CVE-2024-54151

### Summary When setting `WEBSOCKETS_GRAPHQL_AUTH` or `WEBSOCKETS_REST_AUTH` to "public", an unauthenticated user is able to do any of the supported operations (CRUD, subscriptions) with full admin privileges. ### Details Accountability for unauthenticated WebSocket requests is set to null, which used to be "public permissions" until the Permissions Policy update which now defaults that to system/admin level access. So instead of null we need to make use of `createDefaultAccountability()` to ensure public permissions are used for unauthenticated users. ### PoC 1. Start directus with ```bash WEBSOCKETS_ENABLED=true WEBSOCKETS_GRAPHQL_AUTH=public WEBSOCKETS_REST_AUTH=public ``` 2. Subscribe using GQL or REST or do any CRUD operation on a user created collection (system tables are not reachable with crud) ```gql subscription { directus_users_mutated { key event data { id email first_name last_name password } } } ``` or ```json { "type": "items", "action": "read", "collection": "your_collection_name" } ``` 3a. Open up the data studio as any user. Observe how the subscriber gets notified on each page navigation (because the users `last_page` gets updated, the `password` fields is properly redacted here) 3b. Observe receiving all available items from the `your_collection_name` collection. ### Impact This impacts any Directus instance that has either `WEBSOCKETS_GRAPHQL_AUTH` or `WEBSOCKETS_REST_AUTH` set to `public` allowing unauthenticated users to subscribe for changes on any collection or do REST CRUD operations on user defined collections ignoring permissions.