Code-based nature means you can build on top of it to power anything.
Resources
DocumentationExamplesTemplatesGitHubBlog
Community
RoadmapDiscordCommunity Help
Payload Cloud

Deploy your entire stack in one place with Payload Cloud.

LoginCloud Pricing
It’s time to take back your content infrastructure.
Schedule a Demo
Enterprise Features
SSOPublishing WorkflowsVisual EditorStatic A/B testingAI features
Customer Stories
MicrosoftBlue OriginHello BelloMythical SocietyTekton
Featured Customer Story

Microsoft chose Payload to tell the world about AI.

Read the case study
New projectLogin
New projectLogin
Community Help

You are not allowed to perform this action in Admin dashboard

default discord avatar
Veera26last year
4

I'm getting below issue when I am creating CRUD operation on any collection in admin dashboard.


"You are not allowed to perform this action" .



It works locally. But not working in server

  • discord user avatar
    dribbens
    last year

    I'm guessing the user is not being recognized and that can happen for a few reasons.


    It coudl be that your app is using an nginx proxy. There is a setting for this

    trustProxy

    . You can find more about that here:

    https://payloadcms.com/docs/production/preventing-abuse#rate-limiting-requests

    It can also be an issue with CSRF. Can you see in your browser network connection if you have any more information about the failing request?

  • default discord avatar
    kaspartrlast year

    I reproduced this issue following Northflank tutorial here:


    https://northflank.com/guides/deploying-payload-cms

    In my payload.config.ts file I have set the following


      rateLimit: {
    trustProxy: true,
  },


    But I still get the 403 Forbitten error on all admin dashboard actions.



    My network tab shows the following on the failing request.


    Response headers:


    access-control-allow-headers: Origin, X-Requested-With, Content-Type, Accept, Authorization, Content-Encoding, x-apollo-tracing
access-control-allow-methods: PUT, PATCH, POST, GET, DELETE, OPTIONS
content-language: en
content-length: 70
content-type: application/json; charset=utf-8
date: Tue, 20 Dec 2022 09:39:32 GMT
etag: W/"46-bd4yfQXS/voMs5vNOs0ci7W7Q7k"
server: istio-envoy
vary: X-HTTP-Method-Override, Accept-Encoding
x-envoy-upstream-service-time: 8
x-powered-by: Express
x-ratelimit-limit: 500
x-ratelimit-remaining: 487 <-- this looks OK right?
x-ratelimit-reset: 1671529179


    Response body:


    {"errors":[{"message":"You are not allowed to perform this action."}]}


    I see the payload-token in the request headers inside the cookie



    SOLVED ✅



    After following the tip about CSRF and this tutorial, the problem was gone.


    https://payloadcms.com/docs/authentication/overview#csrf-protection

    In short, you need to whitelist all your domains where the app is running in the payload.conf.ts file by adding the domains into the csrf array as follows:


      csrf: [
    'https://staging.code.run', // staging
    'https://production.code.run', // production
  ],
  • default discord avatar
    edubasabelast year

    You saved my day!

Open

Continue the discussion in Discord

Star on GitHub

Star

Chat on Discord

Discord

online

Can't find what you're looking for?

Get help straight from the Payload team with an Enterprise License.