
Unauthorized

bensler last year

Hello everyone,

I have three users:

- 1 that is only admin.
- 1 that is admin and user.
- 1 that is only user.

The first two have no problems logging in or anything else.

However the one that is only "user" gets this error when logging in:

Unauthorized, you must be logged in to make this request.
You are not allowed to access this page.

The URL is the dashboard -> my-url/admin

I haven't changed anything access wise, only added the users.

Does anyone know how to fix it?

  • notchr last year
    @99187935642935296

    So you have a single collection type for users / admins?



    May we check out the collection?

  • bensler last year

    I used the default website template on the payload cloud site. It gave me two roles, user and admin

  • notchr last year

    Sure thing, may we see the collection?

  • bensler last year
    export const UserFields: CollectionConfig['fields'] = [
      {
        name: 'name',
        type: 'text',
      },
      {
        name: 'roles',
        type: 'select',
        hasMany: true,
        saveToJWT: true,
        hooks: {
          beforeChange: [ensureFirstUserIsAdmin],
        },
        defaultValue: ['user'],
        options: [
          {
            label: 'admin',
            value: 'admin',
          },
          {
            label: 'user',
            value: 'user',
          },
        ],
        access: {
          read: admins,
          create: admins,
          update: admins,
        },
      },
    ]
    
    const Users: CollectionConfig = {
      slug: 'users',
      admin: {
        useAsTitle: 'name',
        defaultColumns: ['name', 'email'],
      },
      access: {
        read: adminsAndUser,
        create: anyone,
        update: adminsAndUser,
        delete: admins,
        admin: ({ req: { user } }) => checkRole(['admin'], user),
      },
      auth: true,
      fields: UserFields,
      timestamps: true,
    }
    
    export default Users


    Is this what you want? 🙂

  • notchr last year

    hmmm

    @99187935642935296 temporarily replace the read value, adminsAndUser with () => true

    read: () => true,

    and then try logging in

    we can determine the source of the issue

  • bensler last year

    Same error

  • try removing

    admin: ({ req: { user } }) => checkRole(['admin'], user),

  • bensler last year

    That did the trick, thank you 🙂

  • generator101 last year
    @281120856527077378

    what does that code do? I am facing a similar issue, wouldn't removing that code create some security thing since that checks the role?

  • @99187935642935296 wanted all users to be able to log in to the admin panel, but was restricting it based on the admin role. A user that did not have that role would never be able to access the admin panel.

    so he would need to extend it to check admin and user roles, or create some other more generic field/setting on a user that allows them to login. Similar convo here:

    https://discord.com/channels/967097582721572934/1126801396331708466

  • notchr last year
    @944284724824801302

    Interesting, does anyone know the default value of that function?



    must return false or undefined

  • @944284724824801302

    Looks like there are a couple small bugs with this example proj, looking into em now

  • generator101 last year

    thanks @281120856527077378 for now I just commented that hook and it seems to be working but good to get an idea of what is causing the issue

  • So I fixed the duplicate user role being added. The other issue you are having with not being able to create a user with the admin role, makes sense. You really do not want all users to be able to add the admin role by adding it to the form data. This line (https://github.com/payloadcms/payload/blob/master/examples/auth/cms/src/collections/hooks/protectRoles.ts#L7) is responsible for allowing only a specific email address demo@payloadcms.com to be considered admin. You could adjust this logic to fit your needs though.

  • generator101 last year
    @281120856527077378

    thanks, that didn't seem to fix the issue, I am an admin and still cannot login



  • Did you adjust that line like mentioned?

  • generator101 last year

    yeah, I updated the hook but I left

    const isAdmin = req.user?.roles.includes('admin')

    which I think should be sufficient no?

    I already have admin user

    but somehow this hook changes that role to user

  • Oh I see, can you add

    saveToJWT: true,

    to the roles field on the users collection

  • generator101 last year
    @281120856527077378

    unfortunately if I enable

    admin: ({ req: { user } }) => checkRole(['admin'], user),

    I still have unauthorized message error

  • AH



    my fix for the protectRoles function was wrong. updated, see here:

    https://github.com/payloadcms/payload/commit/4b60845c670a211b9052f48c7dd7793350f0e8c8
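
The panel gate and the role-assignment concern discussed in this thread, as an added example that is not code from the thread or from Payload's repository. The body of `checkRole`, the `sanitizeRoles` guard, the local types and the sample accounts are assumptions made for illustration.

```typescript
// Added example. Local types stand in for Payload's user and request objects.
type Role = 'admin' | 'user'
interface DemoUser { email: string; roles?: Role[] }
interface DemoReq { user?: DemoUser | null }

// Assumed body for the thread's checkRole helper: true when the user holds
// any allowed role. No user, or a user object carrying no roles, is denied.
function checkRole(allowed: Role[], user?: DemoUser | null): boolean {
  const roles = user?.roles ?? []
  return roles.some((role) => allowed.indexOf(role) !== -1)
}

// The gate from the posted collection: only 'admin' may open the admin panel,
// so a user-only account authenticates and is then refused at /admin.
const adminOnlyPanel = ({ req: { user } }: { req: DemoReq }): boolean =>
  checkRole(['admin'], user)

// The extended gate suggested in the thread: both roles may open the panel.
const adminAndUserPanel = ({ req: { user } }: { req: DemoReq }): boolean =>
  checkRole(['admin', 'user'], user)

// Hypothetical guard for the roles field, in the style of a beforeChange hook:
// 'admin' in submitted form data survives only when the requester is already
// an admin; 'user' is always present and never duplicated.
function sanitizeRoles(req: DemoReq, submitted?: Role[]): Role[] {
  const requesterIsAdmin = checkRole(['admin'], req.user)
  const kept = (submitted ?? []).filter(
    (role, i, all) => all.indexOf(role) === i && (requesterIsAdmin || role !== 'admin'),
  )
  if (kept.indexOf('user') === -1) kept.push('user')
  return kept
}

// Constructed sample accounts.
const adminUser: DemoUser = { email: 'admin@example.test', roles: ['admin'] }
const plainUser: DemoUser = { email: 'user@example.test', roles: ['user'] }
const userWithoutRoles: DemoUser = { email: 'norole@example.test' }
```

Removing the `admin` access function, as was done in the thread, opens the panel to every authenticated user; the collection-level and field-level access functions then carry the whole restriction.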