
Payload hook doesn't have permission to read from collection

TacticalSmoores
last month
17

Hello, how can I allow a Payload hook access to read sensitive files and send them as attachments? I can't set

read: ()=>true

on this collection because then anyone could find these applications with things like social security numbers.



import type { CollectionConfig } from 'payload/types';
import payload from 'payload';

const Applications: CollectionConfig = {
  slug: 'applications',
  access: {
    // anyone may submit an application; no read access is granted
    create: (): boolean => true,
  },
  upload: {
    mimeTypes: ['application/pdf'],
  },
  hooks: {
    afterChange: [
      ({ doc }) => {
        /* example doc: {
             id: '63ed21907be32a1ac6e64f71',
             filename: 'Website Application-10-10.pdf',
             mimeType: 'application/pdf',
             filesize: 926986,
             createdAt: '2023-02-15T18:16:48.348Z',
             updatedAt: '2023-02-15T18:16:48.348Z',
             url: 'http://localhost:3000/applications/Website Application-10-10.pdf'
           } */

        // nodemailer fetches the attachment over HTTP from this URL, so the
        // request goes through the collection's read access check
        const fileLocation = new URL(doc.url);
        const submissionTime = new Date(doc.createdAt).toString();
        const message = {
          from: 'website@mydomain.com',
          to: 'me@gmail.com',
          subject: `New Driver Application at ${submissionTime}`,
          attachments: [
            {
              path: fileLocation.toString(),
            },
          ],
          html: 'New Driver Application Attached',
        };
        payload.sendEmail(message);
      },
    ],
  },
  fields: [],
};


Forbidden: You are not allowed to perform this action.
    at new ExtendableError (/home/kaleb/code/ttf-cms/node_modules/payload/dist/errors/APIError.js:22:15)
    at new APIError (/home/kaleb/code/ttf-cms/node_modules/payload/dist/errors/APIError.js:38:9)
    at new Forbidden (/home/kaleb/code/ttf-cms/node_modules/payload/dist/errors/Forbidden.js:10:9)
    at executeAccess (/home/kaleb/code/ttf-cms/node_modules/payload/dist/auth/executeAccess.js:9:23)
    at async /home/kaleb/code/ttf-cms/node_modules/payload/dist/auth/getExecuteStaticAccess.js:14:34
error - unhandledRejection: Error: Invalid status code 403
    at ClientRequest.<anonymous> (/home/kaleb/code/ttf-cms/node_modules/nodemailer/lib/fetch/index.js:218:23)
    at ClientRequest.emit (node:events:527:28)
    at HTTPParser.parserOnIncomingClient (node:_http_client:631:27)
    at HTTPParser.parserOnHeadersComplete (node:_http_common:128:17)
    at Socket.socketOnData (node:_http_client:494:22)
    at Socket.emit (node:events:527:28)
    at addChunk (node:internal/streams/readable:315:12)
    at readableAddChunk (node:internal/streams/readable:289:9)
    at Socket.Readable.push (node:internal/streams/readable:228:10)
    at TCP.onStreamRead (node:internal/stream_base_commons:190:23) {
  type: 'FETCH',
  sourceUrl: 'http://localhost:3000/applications/Website%20Application-10-10-10-4.pdf'
  • thisisnotchris
    last month

    in your collection config, you only have create access enabled

    right?

  • TacticalSmoores
    last month

    That's correct, anyone can submit an application. So, create is set to true. That part works and the applications are uploaded to the server.

  • thisisnotchris
    last month

    But read is not enabled, correct @TacticalSmoores ?

  • TacticalSmoores
    last month

    yep, this is the collection permissions setup

    access: {
      create: ():boolean => true,
    },
  • thisisnotchris
    last month
  • TacticalSmoores
    last month

    I have, but my understanding is the access controls are for users. This is a hook that runs on the server. The hook cannot access the file on the server.



    access: {
      create: ():boolean => true,
      read: ():boolean => true,
    },

    This works, but is a really bad idea. Now anyone on the internet can open this application pdf containing a person's social security number, name, address, etc.

  • Jarrod
    Payload Team
    last month

    So you want non-users to be able to access these secure documents?

  • TacticalSmoores
    last month

    Yes and no,


    The secure documents (job application, pdf) need to be emailed to a non-user as an attachment immediately after being uploaded. But, we don't want any non-user to have access to the file by entering the url.

  • Jarrod
    Payload Team
    last month

    Why emailed to a non user?



    Will the person uploading the doc have a user account?

  • TacticalSmoores
    last month

    The person uploading the job application will not have an account.



    Job application needs to be sent to the hiring manager who is older, not tech savvy. If they have to log into a CMS to pursue leads they probably won't bother. But if they received an email attachment it would be easy for them.



    This is replacing a system where people had to walk in and fill out a paper form.

  • Jarrod
    Payload Team
    last month

    When a doc is created you could create a uuid and attach that to the doc, then send the email with that as a query param.



    In your read access you can check for the query param and see if it matches the uuid field on the upload doc and permit access if true.



    It would likely be secure enough for ya.



    Having the hiring manager use an account would obviously be most secure



    But even then, the thing you are preventing access to is the collection information not the file. So this might not work for ya after all. Really you want the user to have to fetch the document and then they can read the url where the file lives and then they can navigate to the file.

  • TacticalSmoores
    last month

    Yeah, I guess I was originally looking for something like a service worker. You can give it permissions, trigger it with hooks like afterChange, and perform other server-side actions using it.



    Now, I think your solution of a UUID, treating it like a key to give read access, will work. I'm going to give that a shot, appreciate your help!
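A worked version of the token scheme Jarrod describes above, added here as an example and not code from the thread or from Payload itself: a beforeChange hook that mints the UUID, a read access function that turns the `?token=` query parameter into a Payload where constraint (with an expiry so an old email cannot open the file forever), and the helper that builds the emailed link. The field names `accessToken` and `tokenExpiresAt`, the one-week lifetime, and the local `Req`/`AppDoc` stand-in types are assumptions.

```typescript
import { randomUUID } from 'crypto';

// Local stand-ins for the parts of Payload's hook/access types this example
// touches (assumption: avoids importing 'payload' so the block runs alone).
type Req = { user?: { id: string } | null; query?: Record<string, unknown> };
type AppDoc = { id: string; url: string; accessToken?: string; tokenExpiresAt?: string };

const TOKEN_TTL_MS = 7 * 24 * 60 * 60 * 1000; // assumed: link valid for one week

// beforeChange hook body: on create, mint a random UUID token and an expiry and
// store both on the doc. Declare both fields in `fields` with
// `access: { read: () => false }` so the token itself never leaks via the API.
export function addAccessToken(doc: Partial<AppDoc>, operation: 'create' | 'update', now = new Date()): Partial<AppDoc> {
  if (operation !== 'create' || doc.accessToken) return doc;
  return {
    ...doc,
    accessToken: randomUUID(),
    tokenExpiresAt: new Date(now.getTime() + TOKEN_TTL_MS).toISOString(),
  };
}

// read access function: signed-in users read everything; an anonymous request
// gets only the single doc whose token matches `?token=` and has not expired,
// expressed as a Payload `where` constraint; anything else is denied outright.
// The same read access runs for the static file URL (the getExecuteStaticAccess
// frame in the trace above), so the PDF stays hidden without the right token.
export function readAccess({ req }: { req: Req }, now = new Date()): boolean | Record<string, unknown> {
  if (req.user) return true;
  const token = req.query?.token;
  if (typeof token !== 'string' || token.length !== 36) return false;
  return {
    and: [
      { accessToken: { equals: token } },
      { tokenExpiresAt: { greater_than: now.toISOString() } },
    ],
  };
}

// afterChange hook helper: the link placed in the email (and used as the
// nodemailer attachment path) carries the token; the bare doc.url does not.
export function buildTokenLink(doc: AppDoc): string {
  if (!doc.accessToken) throw new Error('doc has no access token');
  const link = new URL(doc.url);
  link.searchParams.set('token', doc.accessToken);
  return link.toString();
}
```

Hand nodemailer this token link as the attachment `path` instead of the bare `doc.url`, so the hook's own fetch passes the same access check the hiring manager's click does.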
