help-> I have set up access control in my app according to the documentation. Everything seems to work fine on my machine. However, when I deploy, anywhere I implement access control produces an error (you are not allowed to ...).
For example:
----------------
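import { CollectionConfig } from 'payload/types';
// isAdmin is the poster's own access helper; its definition is not shown in the thread.

const Instruments: CollectionConfig = {
  slug: 'instruments',
  admin: {
    useAsTitle: 'name',
    defaultColumns: ['name'],
  },
  access: {
    read: () => true,
    create: () => true,
    // Allowed only when the request carries an authenticated user
    update: ({ req: { user } }) => {
      return Boolean(user);
    },
    delete: isAdmin,
  },
  fields: [
    {
      name: 'name',
      type: 'text',
      required: true,
    },
  ],
  timestamps: false,
};

export default Instruments;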
------------
Read works, create works, but update and delete do not.
What does your update request/fetch look like?
response -> from ssh: Forbidden: You are not allowed to perform this action.
at new ExtendableError (/home/jelastic/ROOT/node_modules/payload/src/errors/APIError.ts:26:11)
at new APIError (/home/jelastic/ROOT/node_modules/payload/src/errors/APIError.ts:43:5)
at new Forbidden (/home/jelastic/ROOT/node_modules/payload/src/errors/Forbidden.ts:7:5)
at executeAccess (/home/jelastic/ROOT/node_modules/payload/src/auth/executeAccess.ts:9:43)
at processTicksAndRejections (node:internal/process/task_queues:96:5)
at update (/home/jelastic/ROOT/node_modules/payload/src/collections/operations/update.ts:97:43)
at updateHandler (/home/jelastic/ROOT/node_modules/payload/src/collections/requestHandlers/update.ts:24:17)
This is from trying in the Payload admin.
Update: solution found
I added these to my config:
---
rateLimit: {
  trustProxy: true
},
csrf: [
  '<url_to_the_site>'
]
I am running my app in a Virtuozzo environment with a lot of control on deployment, load balancing, etc. No clue which one of the 2 worked, though.
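An added example, not code from this thread or from Payload: a simplified model of how an origin allowlist such as `csrf` can produce the pattern reported above, where `read` and `create` succeed while the operations that need `user` are forbidden. It assumes the auth cookie is ignored when the request's `Origin` is not on the allowlist; `isAdmin`, the session store and the URLs are hypothetical.

```javascript
// Simplified model, constructed for illustration. Not Payload's source code.
// Assumption: the auth cookie is honoured only when the request's Origin header
// is on the csrf allowlist (or the allowlist is empty, or no Origin is sent).

// Hypothetical stand-in for the poster's isAdmin helper, which the thread does not show.
const isAdmin = ({ req: { user } }) => Boolean(user && user.role === 'admin');

// Access functions as written in the collection from the question.
const access = {
  read: () => true,
  create: () => true,
  update: ({ req: { user } }) => Boolean(user),
  delete: isAdmin,
};

// Constructed session store: cookie token -> logged-in user.
const sessions = { 'tok-123': { email: 'editor@example.com', role: 'admin' } };

function resolveUser(request, csrfAllowlist) {
  const { origin, cookieToken } = request;
  const originAllowed =
    !origin || csrfAllowlist.length === 0 || csrfAllowlist.includes(origin);
  if (!originAllowed) return null; // cookie dropped: request is treated as anonymous
  return sessions[cookieToken] || null;
}

function attempt(operation, request, csrfAllowlist) {
  const user = resolveUser(request, csrfAllowlist);
  return access[operation]({ req: { user } }) ? 'ok' : 'Forbidden';
}

function runAll(request, csrfAllowlist) {
  const results = {};
  for (const op of Object.keys(access)) results[op] = attempt(op, request, csrfAllowlist);
  return results;
}

// Constructed request: a logged-in admin using the deployed site's public URL.
const deployedRequest = { origin: 'https://cms.example.com', cookieToken: 'tok-123' };

// Allowlist that only contains a development origin: the cookie is ignored.
console.log(runAll(deployedRequest, ['http://localhost:3000']));
// Allowlist that contains the public origin: the cookie is accepted.
console.log(runAll(deployedRequest, ['https://cms.example.com']));
```

When debugging this symptom, compare the `Origin` header the browser actually sends in production with the entries in `csrf`, including scheme and port.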