Payload hook doesn't have permission to read from collection

TacticalSmoores

last month

Hello, how can I allow a Paylook hook access to read sensitive files and send them as attachments? I can't set

read: ()=>true

on this collection because then anyone could find these applications with things like social security numbers.

const Applications: CollectionConfig = {
  slug: 'applications',
  access: {
    create: ():boolean => true,
  },
  upload: {
    mimeTypes: ['application/pdf'],
  },
  hooks: {
    afterChange: [
      ({ doc }) => {

        /* example doc:{
             id: '63ed21907be32a1ac6e64f71',
             filename: 'Website Application-10-10.pdf',
             mimeType: 'application/pdf',
             filesize: 926986,
             createdAt: '2023-02-15T18:16:48.348Z',
             updatedAt: '2023-02-15T18:16:48.348Z',
             url: 'http://localhost:3000/applications/Website Application-10-10.pdf'
        */ }

        const fileLocation = new URL(doc.url);
        const submissionTime = new Date(doc.createdAt).toString();
        const message = {
          from: 'website@mydomain.com',
          to: 'me@gmail.com',
          subject: `New Driver Application at ${submissionTime}`,
          attachments: [
            {
              path: fileLocation.toString(),
            },
          ],
          html:"New Driver Application Attached",
        };
        payload.sendEmail(message);
      },
    ],
  },
  fields: [],
};

Forbidden: You are not allowed to perform this action.
    at new ExtendableError (/home/kaleb/code/ttf-cms/node_modules/payload/dist/errors/APIError.js:22:15)
    at new APIError (/home/kaleb/code/ttf-cms/node_modules/payload/dist/errors/APIError.js:38:9)
    at new Forbidden (/home/kaleb/code/ttf-cms/node_modules/payload/dist/errors/Forbidden.js:10:9)
    at executeAccess (/home/kaleb/code/ttf-cms/node_modules/payload/dist/auth/executeAccess.js:9:23)
    at async /home/kaleb/code/ttf-cms/node_modules/payload/dist/auth/getExecuteStaticAccess.js:14:34
error - unhandledRejection: Error: Invalid status code 403
    at ClientRequest.<anonymous> (/home/kaleb/code/ttf-cms/node_modules/nodemailer/lib/fetch/index.js:218:23)
    at ClientRequest.emit (node:events:527:28)
    at HTTPParser.parserOnIncomingClient (node:_http_client:631:27)
    at HTTPParser.parserOnHeadersComplete (node:_http_common:128:17)
    at Socket.socketOnData (node:_http_client:494:22)
    at Socket.emit (node:events:527:28)
    at addChunk (node:internal/streams/readable:315:12)
    at readableAddChunk (node:internal/streams/readable:289:9)
    at Socket.Readable.push (node:internal/streams/readable:228:10)
    at TCP.onStreamRead (node:internal/stream_base_commons:190:23) {
  type: 'FETCH',
  sourceUrl: 'http://localhost:3000/applications/Website%20Application-10-10-10-4.pdf'

thisisnotchris
last month
in your collection config, you only have create access enabled

right?
TacticalSmoores
last month
That's correct, anyone can submit an application. So, create is set to true. That part works and the applications are uploaded to the server.
thisisnotchris
last month
But read is not enabled, correct @TacticalSmoores ?
TacticalSmoores
last month
yep, this is the collection permissions setup
```
access: {
    create: ():boolean => true,
  },
```
thisisnotchris
last month
Perhaps you need read?
https://payloadcms.com/docs/access-control/collections#read
TacticalSmoores
last month
I have, but my understanding is the access controls are for users. This is a hook that runs on the server. The hook cannot access the file on the server.
```
access: {
  create: ():boolean => true,
  read: ():boolean => true,
},
```
This works, but is a really bad idea. Now anyone on the internet can open this application pdf containing a person's social security number, name, address, etc.
Jarrod
Payload Team
last month
So you want non-users to be able to access these secure documents?
TacticalSmoores
last month
Yes and no,

The secure documents (job application, pdf) need to be
emailed
to a non-user as an attachment immediately after being uploaded. But, we don't any non-user to have access to the file by entering the url.
Jarrod
Payload Team
last month
Why emailed to a non user?

Will the person uploading the doc have a user account?
TacticalSmoores
last month
The person uploading the job application will not have an account.

Job application needs to be sent to the hiring manager who is older, not tech savvy. If they have to log into a CMS to pursue leads they probably won't bother. But if they received an email attachment it would be easy for them.

This is replacing a system where people had to walk in and fill out a paper form.
Jarrod
Payload Team
last month
When a doc is created you could create a uuid and attach that to the doc, then send the email with that as a query param.

In your read access you can check for the query param and see if it matches the uuid field on the upload doc and permit access if true.

It would likely be secure enough for ya.

Having the hiring manager use an account would obviously be most secure

But even then, the thing you are preventing access to is the collection information not the file. So this might not work for ya after all. Really you want the user to have to fetch the document and then they can read the url where the file lives and then they can navigate to the file
TacticalSmoores
last month
Yeah, I guess I was originally looking for something like a service worker. You can give it permissions, trigger it with hooks like
afterChange
, and perform other server-side actions using it.

Now, I think your solution of a UUID, treating it like a key to give read access, will work. I'm going to give that a shot, appreciate your help!

Open the post

Continue the discussion in Discord

Can't find what you're looking for?
Get help straight from the Payload team with an Enterprise License.Learn More