fix: querying virtual fields deeply with draft: true (#12868)

Fixes an issue when querying deeply new relationship virtual fields with
`draft: true`. Changes the method for `where` sanitization, before it
was done in `validateSearchParam` which didn't work with versions
properly, now there's a separate `sanitizeWhereQuery` function that does
this.

Author: r1tsuu

packages/payload/src/collections/operations/count.ts

@@ -6,6 +6,7 @@ import type { Collection } from '../config/types.js'
 import executeAccess from '../../auth/executeAccess.js'
 import { combineQueries } from '../../database/combineQueries.js'
 import { validateQueryPaths } from '../../database/queryValidation/validateQueryPaths.js'
+import { sanitizeWhereQuery } from '../../database/sanitizeWhereQuery.js'
 import { killTransaction } from '../../utilities/killTransaction.js'
 import { buildAfterOperation } from './utils.js'
 
@@ -71,6 +72,7 @@ export const countOperation = async <TSlug extends CollectionSlug>(
     let result: { totalDocs: number }
 
     const fullWhere = combineQueries(where!, accessResult!)
+    sanitizeWhereQuery({ fields: collectionConfig.flattenedFields, payload, where: fullWhere })
 
     await validateQueryPaths({
       collectionConfig,

packages/payload/src/collections/operations/countVersions.ts

@@ -5,6 +5,7 @@ import type { Collection } from '../config/types.js'
 import executeAccess from '../../auth/executeAccess.js'
 import { combineQueries } from '../../database/combineQueries.js'
 import { validateQueryPaths } from '../../database/queryValidation/validateQueryPaths.js'
+import { sanitizeWhereQuery } from '../../database/sanitizeWhereQuery.js'
 import { buildVersionCollectionFields, type CollectionSlug } from '../../index.js'
 import { killTransaction } from '../../utilities/killTransaction.js'
 import { buildAfterOperation } from './utils.js'
@@ -77,6 +78,8 @@ export const countVersionsOperation = async <TSlug extends CollectionSlug>(
 
     const versionFields = buildVersionCollectionFields(payload.config, collectionConfig, true)
 
+    sanitizeWhereQuery({ fields: versionFields, payload, where: fullWhere })
+
     await validateQueryPaths({
       collectionConfig,
       overrideAccess: overrideAccess!,

packages/payload/src/collections/operations/delete.ts

@@ -13,6 +13,7 @@ import type {
 import executeAccess from '../../auth/executeAccess.js'
 import { combineQueries } from '../../database/combineQueries.js'
 import { validateQueryPaths } from '../../database/queryValidation/validateQueryPaths.js'
+import { sanitizeWhereQuery } from '../../database/sanitizeWhereQuery.js'
 import { APIError } from '../../errors/index.js'
 import { afterRead } from '../../fields/hooks/afterRead/index.js'
 import { deleteUserPreferences } from '../../preferences/deleteUserPreferences.js'
@@ -107,6 +108,8 @@ export const deleteOperation = async <
 
     const fullWhere = combineQueries(where, accessResult!)
 
+    sanitizeWhereQuery({ fields: collectionConfig.flattenedFields, payload, where: fullWhere })
+
     const select = sanitizeSelect({
       fields: collectionConfig.flattenedFields,
       forceSelect: collectionConfig.forceSelect,

packages/payload/src/collections/operations/find.ts

@@ -19,6 +19,7 @@ import executeAccess from '../../auth/executeAccess.js'
 import { combineQueries } from '../../database/combineQueries.js'
 import { validateQueryPaths } from '../../database/queryValidation/validateQueryPaths.js'
 import { sanitizeJoinQuery } from '../../database/sanitizeJoinQuery.js'
+import { sanitizeWhereQuery } from '../../database/sanitizeWhereQuery.js'
 import { afterRead } from '../../fields/hooks/afterRead/index.js'
 import { lockedDocumentsCollectionSlug } from '../../locked-documents/config.js'
 import { killTransaction } from '../../utilities/killTransaction.js'
@@ -144,6 +145,7 @@ export const findOperation = async <
     let result: PaginatedDocs<DataFromCollectionSlug<TSlug>>
 
     let fullWhere = combineQueries(where!, accessResult!)
+    sanitizeWhereQuery({ fields: collectionConfig.flattenedFields, payload, where: fullWhere })
 
     const sort = sanitizeSortQuery({
       fields: collection.config.flattenedFields,

packages/payload/src/collections/operations/findByID.ts

@@ -18,6 +18,7 @@ import type {
 import executeAccess from '../../auth/executeAccess.js'
 import { combineQueries } from '../../database/combineQueries.js'
 import { sanitizeJoinQuery } from '../../database/sanitizeJoinQuery.js'
+import { sanitizeWhereQuery } from '../../database/sanitizeWhereQuery.js'
 import { NotFound } from '../../errors/index.js'
 import { afterRead } from '../../fields/hooks/afterRead/index.js'
 import { validateQueryPaths } from '../../index.js'
@@ -110,6 +111,12 @@ export const findByIDOperation = async <
 
     const fullWhere = combineQueries(where, accessResult)
 
+    sanitizeWhereQuery({
+      fields: collectionConfig.flattenedFields,
+      payload: args.req.payload,
+      where: fullWhere,
+    })
+
     const sanitizedJoins = await sanitizeJoinQuery({
       collectionConfig,
       joins,

packages/payload/src/collections/operations/findVersions.ts

@@ -7,6 +7,7 @@ import type { Collection } from '../config/types.js'
 import executeAccess from '../../auth/executeAccess.js'
 import { combineQueries } from '../../database/combineQueries.js'
 import { validateQueryPaths } from '../../database/queryValidation/validateQueryPaths.js'
+import { sanitizeWhereQuery } from '../../database/sanitizeWhereQuery.js'
 import { afterRead } from '../../fields/hooks/afterRead/index.js'
 import { killTransaction } from '../../utilities/killTransaction.js'
 import { sanitizeInternalFields } from '../../utilities/sanitizeInternalFields.js'
@@ -71,9 +72,10 @@ export const findVersionsOperation = async <TData extends TypeWithVersion<TData>
     })
 
     const fullWhere = combineQueries(where!, accessResults)
+    sanitizeWhereQuery({ fields: versionFields, payload, where: fullWhere })
 
     const select = sanitizeSelect({
-      fields: buildVersionCollectionFields(payload.config, collectionConfig, true),
+      fields: versionFields,
       forceSelect: getQueryDraftsSelect({ select: collectionConfig.forceSelect }),
       select: incomingSelect,
       versions: true,

packages/payload/src/collections/operations/update.ts

@@ -15,7 +15,8 @@ import type {
 import executeAccess from '../../auth/executeAccess.js'
 import { combineQueries } from '../../database/combineQueries.js'
 import { validateQueryPaths } from '../../database/queryValidation/validateQueryPaths.js'
-import { APIError, Forbidden } from '../../errors/index.js'
+import { sanitizeWhereQuery } from '../../database/sanitizeWhereQuery.js'
+import { APIError } from '../../errors/index.js'
 import { type CollectionSlug, deepCopyObjectSimple } from '../../index.js'
 import { generateFileData } from '../../uploads/generateFileData.js'
 import { unlinkTempFiles } from '../../uploads/unlinkTempFiles.js'
@@ -140,6 +141,8 @@ export const updateOperation = async <
 
     const fullWhere = combineQueries(where, accessResult!)
 
+    sanitizeWhereQuery({ fields: collectionConfig.flattenedFields, payload, where: fullWhere })
+
     const sort = sanitizeSortQuery({
       fields: collection.config.flattenedFields,
       sort: incomingSort,

packages/payload/src/database/queryValidation/validateSearchParams.ts

@@ -113,9 +113,6 @@ export async function validateSearchParam({
       if ('virtual' in field && field.virtual) {
         if (field.virtual === true) {
           errors.push({ path })
-        } else {
-          constraint[`${field.virtual}` as keyof WhereField] = constraint[path as keyof WhereField]
-          delete constraint[path as keyof WhereField]
         }
       }
 

packages/payload/src/database/sanitizeWhereQuery.ts

@@ -0,0 +1,64 @@
+import type { FlattenedField } from '../fields/config/types.js'
+import type { Payload, Where } from '../types/index.js'
+
+/**
+ * Currently used only for virtual fields linked with relationships
+ */
+export const sanitizeWhereQuery = ({
+  fields,
+  payload,
+  where,
+}: {
+  fields: FlattenedField[]
+  payload: Payload
+  where: Where
+}) => {
+  for (const key in where) {
+    const value = where[key]
+
+    if (['and', 'or'].includes(key.toLowerCase()) && Array.isArray(value)) {
+      for (const where of value) {
+        sanitizeWhereQuery({ fields, payload, where })
+      }
+      continue
+    }
+
+    const paths = key.split('.')
+    let pathHasChanged = false
+
+    let currentFields = fields
+
+    for (let i = 0; i < paths.length; i++) {
+      const path = paths[i]!
+      const field = currentFields.find((each) => each.name === path)
+
+      if (!field) {
+        break
+      }
+
+      if ('virtual' in field && field.virtual && typeof field.virtual === 'string') {
+        paths[i] = field.virtual
+        pathHasChanged = true
+      }
+
+      if ('flattenedFields' in field) {
+        currentFields = field.flattenedFields
+      }
+
+      if (
+        (field.type === 'relationship' || field.type === 'upload') &&
+        typeof field.relationTo === 'string'
+      ) {
+        const relatedCollection = payload.collections[field.relationTo]
+        if (relatedCollection) {
+          currentFields = relatedCollection.config.flattenedFields
+        }
+      }
+    }
+
+    if (pathHasChanged) {
+      where[paths.join('.')] = where[key]!
+      delete where[key]
+    }
+  }
+}

test/database/config.ts

@@ -38,6 +38,7 @@ export default buildConfigWithDefaults({
   collections: [
     {
       slug: 'categories',
+      versions: { drafts: true },
       fields: [
         {
           type: 'text',