
Access control in collection

dtoa. 9 months ago

Is it possible to only see/delete/update items added by the user in the collection?



read, update, create and delete



I have created something like this



import { Access } from "payload/config";

// Admins get full access; editors granted this collection only get documents they created.
export const isAdminOrHasCollectionAccess = (collectionSlug: string = ''): Access => async ({ req: { user } }) => {
    if (user) {
        if (user.roles.includes('admin')) return true;

        if (user.roles.includes('editor') && user.access?.length > 0 && user.access.includes(collectionSlug)) {
            // Returning a query constraint limits results to matching documents
            return {
                createdBy: {
                    equals: user.id,
                },
            };
        } else {
            return false;
        }
    }
    // Not logged in: no access
    return false;
}


And in my collection


    access: {
        read: isAdminOrHasCollectionAccess('housing_and_shelter'),
    },


It's returning me

TypeError: Cannot read properties of undefined (reading 'type')

if there is no item from the user

@486710146651652106

What I also want is to not show other collections unless with permission in the dashboard



@486710146651652106, how do you keep this access control while making sure that it is still readable in the REST API?



Saw something like this



  // Non-logged in users can only read published docs
  return {
    _status: {
      equals: 'published'
    }
  };


So should I add a status field in my collection

@486710146651652106

Here.

https://github.com/payloadcms/access-control-demo/blob/master/src/access/isAdminHasSiteAccessOrPublished.ts

@1222652796327821406, I see. Thank you. Let me try that.



Thank you

@1222652796327821406
  • notchr 10 months ago
    @711506236998418442

    Sorry, which operations do you want to restrict?



    hmm



    At work I do



    import type { Access, FieldAccess } from 'payload/types';
    
    import type { Admin } from '../payload-types';
    
    export const isSuperAdmin: Access<
      any, // eslint-disable-line @typescript-eslint/no-explicit-any
      Admin
    > = ({ req: { user } }) => {
      return Boolean(user?.role.includes('superAdmin'));
    };
    
    export const isCmsAdmin: Access<
      any, // eslint-disable-line @typescript-eslint/no-explicit-any
      Admin
    > = ({ req: { user } }) => {
      return (
        Boolean(user?.role.includes('superAdmin')) ||
        Boolean(user?.role.includes('cmsAdmin'))
      );
    };


    But they added a new "admin" access rule



    Idk if it's necessary but



      access: {
        read: () => true,
        create: isUserAdmin,
        update: isUserAdmin,
        delete: isUserAdmin,
        admin: ({ req: { user } }) => {
          return (
            user.role.includes('userAdmin') || user.role.includes('superAdmin')
          );
        },
      },


    is an example of how i apply roles



    (the type for admin access control was different than normal so that's why i have an extra check on admin)



    hmmm wdym



    Oo that seems promising, whered ya see that?

  • arstoien_39918 10 months ago

    Using

    _status: 'published'

    is how I'm currently doing this. I believe if you add versioning to the collection, this field is automatically added.



    https://payloadcms.com/docs/versions/overview
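
The pattern discussed in this thread, as an added example that is not code from the original posts or from Payload itself: admins read everything, editors granted the collection read only their own documents, and everyone else (including anonymous REST callers) reads only published documents. It assumes the collection defines a `createdBy` field and has drafts enabled so `_status` exists; the local types, `ownDocsOrPublished`, `visibleIds` and the sample documents are hypothetical stand-ins so the logic runs offline.

```typescript
// Local stand-ins for Payload's access types (assumption, simplified for an offline run).
type User = { id: string; roles?: string[]; access?: string[] };
type Where = Record<string, { equals: string }>;
type AccessResult = boolean | Where;
type Doc = { id: string } & Record<string, string>;

const PUBLISHED: Where = { _status: { equals: 'published' } };

// Hypothetical helper name; role and field names follow the thread.
const ownDocsOrPublished = (collectionSlug: string) =>
  ({ req: { user } }: { req: { user?: User | null | undefined } }): AccessResult => {
    if (!user) return PUBLISHED; // anonymous REST caller
    const roles = user.roles ?? [];
    if (roles.includes('admin')) return true;
    if (roles.includes('editor') && (user.access ?? []).includes(collectionSlug)) {
      return { createdBy: { equals: user.id } }; // only the editor's own docs
    }
    return PUBLISHED; // logged in, but no grant for this collection
  };

// Simplified stand-in for how a returned constraint filters documents.
function visibleIds(docs: Doc[], result: AccessResult): string[] {
  if (result === true) return docs.map((d) => d.id);
  if (result === false) return [];
  return docs
    .filter((d) => Object.entries(result).every(([field, cond]) => d[field] === cond.equals))
    .map((d) => d.id);
}

// Constructed sample data.
const sampleDocs: Doc[] = [
  { id: 'a', createdBy: 'u1', _status: 'published' },
  { id: 'b', createdBy: 'u1', _status: 'draft' },
  { id: 'c', createdBy: 'u2', _status: 'published' },
];
const readAccess = ownDocsOrPublished('housing_and_shelter');
const asUser = (user?: User): string[] => visibleIds(sampleDocs, readAccess({ req: { user } }));
```

An editor who has not created anything yet matches zero documents, so the result is an empty list rather than a denial.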