Good morning, we're a bit new to Payload and currently trying to set everything up (only the backend right now in order to migrate data over).
Anyway, we noticed that by default, any API endpoint (i.e: /api/pages/) is publicly viewable. We'd like to prevent this from happening and I've checked out https://payloadcms.com/docs/authentication/operations but still not too sure how to do this, unfortunately.
In the meantime, since we're hosting our payload backend on Azure app service, I've added Authentication there so at least that's working for us 🙂
Hello @1019667378960863293!
You want to set up Access Control for your collections
For instance, if you have your Pages Collection
const Pages: CollectionConfig = {
  slug: "pages",
  access: {
    create: ({ req: { user } }) => { ... },
    read: ({ req: { user } }) => { ... },
    update: ({ req: { user } }) => { ... },
    delete: ({ req: { user } }) => { ... },
    admin: ({ req: { user } }) => { ... },
  },
};
Each type of operation in access (create, read, etc) has a function as its value
The function should return a boolean
Some folks implement role-based access and have slightly more complex access logic
If you can elaborate on how you want the access to work, I can suggest a configuration
^^^
And if you need helper plugins, I'll shill mine and another one:
Oh yeah @858693520012476436 we definitely used yours at first but then we somewhat copied what payload itself uses, which is defining roles in /access/ and referencing them later on in Pages.ts
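access: {
  // `fnA || fnB` always evaluates to fnA (a function is truthy), so isTech was
  // never consulted. Call each check with the access args instead; isTech runs
  // first so a query constraint from the other check cannot short-circuit it.
  read: async (args) => (await isTech(args)) || isAdminOrHasSiteAccessOrPublished(args),
  create: async (args) => (await isTech(args)) || isAdminOrHasSiteAccess('id')(args),
  update: async (args) => (await isTech(args)) || isAdminOrHasSiteAccess('id')(args),
  delete: isAdmin,
},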
interesting, I'm up for updating my plugin with further utilities if it stays within the scope of its simplicity... what limitations did you have?
I think one of my devs just preferred the cleaner look 🙂 No biggie
that's actually the main reason I didn't do anything complex for mine... with Payload it's much easier to roll your own solution than to have an overengineered plugin that might still not do everything you need