Restrict access on auth's email field

chrispy.q, last year
7

Hey there, I have a Users collection with auth enabled and two separate roles, editor and admin. I am able to restrict the editors' access for all fields in that collection so that they can only update their own fields. I just recognized that when logged in as an editor I can view the details of an admin and even force an unlock and edit their email or password. As I restricted the update access there is no save button, so technically they can't update or do any harm other than forcing unlocks, but it is very misleading that it is still editable. I could not find any way to restrict access on that field, which is automatically injected when auth is enabled.


In my expectation this field should be visible as read-only, similar to the other fields.


// Users collection (isAdmin and isAdminOrSelf are access functions defined elsewhere)
import type { CollectionConfig } from 'payload/types'

export const Users: CollectionConfig = {
  slug: 'users',
  auth: true,
  access: {
    create: isAdmin,
    read: () => true,
    update: isAdminOrSelf,
    delete: isAdminOrSelf,
  },
}
  • Hey @690590499202924574

    I think this is a great observation. If update results in false, we should not show anything but the field when viewing an existing doc.

  • chrispy.q, last year

    Thanks for confirming. I was wondering if there might be some configuration option that I missed. Also the field should be read-only, similar to the others. I can open an issue on GitHub to address this.

    @281120856527077378
  • kevscript, last year

    Hey, not sure if I should be opening a new topic, but I have a similar problem. Since I'm providing a custom email for my users and setting up their account with it, I'd like to prevent non-admin users from ever modifying that email. I can't find a way to modify access to that auto-generated email field on an auth collection. Any update on that?

  • chrispy.q, last year

    The problem I was facing was solved with the UI update. It is still possible to edit fields of another user (as editor via bulk edit), but those changes won't get applied; it says "Successfully updated 0 Users" or something like that. Your specific case is a bit different, not sure if this is possible yet. Maybe it is worth a new GitHub issue 🙂

  • kevscript, last year

    Hmm thanks for the update

  • chrispy.q, last year

    You’re welcome

  • kevscript, last year

    Ok, just to update for anyone: the solution was pretty similar. You can initialize an auth collection with your own configured field with `{ name: "email" }`, which should overwrite the generated one. If you set `access: { update: isAdmin }` on it, the field won't appear as read-only to non-admin users as other classic fields do, but it will not keep the changes on save even though the success toast appears.
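To make the two mechanisms discussed in this thread concrete, here is an added example (not code from the thread and not Payload's own code): a Users auth collection whose `access` uses the `isAdmin` / `isAdminOrSelf` pattern from the first post, and which overrides the generated `email` field by name with `access: { update: isAdmin }` as kevscript describes. Payload is not imported; the `AccessArgs`, `Where` and `AccessResult` shapes are local assumptions that mirror what Payload passes to access functions, and `canUpdateField` is a hypothetical helper that simulates the server-side decision (collection-level `Where` result applied to the target id, then the field-level boolean). It shows why an editor's edit to another user's email, or to their own email or roles, is rejected on save regardless of what the admin UI renders.

```typescript
// Added example, not from the thread or Payload. The type shapes below are
// assumptions mirroring Payload's access-function arguments.
type User = { id: string; email: string; roles?: string[] }

// What Payload hands to an access function (assumed shape).
type AccessArgs = { req: { user?: User | null }; id?: string }

// Collection-level access may return a boolean or a Where query constraint;
// field-level access only ever returns a boolean.
type Where = { id: { equals: string } }
type AccessResult = boolean | Where

const hasRole = (user: User | null | undefined, role: string): boolean =>
  Boolean(user?.roles?.includes(role))

// Collection-level: only admins may create users.
export const isAdmin = ({ req }: AccessArgs): boolean =>
  hasRole(req.user, 'admin')

// Collection-level: admins reach every document; everyone else is constrained
// to their own document via a Where clause. A bulk edit by an editor over
// another user's document therefore matches nothing ("updated 0 Users").
export const isAdminOrSelf = ({ req }: AccessArgs): AccessResult => {
  const user = req.user
  if (!user) return false
  if (hasRole(user, 'admin')) return true
  return { id: { equals: user.id } }
}

// Field-level: boolean only, so reuse the admin check directly.
export const isAdminField = ({ req }: AccessArgs): boolean =>
  hasRole(req.user, 'admin')

// Users collection; defining a field named `email` replaces the generated one.
// `roles` gets the same field-level rule so editors cannot promote themselves.
export const Users = {
  slug: 'users',
  auth: true,
  access: {
    create: isAdmin,
    read: () => true,
    update: isAdminOrSelf,
    delete: isAdminOrSelf,
  },
  fields: [
    { name: 'email', type: 'email', required: true, unique: true,
      access: { update: isAdminField } },
    { name: 'roles', type: 'select', hasMany: true,
      options: ['admin', 'editor'], access: { update: isAdminField } },
  ],
}

// Hypothetical simulation of the server-side check for updating one field of
// one document: collection access first, then the field's own access.
export function canUpdateField(
  actor: User | null,
  targetId: string,
  fieldName: string,
): boolean {
  const args: AccessArgs = { req: { user: actor }, id: targetId }
  const collection = isAdminOrSelf(args)
  const docAllowed =
    collection === true ||
    (typeof collection === 'object' && collection.id.equals === targetId)
  if (!docAllowed) return false
  const field = Users.fields.find((f) => f.name === fieldName)
  if (!field) return false
  const fieldRule = field.access?.update
  return fieldRule ? fieldRule(args) : true
}
```

The UI decides what to render from the same access functions, but the save path is what matters: even if the email input is shown as editable to an editor, `canUpdateField(editor, editor.id, 'email')` is false, which is the behaviour kevscript observed (success toast, no change persisted).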
