
Refined access control for uploads

tom.griffiths 2 years ago

How would you go about only allowing users to see their own images within the admin panel, whilst still allowing public read access to the URL for display on the front-end?



For more detail, I have a media upload collection that has a user field, which is set to the user that creates the asset. I would like to be able to have the user see their own images in the Media collection, and not other images. But I can't seem to find a way to restrict this without blocking read access to the asset URL. Is there something in the request object I can use?

  • arskeliss 2 years ago

    I'm no expert, nor do I know how to implement it in code, but the logic would be to allow public access to the underlying URL && some kind of a custom access control hook which allows only the uploading user access to their own uploads. Right? I guess you need to check the access control and hooks docs; there are examples on the Payload GitHub.

  • thgh. 2 years ago

    I got a similar issue. I think the best way forward is configuring strict access controls and then adding a custom endpoint that exposes all data.



    Another option would be to add an express middleware that adds a filter (by modifying req.query) if the request referer contains /admin but that is probably a rabbit hole.



    And another idea: configure the access controls such that anonymous read is allowed but authenticated read is limited to your own.

  • tom.griffiths 2 years ago

    Thanks @537385969230413846 and @476523795251855360. In the end I found a way using the cloud storage plugin. I enabled public read ACL and disabled the access control via the plugin, which reveals the actual object storage URL instead of the rewritten Payload one. And then I just added a CDN onto the cloud storage, in this case via DigitalOcean, and added the rules I needed in the collection config. Works well.

  • mihanc 2 years ago

    Hi. How can I bypass the access restriction via custom endpoints?


    If I understood correctly, the restrictions apply to each endpoint



    Solved it by adding overrideAccess

  • arskeliss 2 years ago

    You are using this inside payload or your frontend?

  • mihanc 2 years ago

    Inside payload.

  • thgh. 2 years ago

    The global payload object cannot take access restrictions into account as it is not aware of who is querying? Or are you using req.payload (which I think is also unrestricted but starting to doubt that now)?

  • mihanc 2 years ago

    Seems it takes into account the restrictions. At least it didn't work until I added overrideAccess as true.



    The documentation says that if overrideAccess is false, you have to pass the user to use against the access control checks.



    So another solution is to create a dummy user object and use it to bypass the restriction. But for me overrideAccess: true looks better

  • thgh. 2 years ago

    Well, the docs say the default is true so that's peculiar. (Which matches my experience)
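
The idea raised in the thread (anonymous read allowed, authenticated read limited to your own uploads) can be written as a read access function that returns a query constraint. This is an added example, not code posted by anyone in the thread; the `users` slug, the `applyAccess` stand-in for the query layer, and the sample documents are assumptions constructed for illustration.

```javascript
// Added example (not from the thread). Read access for the `media` upload
// collection: anonymous requests may read everything, a logged-in user is
// limited to documents whose `user` field holds their own id.
const mediaReadAccess = ({ req: { user } }) => {
  if (!user) return true;                 // public site: unrestricted read
  return { user: { equals: user.id } };   // query constraint instead of a boolean
};

// Collection config fragment. The `users` slug is an assumption.
const Media = {
  slug: 'media',
  upload: true,
  access: { read: mediaReadAccess },
  fields: [{ name: 'user', type: 'relationship', relationTo: 'users' }],
};

// Stand-in for the query layer (assumption): applies `true`, `false` or a
// single-level `equals` constraint to an in-memory list of documents.
function applyAccess(result, docs) {
  if (result === true) return docs;
  if (!result) return [];
  return docs.filter((doc) =>
    Object.entries(result).every(([field, cond]) => doc[field] === cond.equals));
}

// File names a given requester would get back from a read on `media`.
function visibleMedia(user, docs) {
  const result = Media.access.read({ req: { user } });
  return applyAccess(result, docs).map((doc) => doc.filename);
}

// Constructed sample documents.
const SAMPLE_MEDIA = [
  { id: 'm1', filename: 'alice-1.png', user: 'u-alice' },
  { id: 'm2', filename: 'bob-1.png', user: 'u-bob' },
  { id: 'm3', filename: 'alice-2.png', user: 'u-alice' },
];

console.log('alice:', visibleMedia({ id: 'u-alice' }, SAMPLE_MEDIA));
console.log('anonymous:', visibleMedia(null, SAMPLE_MEDIA));
```

Because anonymous reads stay unrestricted, this scopes what a logged-in user sees in the admin list; it does not keep other users' uploads private from unauthenticated API requests. In a custom endpoint, a Local API call enforces this function only when it is given `overrideAccess: false` together with the requesting `user`.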
