Simplify your stack and build anything. Or everything.
Schedule a Demo
USE CASES
Headless CMSEnterprise App BuilderHeadless E-CommerceDigital Asset Management
FEATURES
Multi-TenancyWhite LabelLocalizationAccess ControlAuth
CASE STUDIES

See what others are building with Payload.

Browse Case Studies
Build tomorrow’s web with a modern solution you truly own.
PAYLOAD IS FOR
DevelopersMarketing teamsEnterprise companiesAgencies & Consultancies
COMPARE PAYLOAD
Payload vs WordPressPayload vs ContentfulPayload vs SanityPayload vs StrapiPayload vs Directus
AGENCY TESTIMONIAL

"Payload has transformed the way our clients manage content. It's an indispensable tool for any modern agency."

Become a PartnerFind a Partner
Code-based nature means you can build on top of it to power anything.
Resources
DocumentationExamplesTemplatesGitHubReleasesBlog
Community
RoadmapDiscordCommunity Help
Payload Cloud

Deploy your entire stack in one place with Payload Cloud.

LoginCloud Pricing
It’s time to take back your content infrastructure.
Schedule a Demo
Enterprise Features
SSOAI Auto-EmbeddingPublishing WorkflowsVisual EditorStatic A/B testingAI features
Customer Stories
MicrosoftASICSBlue OriginHello BelloTekton
Featured Customer Story

Microsoft chose Payload to tell the world about AI.

Read the case studyBrowse all
LoginGet Started
Community Help

Limiting find results using access

default discord avatar
zillion504last year

I have an application where users can log in and create journal entries. There are two user roles, "user" and "admin". I have coded the read access for journal entries as follows


export const isAdminOrCreatedBy = ({ req }: AccessArgs) => {
  // Allow admins
  if (isAdmin({ req })) return true;

  const user = req?.user as User;
  if (!user) return false;

  // Normal users can only access ones they own.
  return {
    createdBy: {
      equals: user.id,
    }
  };
};

When I run a find as a non-admin user, it will show me only entries that I own. However, as an admin it will show me every entry. In my application I don't want admin users to see all entries, I just want them to see their own. However, I do want them to see all of the entries when they're in the payload admin dashboard.



Obvious solution is to do some client-filtering in the application. However, I am wondering if anyone has suggestions for other approaches. Is there any way to do this with access control? Ideally I want the admin check to only happen if you're in the admin dashboard. Are there any methods for checking this? I can think of maybe viewing the Origin header of the request?



I found the following solution, changing my isAdmin check to disallow admin privileges from the web app:


const applicationOrigins: RegExp[] = [
  /^https?:\/\/localhost:3000/,
  /^https?:\/\/site\.com/
]

export const isAdmin = ({ req }: AccessArgs) => {
  // If the user is on the web app, do not use admin privileges.
  const origin = req.headers.origin;
  if (origin && applicationOrigins.find((appOrigin) => appOrigin.test(origin))) {
    return false;
  }

  const user = req.user as User;

  return user?.role === "admin";
};
    Open

    Continue the discussion in Discord

    Star on GitHub

    Star

    Chat on Discord

    Discord

    online

    Can't find what you're looking for?

    Get dedicated engineering support directly from the Payload team..