Morning all - quick question - is it possible to show/hide certain collections and content in the CMS based on a user's role? If so, could you point me in the right direction please? Thanks.
Good morning. The easiest way to achieve this is to assign a `role` field to your users collection, it could be as simple as a select field with values such as `admin`, `user`, `visitor` or whatever.
Collections in payload are automatically shown/hidden from the user depending on their access properties. Each collection (and even individual fields!) can have their access properties set for `read`, `create`, `update` and `delete` individually.
These properties are functions which take the current user as their parameter, you can check the provided user against their role. Let's take the `access.read` property of the fictional collection `Messages`. You can define the function so that it returns either
- `true` meaning the user will be able to see all messages
- `false` denying access to any messages
- or return what is called a `query constraint`, for instance
```js
{
  sender: {
    equals: user.id
  }
}
```
So that the user can only see the messages he sent out.
If a user does not have read access to a collection, it will not be shown in the admin dashboard. Furthermore, even if he has access to the collection (but you still want to hide it) you can use the `admin.isHidden` property of fields to hide individual fields, if that is more what you want. Give me a second to assemble the resources in the documentation for you
I guess it's important to distinguish between API access permissions and what the user can see & do in the admin panel of the CMS. In this instance, I'm referring specifically to the admin panel.
so you do want the user to be able to have read access via the API but still want to hide the collection in the admin dashboard?
Here is the go-to resource for general access control, the video is very helpful. If you want to de-couple API read access and visibility in the admin dashboard I am not sure it is possible right now, I'll have another look into it though
Thank you. In my instance, all API data will be public (as it's for a website), so I'm not overly concerned about that aspect atm. I'm currently more concerned about being able to deliver different experiences for editors in the CMS (think marketing people etc.)
Oh yes I understand, one quick and easy step to make their life easier would be to separate the collections into different `groups`, that already cleans up the dashboard UI significantly. I cannot see a way to hide collections completely, I will try to clarify that tonight and if it is indeed missing start a PR for it so it could be added soon hopefully
btw, you can also always use your own custom dashboard components as payload is headless, but that of course would be a bigger effort than just setting `isHidden` to true in the collection
For that you could take the component docs as a starting point
https://payloadcms.com/docs/admin/components#collections
Thank you - yeah, in this instance we'd only want certain roles to see certain content in the CMS. So for example, the People Ops team would be responsible for all Careers related content (and that's all they'd see), and other marketing teams wouldn't see the Careers content in the CMS but would only see and have access to content related to their role.
Oh yes I can clearly see the benefit! I am not sure if there is something along those lines planned/already on the way. If not I will give it a try myself. Once I have news to share I'll post them here in this thread
Thanks @245330411570331648 - I really appreciate it
I found a workaround. When defining the `access.read` access control function, the id parameter is undefined when the payload cms is setting up the field visibility. But is defined when the API is reading the field.
-> Here's that in the docs
https://payloadcms.com/docs/access-control/overview#argument-availability
So I made a function to hide collections and fields to editor users. (Being `editor` a custom user field). But not disturbing the normal GET response.
```js
const HideToEditors = ({ req: { user }, id }) => {
  if (user?.role == 'editor' && id === undefined) {
    return false;
  }
  return true;
}
```
and then
```js
access: {
  read: HideToEditors
},
```
I have started a Github discussion about this, you can find it here
https://github.com/payloadcms/payload/discussions/1462
Let me know if the proposed solutions would solve your problem and if you have any other thoughts about it
clever solution btw!
Is this what you're looking for? ^
Thanks. I guess this proposal would also solve my problem, even though i still don't think "Account Settings" should be restricted by "Users" access controls.
I implemented your workaround and it seems to do its job. The "Users" collection is hidden, but you can still edit your profile settings.
Small Update: The workaround does not work on the "Media" collection. Media is hidden, but the editor role loses the ability to select and preview/view media files through other collections.
Awesome stuff
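
Added example (not part of the thread and not Payload's own code): the workaround's function run against constructed call shapes, assuming a list read arrives without an `id` just as the admin panel's visibility check does. It shows that the `id === undefined` test cannot tell those two callers apart, which is consistent with the Media picker breaking, and that the function only hides content from editors while unauthenticated reads stay open.

```javascript
// The function as posted in the thread.
const HideToEditors = ({ req: { user }, id }) => {
  if (user?.role == 'editor' && id === undefined) {
    return false;
  }
  return true;
};

// Constructed call contexts (assumption): which read paths carry an `id`.
// Only `req.user` and `id` are modelled; real calls carry more arguments.
const contexts = {
  adminVisibility: () => ({}),         // admin panel deciding what to show: no id
  findByID: () => ({ id: 'doc-1' }),   // single-document read: id present
  listQuery: () => ({}),               // list read, e.g. a media picker: no id
};

// Evaluate an access function for every role in every context.
function decisionTable(accessFn, roles) {
  const table = {};
  for (const role of roles) {
    table[role] = {};
    for (const [name, makeArgs] of Object.entries(contexts)) {
      table[role][name] = accessFn({ req: { user: { role } }, ...makeArgs() });
    }
  }
  return table;
}

// Requests without a logged-in user have no `user` object at all.
function anonymousRead(accessFn, id) {
  return accessFn({ req: { user: undefined }, id });
}

const table = decisionTable(HideToEditors, ['admin', 'editor']);
console.table(table);
console.log('anonymous list read allowed:', anonymousRead(HideToEditors, undefined));
```

Because an editor can still read any document whose id is supplied, and anonymous callers are never denied, this pattern is a UI filter and should not be relied on to keep data from a role.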