Simplify your stack and build anything. Or everything.
Schedule a Demo
USE CASES
Headless CMSEnterprise App BuilderHeadless E-CommerceDigital Asset Management
FEATURES
Multi-TenancyWhite LabelLocalizationAccess ControlAuth
CASE STUDIES

See what others are building with Payload.

Browse Case Studies
Build tomorrow’s web with a modern solution you truly own.
PAYLOAD IS FOR
DevelopersMarketing teamsEnterprise companiesAgencies & Consultancies
COMPARE PAYLOAD
Payload vs WordPressPayload vs ContentfulPayload vs SanityPayload vs StrapiPayload vs Directus
AGENCY TESTIMONIAL

"Payload has transformed the way our clients manage content. It's an indispensable tool for any modern agency."

Become a PartnerFind a Partner
Code-based nature means you can build on top of it to power anything.
Resources
DocumentationExamplesTemplatesGitHubReleasesBlogGuides & Tutorials
Community
RoadmapDiscordCommunity Help
Payload Cloud

Deploy your entire stack in one place with Payload Cloud.

LoginCloud Pricing
It’s time to take back your content infrastructure.
Schedule a Demo
Enterprise Features
SSOAI Auto-EmbeddingPublishing WorkflowsVisual EditorStatic A/B testingAI features
Customer Stories
MicrosoftASICSBlue OriginHello BelloTekton
Featured Customer Story

Microsoft chose Payload to tell the world about AI.

Read the case studyBrowse all
LoginGet Started
Community Help

Approval Workflows

default discord avatar
rawkodelast year
6

I searched and found a few issues about this. The solution seems to be to enable versions and drafts and then swap out the Publish button with a custom component. This works great.



However, I’m worried about people hacking on the front end and need some server side validation that only certain roles can publish drafts.



I tried the beforeValidate hook, but I don’t believe we can access the user there.



Am I wrong? Is there another approach to block publishing content to one or more roles?



Thanks.

  • discord user avatar
    jarrod_not_jared
    last year

    I answered you in GitHub, but this may be a better place for discussion. You totally have access to the user on the req in a before validate function! Want to share a snippet of the collection hook code you are working with?

  • default discord avatar
    yersnlast year

    Hi did you implemented it? if yes could you share it please, also was searching for this type of solution

  • default discord avatar
    wkd1079last year

    access control

    https://payloadcms.com/docs/access-control/overview

    here's a snippet of my access control for

    read

    on a collection:



    export const versionedRead: Access = ({ req }) => {
  if (req.user) {
    // api user can't see drafts
    if (req.user?.role === 'api') {
      return {
        _status: {
          equals: 'published',
        },
      }
    }
    // all other authd users can see drafts
    return true
  }

  // no unauthenticated users
  return false
}
  • default discord avatar
    yersnlast year

    thanks I also want to change publish button to send to approve and so admin users will see list of approval, and only admin able to publish



    did you tried to implement something of this kind

  • default discord avatar
    wkd1079last year

    nope i haven't done any custom components yet

  • default discord avatar
    yersnlast year

    Are you going to?



    if yes let's share ideas and examples on how to implement it, anyways I am going to make custom components



    Hi there, so I want to make the custom button for Publish and change it to Send to Approve which will send it to Approve collection, where admins could publish and then some type unread/read and notifications only from collection of Approve

Open

Continue the discussion in Discord

Star on GitHub

Star

Chat on Discord

Discord

online

Can't find what you're looking for?

Get dedicated engineering support directly from the Payload team.