Disable a user (including access to API)
Hi! I've seen this subject already asked 2 weeks ago (
https://discord.com/channels/967097582721572934/1126801396331708466) but the original question only mentioned disabling access to the admin UI. I was able to create a checkbox and disable the user access to the admin UI by adding the following config on my
Userscollection:
access: {
admin: ({ req: { user } }) => {
return Boolean(user) && !user.disabled;
},
}However I would also like to disable this user access to the REST API, because right now, this user can still login through the
/api/users/loginendpoint.
I believe I've looked through all the access control and authentication documentation pages, but to no avail. Right now, my solution has been to create all collections through a little helper function so that I can change default values. Most notably I can change the default access control of all my collections to forbid access to disabled users. Still, blocking user access at the login step would be a more allegant solution.
In that case, you could use a
beforeLoginhook, and throw an error, if they are disabled. This of course is only minded the login routes. You should make sure to then also require a user object to be available for each access control on all other collections
Oh this is great, I completely missed the specific hooks for auth-enabled collections. It even shows the error message in the response! As you said, as long as the rest of my access controls are not set to public, it should prevent disabled users to access the collections as they won't be able to log in. Anyway, that solves my problem, thanks!
CHeers!
Star
Discord
online
Get help straight from the Payload team with an Enterprise License.