Payload is joining Figma!Read the announcement
Simplify your stack and build anything. Or everything.
Schedule a Demo
USE CASES
Headless CMSEnterprise App BuilderHeadless E-CommerceDigital Asset Management
FEATURES
Multi-TenancyWhite LabelLocalizationAccess ControlAuth
CASE STUDIES

See what others are building with Payload.

Browse Case Studies
Build tomorrow’s web with a modern solution you truly own.
PAYLOAD IS FOR
DevelopersMarketing teamsEnterprise companiesAgencies & Consultancies
COMPARE PAYLOAD
Payload vs WordPressPayload vs ContentfulPayload vs SanityPayload vs StrapiPayload vs Directus
AGENCY TESTIMONIAL

"Payload has transformed the way our clients manage content. It's an indispensable tool for any modern agency."

Become a PartnerFind a Partner
Code-based nature means you can build on top of it to power anything.
Resources
DocumentationExamplesTemplatesGitHubReleasesBlogGuides & Tutorials
Community
RoadmapDiscordCommunity Help
Resources for Developers

Get the resources you need to start building today

Guides & TutorialsExplore Docs
It’s time to take back your content infrastructure.
Schedule a Demo
Enterprise Features
SSOAI Auto-EmbeddingPublishing WorkflowsVisual EditorStatic A/B testingAI features
Customer Stories
MicrosoftASICSBlue OriginHello BelloTekton
Featured Customer Story

Microsoft chose Payload to tell the world about AI.

Read the case studyBrowse all
LoginGet Started
Community Help

Unathorized

default discord avatar
benslerlast year
21

Hello everyone,



I have three users:


- 1 that is only admin.


- 1 that is admin and user.


- 1 that is only user.



The first two have no problems logging in or anything else.



However the one that is only "user" gets this error when logging in:



Unauthorized, you must be logged in to make this request.


You are not allowed to access this page.



The URL is the dashboard -> my-url/admin



I haven't changed anything access wise, only added the users.



Does anyone know how to fix it?

  • default discord avatar
    notchrlast year
    @99187935642935296

    So you have a single collection type for users / admins?



    May we check out the collection?

  • default discord avatar
    benslerlast year

    I used the default website template on the payload cloud site. It gave me two roles, user and admin

  • default discord avatar
    notchrlast year

    Sure thing, may we see the collection?

  • default discord avatar
    benslerlast year
    export const UserFields: CollectionConfig['fields'] = [
  {
    name: 'name',
    type: 'text',
  },
  {
    name: 'roles',
    type: 'select',
    hasMany: true,
    saveToJWT: true,
    hooks: {
      beforeChange: [ensureFirstUserIsAdmin],
    },
    defaultValue: ['user'],
    options: [
      {
        label: 'admin',
        value: 'admin',
      },
      {
        label: 'user',
        value: 'user',
      },
    ],
    access: {
      read: admins,
      create: admins,
      update: admins,
    },
  },
]

const Users: CollectionConfig = {
  slug: 'users',
  admin: {
    useAsTitle: 'name',
    defaultColumns: ['name', 'email'],
  },
  access: {
    read: adminsAndUser,
    create: anyone,
    update: adminsAndUser,
    delete: admins,
    admin: ({ req: { user } }) => checkRole(['admin'], user),
  },
  auth: true,
  fields: UserFields,
  timestamps: true,
}

export default Users


    Is this what you want? 🙂

  • default discord avatar
    notchrlast year

    hmmm



    @99187935642935296

    temporarily



    replace the read value, adminsAndUser with



    () => true



    read: () => true,



    and then try logging in



    we can determine the source of the issue

  • default discord avatar
    benslerlast year

    Same error

  • discord user avatar
    jarrod_not_jared
    last year

    try removing

    admin: ({ req: { user } }) => checkRole(['admin'], user),
  • default discord avatar
    benslerlast year

    That did the trick, thank you 🙂

  • default discord avatar
    generator101last year
    @281120856527077378

    what does that code do? I am facing similar issue, wouldnt removing that code create some security thing since that checks the role?

  • discord user avatar
    jarrod_not_jared
    last year
    @99187935642935296

    wanted all users to be able to log in to the admin panel, but was restricting it based on the

    admin

    role. A user that did not have that role would never be able to access the admin panel.



    so he would need to extend it to check admin and user roles, or create some other more generic field/setting on a user that allows them to login. Similar convo here:

    https://discord.com/channels/967097582721572934/1126801396331708466
  • default discord avatar
    generator101last year

    I was testing this repo yesterday

    https://discord.com/channels/967097582721572934/1125626247343517707/1126641928633589852

    and faced this issue where I could not login



    https://github.com/payloadcms/payload/blob/master/examples/auth/cms/src/collections/Users.ts#L28

    and that line of code is also here

  • default discord avatar
    notchrlast year
    @944284724824801302

    Interesting, does anyone know the default value of that function?



    must return false or undefined

  • discord user avatar
    jarrod_not_jared
    last year
    @944284724824801302

    Looks like there are a couple small bugs with this example proj, looking into em now

  • default discord avatar
    generator101last year

    thanks

    @281120856527077378

    for now I just commented that hook and it seems to be working but good to get an idea of what is causing the issue

  • discord user avatar
    jarrod_not_jared
    last year

    So I fixed the duplicate

    user

    role being added. The other issue you are having with not being able to create a user with the admin role, makes sense. You really do not want all users to be able to add the

    admin

    role by adding it to the form data. This line (

    https://github.com/payloadcms/payload/blob/master/examples/auth/cms/src/collections/hooks/protectRoles.ts#L7

    ) is responsible for allowing only a specific email address

    demo@payloadcms.com

    to be considered admin. You could adjust this logic to fit your needs though.

  • default discord avatar
    generator101last year
    @281120856527077378

    thanks, that didnt seem to fix the issue, I am an admin and still cannot login



  • discord user avatar
    jarrod_not_jared
    last year

    Did you adjust that line like mentioned?

  • default discord avatar
    generator101last year

    yeah, I update the hook but I left 

    const isAdmin = req.user?.roles.includes('admin')

    which I think should be sufficient no?



    I already have admin user



    but somehow this hook changes that role to user

  • discord user avatar
    jarrod_not_jared
    last year

    Oh I see, can you add

    saveToJWT: true,

    to the roles field on the users collection

  • default discord avatar
    generator101last year
    @281120856527077378

    unfortunately if I enable 

    admin: ({ req: { user } }) => checkRole(['admin'], user),

    I still have unauthorized message error

  • discord user avatar
    jarrod_not_jared
    last year

    AH



    my fix for the protectRoles function was wrong. updated, see here:

    https://github.com/payloadcms/payload/commit/4b60845c670a211b9052f48c7dd7793350f0e8c8
Open

Continue the discussion in Discord

Star on GitHub

Star

Chat on Discord

Discord

online

Can't find what you're looking for?

Get dedicated engineering support directly from the Payload team.