Payload is now part of Figma! Learn More
Simplify your stack and build anything. Or everything.
Schedule a Demo
USE CASES
Headless CMSEnterprise App BuilderHeadless E-CommerceDigital Asset Management
FEATURES
Multi-TenancyWhite LabelLocalizationAccess ControlAuth
CASE STUDIES

See what others are building with Payload.

Browse Case Studies
Build tomorrow’s web with a modern solution you truly own.
PAYLOAD IS FOR
DevelopersMarketing teamsEnterprise companiesAgencies & Consultancies
COMPARE PAYLOAD
Payload vs WordPressPayload vs ContentfulPayload vs SanityPayload vs StrapiPayload vs Directus
AGENCY TESTIMONIAL

"Payload has transformed the way our clients manage content. It's an indispensable tool for any modern agency."

Become a PartnerFind a Partner
Code-based nature means you can build on top of it to power anything.
Resources
DocumentationExamplesTemplatesGitHubReleasesBlogGuides & Tutorials
Community
RoadmapDiscordCommunity Help
Resources for Developers

Get the resources you need to start building today

Guides & TutorialsExplore Docs
It’s time to take back your content infrastructure.
Schedule a Demo
Enterprise Features
SSOAI Auto-EmbeddingPublishing WorkflowsVisual EditorStatic A/B testingAI features
Customer Stories
MicrosoftASICSBlue OriginHello BelloTekton
Featured Customer Story

Microsoft chose Payload to tell the world about AI.

Read the case studyBrowse all
LoginGet Started
Community Help

Can still access collection when read is set to false (payload 3)

default discord avatar
drd.devlast year
6

Hi Everyone,


Having a strange issue with the payload 3 beta. I currently have the read access on my collection set to false, but I am still able to access it via the .find function in my frontend.



Not sure if im missing something simple here, but I couldn't find an answer anywhere online.



Any help would be greatly appreciated.




in collection:


  access: {
    read: () => {
      return false
    },
  },


in frontend component:


  const cabinets = await payload.find({
    collection: 'cabinets',
    depth: 1,
    limit: 10,
  })


additiona info: setting read to false blocks read from the admin panel but still allows it from payload.find

  • default discord avatar
    zed0547last year

    Hey

    @126595896556257280

    ,



    So, I think when you call the Payload Local API from your server, it's done so with "elevated permissions" so to speak. Basically, since it's the server, it kind of bypasses access controls. Or, a better way to put it, is Access Controls are more for User-driven interactions rather than your server



    I know you mentioned that you're calling the local API from a "frontend" component, but that does not mean it is not executed on the server. In fact, NextJS is Server first by default, and you actually have to specifically dictate that code should run exclusively on the clientside.

  • default discord avatar
    drd.devlast year

    ahhhh that makes sense. I guess making my own end point and manually checking auth would be my best bet then?

  • default discord avatar
    zed0547last year

    That's definitely an option! You could also perform an auth check

    just

    before you call the local API as well in whatever flow you had it in originally. I think there's some examples of authenticating manually in the examples/templates folder - if you need them.

  • default discord avatar
    drd.devlast year

    awesome, I'll check those out. Thanks so much for your help!

  • default discord avatar
    zed0547last year

    My pleasure

  • default discord avatar
    drd.devlast year

    just wanted to provide a quick update for anyone else with the same issue, You can set this flag in your .find to disable the default Access override

Open

Continue the discussion in Discord

Star on GitHub

Star

Chat on Discord

Discord

online

Can't find what you're looking for?

Get dedicated engineering support directly from the Payload team.