Restrict access on auth's email field

4 months ago

Hey there, I have a Users collection with auth enabled and two separate roles, editor and admin. I am able to restrict the editors' access for all fields in that collection so that they can only update their own fields. I just noticed that when logged in as an editor I can view the details of an admin and even force an unlock and edit their email or password. As I restricted the update access there is no save button, so technically they can't update or do any harm other than forcing unlocks, but it is very misleading that it is still editable. I could not find any way to restrict access on that field, which is automatically injected when auth is enabled.

In my expectation this field should be visible as read-only, similar to the other fields.

// Users collection
  access: {
    create: isAdmin,
    read: () => true,
    update: isAdminOrSelf,
    delete: isAdminOrSelf,
  },

  • 4 months ago

    Hey @chris_heinz, I think this is a great observation. If update results in false, we should not show anything but the field when viewing an existing doc.

  • 4 months ago

    Thanks for confirming. I was wondering if there might be some configuration option that I missed. Also, the field should be read-only, similar to the others. I can open an issue on GitHub to address this @jarrod69420
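
The access functions named in the question, written out as an added example (not code from the thread or from Payload itself). It assumes the role is stored in a field called `role`, uses constructed sample users, and adds Payload's `unlock` access function to cover the force-unlock case; `allowed` is a hypothetical, simplified stand-in for the server-side check.

```javascript
// Added example. Assumption: each user document has a `role` field
// holding 'admin' or 'editor' (the thread does not name the field).
const isAdmin = ({ req: { user } }) => Boolean(user && user.role === 'admin');

// Admins may act on any user; everyone else only on their own document.
const isAdminOrSelf = ({ req: { user } }) => {
  if (!user) return false;
  if (user.role === 'admin') return true;
  // Returning a query constraint limits the operation to matching documents.
  return { id: { equals: user.id } };
};

const usersAccess = {
  create: isAdmin,
  read: () => true,
  update: isAdminOrSelf,
  delete: isAdminOrSelf,
  // Restricts the unlock operation mentioned in the thread to admins.
  unlock: isAdmin,
};

// Hypothetical, simplified stand-in for the server-side check: resolve an
// access result against one target document. Only `equals` is handled.
function allowed(operation, user, targetDoc) {
  const result = usersAccess[operation]({ req: { user } });
  if (typeof result === 'boolean') return result;
  return Object.entries(result).every(
    ([field, cond]) => targetDoc[field] === cond.equals
  );
}

// Constructed sample users.
const admin = { id: 'u1', role: 'admin', email: 'admin@example.com' };
const editor = { id: 'u2', role: 'editor', email: 'editor@example.com' };

function report() {
  return {
    editorUpdatesAdmin: allowed('update', editor, admin),
    editorUpdatesSelf: allowed('update', editor, editor),
    editorUnlocksAdmin: allowed('unlock', editor, admin),
    adminUnlocksEditor: allowed('unlock', admin, editor),
    anonymousUpdatesAdmin: allowed('update', null, admin),
  };
}

console.log(report());
```

The decision is made by these functions on the server, so an input that still looks editable in the admin panel does not by itself grant the editor write access.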
