Payload hook doesn't have permission to read from collection

tacticalsmoores 2 years ago

Hello, how can I allow a Payload hook access to read sensitive files and send them as attachments? I can't set read: ()=>true on this collection because then anyone could find these applications with things like social security numbers.



import payload from 'payload';
import { CollectionConfig } from 'payload/types';

const Applications: CollectionConfig = {
  slug: 'applications',
  access: {
    // Anyone may submit an application; no read access is granted.
    create: ():boolean => true,
  },
  upload: {
    mimeTypes: ['application/pdf'],
  },
  hooks: {
    afterChange: [
      ({ doc }) => {

        /* example doc: {
             id: '63ed21907be32a1ac6e64f71',
             filename: 'Website Application-10-10.pdf',
             mimeType: 'application/pdf',
             filesize: 926986,
             createdAt: '2023-02-15T18:16:48.348Z',
             updatedAt: '2023-02-15T18:16:48.348Z',
             url: 'http://localhost:3000/applications/Website Application-10-10.pdf'
           }
        */

        // The attachment is referenced by its public URL, so the mailer fetches it
        // over HTTP as an anonymous client and is subject to the read access check.
        const fileLocation = new URL(doc.url);
        const submissionTime = new Date(doc.createdAt).toString();
        const message = {
          from: 'website@mydomain.com',
          to: 'me@gmail.com',
          subject: `New Driver Application at ${submissionTime}`,
          attachments: [
            {
              path: fileLocation.toString(),
            },
          ],
          html: "New Driver Application Attached",
        };
        payload.sendEmail(message);
      },
    ],
  },
  fields: [],
};


Forbidden: You are not allowed to perform this action.
    at new ExtendableError (/home/kaleb/code/ttf-cms/node_modules/payload/dist/errors/APIError.js:22:15)
    at new APIError (/home/kaleb/code/ttf-cms/node_modules/payload/dist/errors/APIError.js:38:9)
    at new Forbidden (/home/kaleb/code/ttf-cms/node_modules/payload/dist/errors/Forbidden.js:10:9)
    at executeAccess (/home/kaleb/code/ttf-cms/node_modules/payload/dist/auth/executeAccess.js:9:23)
    at async /home/kaleb/code/ttf-cms/node_modules/payload/dist/auth/getExecuteStaticAccess.js:14:34
error - unhandledRejection: Error: Invalid status code 403
    at ClientRequest.<anonymous> (/home/kaleb/code/ttf-cms/node_modules/nodemailer/lib/fetch/index.js:218:23)
    at ClientRequest.emit (node:events:527:28)
    at HTTPParser.parserOnIncomingClient (node:_http_client:631:27)
    at HTTPParser.parserOnHeadersComplete (node:_http_common:128:17)
    at Socket.socketOnData (node:_http_client:494:22)
    at Socket.emit (node:events:527:28)
    at addChunk (node:internal/streams/readable:315:12)
    at readableAddChunk (node:internal/streams/readable:289:9)
    at Socket.Readable.push (node:internal/streams/readable:228:10)
    at TCP.onStreamRead (node:internal/stream_base_commons:190:23) {
  type: 'FETCH',
  sourceUrl: 'http://localhost:3000/applications/Website%20Application-10-10-10-4.pdf'
  • notchr 2 years ago

    in your collection config, you only have create access enabled, right?

  • tacticalsmoores 2 years ago

    That's correct, anyone can submit an application. So, create is set to true. That part works and the applications are uploaded to the server.

  • notchr 2 years ago

    But read is not enabled, correct @288798695699513346?

  • tacticalsmoores 2 years ago

    yep, this is the collection permissions setup

    access: {
      create: ():boolean => true,
    },
  • notchr 2 years ago
  • tacticalsmoores 2 years ago

    I have, but my understanding is the access controls are for users. This is a hook that runs on the server. The hook cannot access the file on the server.



    access: {
      create: ():boolean => true,
      read: ():boolean => true,
    },

    This works, but is a really bad idea. Now anyone on the internet can open this application pdf containing a person's social security number, name, address, etc.

  • jarrod_not_jared 2 years ago

    So you want non-users to be able to access these secure documents?

  • tacticalsmoores 2 years ago

    Yes and no,

    The secure documents (job application, pdf) need to be emailed to a non-user as an attachment immediately after being uploaded. But, we don't want any non-user to have access to the file by entering the url.

  • jarrod_not_jared 2 years ago

    Why emailed to a non user?



    Will the person uploading the doc have a user account?

  • tacticalsmoores 2 years ago

    The person uploading the job application will not have an account.



    Job application needs to be sent to the hiring manager who is older, not tech savvy. If they have to log into a CMS to pursue leads they probably won't bother. But if they received an email attachment it would be easy for them.



    This is replacing a system where people had to walk in and fill out a paper form.

  • jarrod_not_jared 2 years ago

    When a doc is created you could create a uuid and attach that to the doc, then send the email with that as a query param.



    In your read access you can check for the query param and see if it matches the uuid field on the upload doc and permit access if true.



    It would likely be secure enough for ya.



    Having the hiring manager use an account would obviously be most secure



    But even then, the thing you are preventing access to is the collection information not the file. So this might not work for ya after all. Really you want the user to have to fetch the document and then they can read the url where the file lives and then they can navigate to the file

  • tacticalsmoores 2 years ago

    Yeah, I guess I was originally looking for something like a service worker. You can give it permissions, trigger it with hooks like afterChange, and perform other server-side actions using it.



    Now, I think your solution of a UUID, treating it like a key to give read access, will work. I'm going to give that a shot, appreciate your help!
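
The UUID-as-key idea from the thread, sketched as an added example (not code from any participant or from Payload itself). The field name `accessToken`, the query parameter `token`, and the local `Req`/`Where` types are assumptions made for illustration; the access function returns a query constraint so the token is matched against the stored field rather than granting read on the whole collection.

```typescript
import { randomUUID } from 'crypto';

// Minimal local stand-ins for the request and query-constraint shapes
// (assumed for this example; not imported from Payload).
type Req = { user?: unknown; query?: Record<string, unknown> };
type Where = { accessToken: { equals: string } };

const UUID_V4 = /^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/;

// beforeChange-style step: mint the token once, when the document is created.
function addAccessToken<T extends object>(data: T, operation: 'create' | 'update') {
  return operation === 'create' ? { ...data, accessToken: randomUUID() } : data;
}

// Read access: logged-in users pass; anonymous requests must carry a
// well-formed token, which is then matched against the document's field.
function readAccess({ req }: { req: Req }): boolean | Where {
  if (req.user) return true;
  const token = req.query?.token;
  // Query-string parsers turn ?token[a]=b into an object and
  // ?token=a&token=b into an array; accept only a single UUID string so
  // nothing but a plain value ever reaches the query constraint.
  if (typeof token !== 'string' || !UUID_V4.test(token)) return false;
  return { accessToken: { equals: token } };
}

// URL the afterChange hook would pass to the mailer as the attachment path.
function tokenizedUrl(docUrl: string, token: string): string {
  const url = new URL(docUrl);
  url.searchParams.set('token', token);
  return url.toString();
}
```

The token is a bearer credential: anyone who holds the link can read that one file, and the link will appear in the email and in server request logs.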
