I'm getting the below issue when creating CRUD operations on any collection in the admin dashboard:
"You are not allowed to perform this action".
It works locally, but not on the server.
I'm guessing the user is not being recognized and that can happen for a few reasons.
It could be that your app is using an nginx proxy. There is a setting for this, trustProxy. You can find more about that here:
https://payloadcms.com/docs/production/preventing-abuse#rate-limiting-requests
It can also be an issue with CSRF. Can you see in your browser network connection if you have any more information about the failing request?
I reproduced this issue following the Northflank tutorial here:
In my payload.config.ts file I have set the following:
rateLimit: {
  trustProxy: true,
},
But I still get the 403 Forbidden error on all admin dashboard actions.
My network tab shows the following on the failing request.
Response headers:
access-control-allow-headers: Origin, X-Requested-With, Content-Type, Accept, Authorization, Content-Encoding, x-apollo-tracing
access-control-allow-methods: PUT, PATCH, POST, GET, DELETE, OPTIONS
content-language: en
content-length: 70
content-type: application/json; charset=utf-8
date: Tue, 20 Dec 2022 09:39:32 GMT
etag: W/"46-bd4yfQXS/voMs5vNOs0ci7W7Q7k"
server: istio-envoy
vary: X-HTTP-Method-Override, Accept-Encoding
x-envoy-upstream-service-time: 8
x-powered-by: Express
x-ratelimit-limit: 500
x-ratelimit-remaining: 487 <-- this looks OK right?
x-ratelimit-reset: 1671529179
Response body:
{"errors":[{"message":"You are not allowed to perform this action."}]}
I see the payload-token in the request headers inside the cookie.
SOLVED ✅
After following the tip about CSRF and this tutorial, the problem was gone.
In short, you need to whitelist all the domains where the app is running in the payload.config.ts file by adding the domains to the csrf array as follows:
csrf: [
  'https://staging.code.run', // staging
  'https://production.code.run', // production
],
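The following is an added illustration (not Payload's own code, and not from the thread) of why a request carrying a valid payload-token cookie is still refused when the admin UI is served from a domain missing from the csrf array: cookie-based auth is only honoured when the request's Origin (or Referer) origin is whitelisted, while a bearer token in the Authorization header is not subject to that check. The request shape, the "JWT " header prefix and the rejection returning undefined are assumptions made for the example.

```typescript
// Constructed request shape used only for this illustration.
interface ConstructedRequest {
  headers: Record<string, string | undefined>;
  cookies: Record<string, string | undefined>;
}

// Reduce a URL-like header value to scheme://host[:port], so a Referer that
// carries a path (e.g. /admin/collections) still matches a whitelisted origin.
export function normalizeOrigin(value: string | undefined): string | undefined {
  if (!value) return undefined;
  try {
    return new URL(value).origin;
  } catch {
    return undefined; // malformed header: treat as no origin
  }
}

// Decide which token, if any, may authenticate the request.
// Assumption: an Authorization header of the form "JWT <token>" bypasses the
// CSRF origin check; a cookie token is accepted only if the request origin
// is in the csrf whitelist. A miss yields undefined, which upstream turns
// into "You are not allowed to perform this action".
export function extractToken(req: ConstructedRequest, csrf: string[]): string | undefined {
  const auth = req.headers['authorization'];
  if (auth && auth.startsWith('JWT ')) return auth.slice(4);

  const cookieToken = req.cookies['payload-token'];
  if (!cookieToken) return undefined;

  const origin = normalizeOrigin(req.headers['origin'] ?? req.headers['referer']);
  const allowed = new Set(
    csrf.map(normalizeOrigin).filter((o): o is string => typeof o === 'string'),
  );
  return origin !== undefined && allowed.has(origin) ? cookieToken : undefined;
}
```

With the two code.run domains whitelisted, a cookie-bearing request from https://staging.code.run is accepted, while the same request from an origin not in the list is rejected even though the cookie is present, which is exactly the symptom seen in the network tab above.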
You saved my day!