Hey there, I have a Users collection with auth enabled and two separate roles, editor and admin. I am able to restrict the editors' access for all fields in that collection so that they can only update their own fields. I just recognized that when logged in as an editor I can view the details of an admin and even force an unlock and edit their email or password. As I restricted the update access there is no save button, so technically they can't update or do any harm other than forcing unlocks, but it is very misleading that it is still editable. I could not find any way to restrict access on that field, which is automatically injected when auth is enabled.
In my expectation this field should be visible as read-only, similar to the other fields.
```js
// Users collection
access: {
  create: isAdmin,
  read: () => true,
  update: isAdminOrSelf,
  delete: isAdminOrSelf,
},
```
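The post above shows the `access` block but not the `isAdmin` and `isAdminOrSelf` functions it references. The following is an added example (not code from the thread or from Payload itself) of how such collection-level access functions are typically written, with constructed sample users to exercise them. It assumes a `roles` array field on the Users collection holding `'admin'` or `'editor'`; the `allows` helper is a hypothetical stand-in for how Payload applies a returned query constraint, added only so the result can be checked against a document id offline. It does not address the auto-injected email/password field the question is about, which the thread leaves unresolved.

```javascript
// Added example: Payload-style collection access functions for the Users
// collection discussed above. Assumes users carry a `roles` array field
// (assumption, not from the original post).

const hasRole = (user, role) =>
  Array.isArray(user?.roles) && user.roles.includes(role);

// Collection-level access functions receive { req, id, data }; only req.user
// is needed here. An unauthenticated request has no user and is denied.
const isAdmin = ({ req: { user } }) => hasRole(user, 'admin');

// Admins get full access. Any other logged-in user is limited to their own
// document: returning a Where query (instead of a boolean) lets Payload apply
// the restriction both to single-document operations and to list queries.
const isAdminOrSelf = ({ req: { user } }) => {
  if (!user) return false; // not logged in: deny
  if (hasRole(user, 'admin')) return true;
  return { id: { equals: user.id } };
};

// Hypothetical helper, constructed for this example: evaluates an access
// result against one document id the way a query constraint would be applied.
function allows(result, docId) {
  if (typeof result === 'boolean') return result;
  return result?.id?.equals === docId;
}

// Where the functions plug in; mirrors the access block from the post.
const Users = {
  slug: 'users',
  auth: true,
  fields: [
    { name: 'roles', type: 'select', hasMany: true, options: ['admin', 'editor'] },
  ],
  access: {
    create: isAdmin,
    read: () => true,
    update: isAdminOrSelf,
    delete: isAdminOrSelf,
  },
};

// Constructed sample users for a stand-alone run.
const adminUser = { id: 'u1', roles: ['admin'] };
const editorUser = { id: 'u2', roles: ['editor'] };

console.log('editor may update own doc:', allows(isAdminOrSelf({ req: { user: editorUser } }), 'u2'));
console.log('editor may update admin doc:', allows(isAdminOrSelf({ req: { user: editorUser } }), 'u1'));
console.log('admin may create:', isAdmin({ req: { user: adminUser } }));
console.log('anonymous may create:', isAdmin({ req: { user: null } }));
```

Note that `read: () => true` is what makes an editor able to open an admin's document in the first place; the collection-level `update` rule only removes the save button, which is exactly the misleading state described in the post.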
Hey @chris_heinz, I think this is a great observation. If update results in false we should not show anything but the field when viewing an existing doc.
Thanks for confirming. I was wondering if there might be some configuration option that I missed. Also, the field should be read-only, similar to the others. I can open an issue on GitHub to address this @jarrod69420