Hello, how can I allow a Payload hook access to read sensitive files and send them as attachments? I can't set read: ()=>true on this collection because then anyone could find these applications with things like social security numbers.
import payload from 'payload';
import { CollectionConfig } from 'payload/types';

const Applications: CollectionConfig = {
  slug: 'applications',
  access: {
    // Anyone may submit an application; no read access is defined.
    create: (): boolean => true,
  },
  upload: {
    mimeTypes: ['application/pdf'],
  },
  hooks: {
    afterChange: [
      ({ doc }) => {
        /* example doc: {
          id: '63ed21907be32a1ac6e64f71',
          filename: 'Website Application-10-10.pdf',
          mimeType: 'application/pdf',
          filesize: 926986,
          createdAt: '2023-02-15T18:16:48.348Z',
          updatedAt: '2023-02-15T18:16:48.348Z',
          url: 'http://localhost:3000/applications/Website Application-10-10.pdf'
        } */
        const fileLocation = new URL(doc.url);
        const submissionTime = new Date(doc.createdAt).toString();
        const message = {
          from: 'website@mydomain.com',
          to: 'me@gmail.com',
          subject: `New Driver Application at ${submissionTime}`,
          attachments: [
            {
              // The attachment is fetched over HTTP from this URL.
              path: fileLocation.toString(),
            },
          ],
          html: "New Driver Application Attached",
        };
        payload.sendEmail(message);
      },
    ],
  },
  fields: [],
};
Forbidden: You are not allowed to perform this action.
at new ExtendableError (/home/kaleb/code/ttf-cms/node_modules/payload/dist/errors/APIError.js:22:15)
at new APIError (/home/kaleb/code/ttf-cms/node_modules/payload/dist/errors/APIError.js:38:9)
at new Forbidden (/home/kaleb/code/ttf-cms/node_modules/payload/dist/errors/Forbidden.js:10:9)
at executeAccess (/home/kaleb/code/ttf-cms/node_modules/payload/dist/auth/executeAccess.js:9:23)
at async /home/kaleb/code/ttf-cms/node_modules/payload/dist/auth/getExecuteStaticAccess.js:14:34
error - unhandledRejection: Error: Invalid status code 403
at ClientRequest.<anonymous> (/home/kaleb/code/ttf-cms/node_modules/nodemailer/lib/fetch/index.js:218:23)
at ClientRequest.emit (node:events:527:28)
at HTTPParser.parserOnIncomingClient (node:_http_client:631:27)
at HTTPParser.parserOnHeadersComplete (node:_http_common:128:17)
at Socket.socketOnData (node:_http_client:494:22)
at Socket.emit (node:events:527:28)
at addChunk (node:internal/streams/readable:315:12)
at readableAddChunk (node:internal/streams/readable:289:9)
at Socket.Readable.push (node:internal/streams/readable:228:10)
at TCP.onStreamRead (node:internal/stream_base_commons:190:23) {
type: 'FETCH',
sourceUrl: 'http://localhost:3000/applications/Website%20Application-10-10-10-4.pdf'
In your collection config, you only have create access enabled, right?
That's correct, anyone can submit an application. So, create is set to true. That part works and the applications are uploaded to the server.
But read is not enabled, correct @TacticalSmoores ?
yep, this is the collection permissions setup
access: {
create: ():boolean => true,
},
Perhaps you need read?
https://payloadcms.com/docs/access-control/collections#read
I have, but my understanding is the access controls are for users. This is a hook that runs on the server. The hook cannot access the file on the server.
access: {
create: ():boolean => true,
read: ():boolean => true,
},
This works, but is a really bad idea. Now anyone on the internet can open this application pdf containing a person's social security number, name, address, etc.
So you want non-users to be able to access these secure documents?
Yes and no.
The secure documents (job application, PDF) need to be emailed to a non-user as an attachment immediately after being uploaded. But we don't want any non-user to have access to the file by entering the URL.
Why emailed to a non user?
Will the person uploading the doc have a user account?
The person uploading the job application will not have an account.
Job application needs to be sent to the hiring manager who is older, not tech savvy. If they have to log into a CMS to pursue leads they probably won't bother. But if they received an email attachment it would be easy for them.
This is replacing a system where people had to walk in and fill out a paper form.
When a doc is created you could create a uuid and attach that to the doc, then send the email with that as a query param.
In your read access you can check for the query param and see if it matches the uuid field on the upload doc and permit access if true.
It would likely be secure enough for ya.
Having the hiring manager use an account would obviously be most secure.
But even then, the thing you are preventing access to is the collection information, not the file. So this might not work for ya after all. Really you want the user to have to fetch the document, and then they can read the URL where the file lives, and then they can navigate to the file.
Yeah, I guess I was originally looking for something like a service worker. You can give it permissions, trigger it with hooks like afterChange, and perform other server-side actions using it.
Now, I think your solution of a UUID, treating it like a key to give read access, will work. I'm going to give that a shot, appreciate your help!
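
The UUID-as-key idea suggested above, as an added sketch that is not code from this thread or from Payload itself. The field name `accessToken`, the query parameter `token` and all function names are assumptions; it relies on Payload's documented behaviour that a `read` access function may return a query constraint instead of a boolean.

```typescript
import { randomUUID } from 'crypto';

// Minimal local stand-ins for Payload's types so the sketch runs on its own.
type Req = { user?: unknown; query?: Record<string, unknown> };
type Where = { [field: string]: { equals: string } };
type Data = Record<string, unknown>;

const UUID_V4 = /^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;

// beforeChange hook: stamp a random token on create only, so later updates
// cannot overwrite it. Assumes the collection declares a text field named
// `accessToken` (hypothetical name) so the value is stored.
const addAccessToken = ({ data, operation }: { data: Data; operation: string }): Data =>
  operation === 'create' ? { ...data, accessToken: randomUUID() } : data;

// read access: logged-in users pass; everyone else must present the token.
const readWithToken = ({ req }: { req: Req }): boolean | Where => {
  if (req.user) return true;
  const token = req.query?.token;
  // ?token=a&token=b parses to an array and ?token[x]=y to an object;
  // accept only a single well-formed UUID string.
  if (typeof token !== 'string' || !UUID_V4.test(token)) return false;
  // A constraint rather than `true`: only the document carrying this token matches.
  return { accessToken: { equals: token } };
};

// Build the tokenised URL to use in the email (link or attachment path).
const emailLink = (doc: { url: string; accessToken: string }): string => {
  const link = new URL(doc.url);
  link.searchParams.set('token', doc.accessToken);
  return link.toString();
};
```

The token is a bearer secret: anyone who holds the link can read that one file, so the email becomes the access boundary.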