
Access control in collection

dtoa. (last year)

Is it possible to only see/delete/update items added by the user in the collection?

  • notchr (last year)
    @711506236998418442

    Sorry, which operations do you want to restrict?

  • dtoa. (last year)

    read, update, create and delete



    I have created something like this

    import type { Access } from "payload/config";

    // Admins pass outright. Editors pass only for collections listed in
    // user.access, and then only for docs they created, which is expressed by
    // returning a query constraint instead of a boolean. Everyone else,
    // anonymous users included, is denied.
    export const isAdminOrHasCollectionAccess = (collectionSlug: string = ''): Access => async ({ req: { user } }) => {
        if (!user) return false;
        if (user.roles.includes('admin')) return true;

        if (user.roles.includes('editor') && Array.isArray(user.access) && user.access.includes(collectionSlug)) {
            return {
                createdBy: {
                    equals: user.id,
                },
            };
        }
        return false;
    };


    And in my collection


        access: {
            read: isAdminOrHasCollectionAccess('housing_and_shelter'),
        },


    It's returning me

    TypeError: Cannot read properties of undefined (reading 'type')

    if there is no item from the user

    @486710146651652106

    What I also want is for it to not show other collections in the dashboard unless the user has permission.

  • notchr (last year)

    hmm

    At work I do

    import type { Access, FieldAccess } from 'payload/types';
    
    import type { Admin } from '../payload-types';
    
    export const isSuperAdmin: Access<
      any, // eslint-disable-line @typescript-eslint/no-explicit-any
      Admin
    > = ({ req: { user } }) => {
      return Boolean(user?.role.includes('superAdmin'));
    };
    
    export const isCmsAdmin: Access<
      any, // eslint-disable-line @typescript-eslint/no-explicit-any
      Admin
    > = ({ req: { user } }) => {
      return (
        Boolean(user?.role.includes('superAdmin')) ||
        Boolean(user?.role.includes('cmsAdmin'))
      );
    };


    But they added a new "admin" access rule

    Idk if it's necessary but

      access: {
        read: () => true,
        create: isUserAdmin,
        update: isUserAdmin,
        delete: isUserAdmin,
        // guard `user` so this cannot throw when no user is attached to the request
        admin: ({ req: { user } }) => {
          return Boolean(
            user?.role.includes('userAdmin') || user?.role.includes('superAdmin'),
          );
        },
      },


    is an example of how I apply roles

    (the type for admin access control was different than normal so that's why I have an extra check on admin)

  • dtoa. (last year)

    @486710146651652106, how do you keep this access control while making sure that it is still readable in the REST API?

  • notchr (last year)

    hmmm wdym

  • dtoa. (last year)

    Saw something like this

      // Non-logged in users can only read published docs
      return {
        _status: {
          equals: 'published'
        }
      };

    So should I add a status field in my collection?

    @486710146651652106
  • notchr (last year)

    Oo that seems promising, where'd ya see that?

  • arstoien_39918 (last year)

    Using

    _status: 'published'

    is how I'm currently doing this. I believe if you add versioning to the collection, this field is automatically added.

  • dtoa. (last year)

    @1222652796327821406, I see. Thank you. Let me try that.

  • dtoa. (last year)

    Thank you

    @1222652796327821406
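The pieces discussed in this thread, pulled together as an added example. This is this editor's code, not Payload's own and not something any participant posted: role checks, an owner-scoped where clause for editors, a published-only clause so the public REST/GraphQL read path keeps working without a session, and a beforeChange hook that stamps the owner server-side (if a client could set `createdBy`, a user could create docs attributed to someone else or hand their own docs to another owner on update, and the owner filter would be worthless). The `Access`, `User` and hook argument types are minimal stand-ins for Payload's own (`Access` from `payload/types`) so the file runs without Payload installed; the role names `admin`/`editor`, the `access` array on the user and the slug `housing_and_shelter` are assumptions taken from the thread. Both filters reference fields the collection below actually defines: `createdBy` is added as a field, and `_status` is the field Payload adds when `versions.drafts` is enabled, as arstoien_39918 notes above.

```typescript
// Added example (editor's code, not Payload's and not from the thread).
// Types below are stand-ins for Payload's `Access` / hook types; role names,
// the `access` grant list and the collection slug are assumptions.

type Where = Record<string, unknown>;
type AccessResult = boolean | Where;

interface User {
  id: string;
  roles?: string[];   // e.g. ['admin'] or ['editor']
  access?: string[];  // collection slugs an editor has been granted
}

interface AccessArgs {
  req: { user?: User | null };
}

type Access = (args: AccessArgs) => AccessResult;

function hasRole(user: User | null | undefined, role: string): boolean {
  return !!user && Array.isArray(user.roles) && user.roles.includes(role);
}

function hasCollectionGrant(user: User | null | undefined, slug: string): boolean {
  return !!user && Array.isArray(user.access) && user.access.includes(slug);
}

// Row-level filters. Payload can only build a where clause over fields the
// collection defines, so both names below must exist on the collection.
const ownedBy = (user: User): Where => ({ createdBy: { equals: user.id } });
const publishedOnly: Where = { _status: { equals: 'published' } };

// read: admins see everything; granted editors see their own docs, drafts
// included; everyone else (anonymous or ungranted) sees published docs only,
// which is what keeps the public REST read path working without a login.
export const readAccess = (slug: string): Access => ({ req: { user } }) => {
  if (hasRole(user, 'admin')) return true;
  if (user && hasRole(user, 'editor') && hasCollectionGrant(user, slug)) return ownedBy(user);
  return publishedOnly;
};

// create has no row to filter yet, so it is a plain boolean decision.
export const createAccess = (slug: string): Access => ({ req: { user } }) =>
  hasRole(user, 'admin') || (hasRole(user, 'editor') && hasCollectionGrant(user, slug));

// update/delete: same owner scoping for editors, but anonymous and ungranted
// users are denied outright instead of being handed a filter.
export const mutateAccess = (slug: string): Access => ({ req: { user } }) => {
  if (hasRole(user, 'admin')) return true;
  if (user && hasRole(user, 'editor') && hasCollectionGrant(user, slug)) return ownedBy(user);
  return false;
};

interface BeforeChangeArgs {
  data: Record<string, unknown>;
  req: { user?: User | null };
  operation: 'create' | 'update';
}

// The owner filter is only as trustworthy as the stored `createdBy`, so the
// hook forces it from the session on create and drops any client-supplied
// value on update (the stored owner is left untouched).
export function stampOwner({ data, req, operation }: BeforeChangeArgs): Record<string, unknown> {
  const cleaned: Record<string, unknown> = { ...data };
  delete cleaned.createdBy; // never trust a client-supplied owner
  if (operation === 'create') {
    if (!req.user) throw new Error('create requires an authenticated user');
    return { ...cleaned, createdBy: req.user.id };
  }
  return cleaned;
}

// Collection wiring, as a plain object in the shape of Payload's
// CollectionConfig (untyped here so the file compiles without Payload).
// `versions.drafts` is what makes `_status` exist; `createdBy` is a real
// field so the owner filter has something to match on.
const SLUG = 'housing_and_shelter';
export const HousingAndShelter = {
  slug: SLUG,
  versions: { drafts: true },
  access: {
    read: readAccess(SLUG),
    create: createAccess(SLUG),
    update: mutateAccess(SLUG),
    delete: mutateAccess(SLUG),
  },
  hooks: { beforeChange: [stampOwner] },
  fields: [
    { name: 'title', type: 'text', required: true },
    { name: 'createdBy', type: 'relationship', relationTo: 'users', admin: { readOnly: true } },
  ],
};
```

Two points worth checking in your own config: the field named in the returned where clause must be declared on the collection (here `createdBy` is, and `_status` only exists once drafts are enabled), and the value that the filter compares against must be set by the server, not the request body, or the row-level restriction can be bypassed by whoever controls the payload.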