - Added AI chat sidebar ([#&#8203;26259](directus/directus#26259) by [@&#8203;rijkvanzanten](https://github.com/rijkvanzanten))
- **[@&#8203;directus/errors](https://github.com/directus/errors)**
  - Added AI chat sidebar ([#&#8203;26259](directus/directus#26259) by [@&#8203;rijkvanzanten](https://github.com/rijkvanzanten))
- **[@&#8203;directus/themes](https://github.com/directus/themes)**
  - Added AI chat sidebar ([#&#8203;26259](directus/directus#26259) by [@&#8203;rijkvanzanten](https://github.com/rijkvanzanten))

##### 🐛 Bug Fixes & Optimizations

- **[@&#8203;directus/app](https://github.com/directus/app)**
  - Fixed an issue where input focus ring disappears on hover ([#&#8203;26315](directus/directus#26315) by [@&#8203;formfcw](https://github.com/formfcw))
  - Fixed display template not appearing for relations inside translations on new items ([#&#8203;26219](directus/directus#26219) by [@&#8203;gaetansenn](https://github.com/gaetansenn))
  - Ensured the created revision uses the correct label ([#&#8203;26289](directus/directus#26289) by [@&#8203;vizzv](https://github.com/vizzv))
  - Added reactive primaryKey prop to useFlows composable ([#&#8203;26287](directus/directus#26287) by [@&#8203;AlexGaillard](https://github.com/AlexGaillard))
- **[@&#8203;directus/api](https://github.com/directus/api)**
  - Added redirect validation ([#&#8203;26346](directus/directus#26346) by [@&#8203;br41nslug](https://github.com/br41nslug))
  - Moved `fetchRolesTree`,`fetchGlobalAccess`, `fetchGlobalAccessForUser` and `fetchGlobalAccessForRoles` to the public utility package ([#&#8203;26248](directus/directus#26248) by [@&#8203;ComfortablyCoding](https://github.com/ComfortablyCoding))
  - Updated synchronization of remotely stored extensions ([#&#8203;26192](directus/directus#26192) by [@&#8203;br41nslug](https://github.com/br41nslug))
  - Fixed missing accountability for `files.upload` when TUS is enabled ([#&#8203;26247](directus/directus#26247) by [@&#8203;br41nslug](https://github.com/br41nslug))
- **[@&#8203;directus/types](https://github.com/directus/types)**
  - Moved `fetchRolesTree`,`fetchGlobalAccess`, `fetchGlobalAccessForUser` and `fetchGlobalAccessForRoles` to the public utility package ([#&#8203;26248](directus/directus#26248) by [@&#8203;ComfortablyCoding](https://github.com/ComfortablyCoding))
  - Updated synchronization of remotely stored extensions ([#&#8203;26192](directus/directus#26192) by [@&#8203;br41nslug](https://github.com/br41nslug))
- **[@&#8203;directus/storage-driver-cloudinary](https://github.com/directus/storage-driver-cloudinary)**
  - Updated synchronization of remotely stored extensions ([#&#8203;26192](directus/directus#26192) by [@&#8203;br41nslug](https://github.com/br41nslug))
- **[@&#8203;directus/storage-driver-supabase](https://github.com/directus/storage-driver-supabase)**
  - Updated synchronization of remotely stored extensions ([#&#8203;26192](directus/directus#26192) by [@&#8203;br41nslug](https://github.com/br41nslug))
- **[@&#8203;directus/extensions-sdk](https://github.com/directus/extensions-sdk)**
  - Updated `esbuild` dependency from 0.25.12 to 0.26.0 ([#&#8203;26215](directus/directus#26215) by [@&#8203;dependabot](https://github.com/dependabot))
- **[@&#8203;directus/system-data](https://github.com/directus/system-data)**
  - Updated `esbuild` dependency from 0.25.12 to 0.26.0 ([#&#8203;26215](directus/directus#26215) by [@&#8203;dependabot](https://github.com/dependabot))
- **[@&#8203;directus/sdk](https://github.com/directus/sdk)**
  - Updated `esbuild` dependency from 0.25.12 to 0.26.0 ([#&#8203;26215](directus/directus#26215) by [@&#8203;dependabot](https://github.com/dependabot))
- **[@&#8203;directus/themes](https://github.com/directus/themes)**
  - Made both sidebars resizable ([#&#8203;26259](directus/directus#26259) by [@&#8203;rijkvanzanten](https://github.com/rijkvanzanten))
- **[@&#8203;directus/utils](https://github.com/directus/utils)**
  - Preserved Error when passed to run-script operation ([#&#8203;26234](directus/directus#26234) by [@&#8203;gaetansenn](https://github.com/gaetansenn))
- **[@&#8203;directus/composables](https://github.com/directus/composables)**
  - Set default sidebar shadow to false ([#&#8203;26259](directus/directus#26259) by [@&#8203;rijkvanzanten](https://github.com/rijkvanzanten))

##### 📦 Published Versions

- `@directus/[email protected]`
- `@directus/[email protected]`
- `@directus/[email protected]`
- `[email protected]`
- `@directus/[email protected]`
- `@directus/[email protected]`
- `@directus/[email protected]`
- `@directus/[email protected]`
- `@directus/[email protected]`
- `@directus/[email protected]`
- `@directus/[email protected]`
- `@directus/[email protected]`
- `@directus/[email protected]`
- `@directus/[email protected]`
- `@directus/[email protected]`
- `@directus/storage-driver-s3@&#8203;12.0.13`
- `@directus/[email protected]`
- `@directus/[email protected]`
- `@directus/[email protected]`
- `@directus/[email protected]`
- `@directus/[email protected]`
- `@directus/[email protected]`
- `@directus/[email protected]`
- `@directus/[email protected]`

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi4zOS4xIiwidXBkYXRlZEluVmVyIjoiNDIuMzkuMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiaW1hZ2UiXX0=-->

Reviewed-on: https://gitea.alexlebens.dev/alexlebens/infrastructure/pulls/2365
Co-authored-by: Renovate Bot <[email protected]>
Co-committed-by: Renovate Bot <[email protected]>
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jan 24, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@ComfortablyCoding ComfortablyCoding ComfortablyCoding approved these changes

@AlexGaillard AlexGaillard AlexGaillard approved these changes

Assignees

@ComfortablyCoding ComfortablyCoding

Labels

Run Blackbox

Projects

None yet

Milestone

v11.14.0

Development

Successfully merging this pull request may close these issues.

flows/hooks: accountability is missing when triggered as tenant admin after upgrade to 11.13.2

3 participants

@br41nslug @ComfortablyCoding @AlexGaillard