Code-based nature means you can build on top of it to power anything.
Resources
DocumentationExamplesTemplatesGitHub
Community
RoadmapDiscordCommunity Help
Payload Cloud

Deploy your entire stack in one place with Payload Cloud.

LoginCloud Pricing
It’s time to take back your content infrastructure.
Schedule a Demo
Enterprise Features
SSOPublishing WorkflowsVisual EditorAI TranslationsAI Writing Assistant
Customer Stories
MicrosoftHello BelloHope NetworkTektonMy290
Featured Customer Story

Microsoft chose Payload to tell the world about AI.

Read the case study
New projectLogin
New projectLogin
Community Help

Access Control for a collection when authenticated against specific collection only

default discord avatar
ryanlanciaux2 years ago
1 1

My apologies about this question, as it may be something that's clearly answered in the docs.

I have two user collections: admins and users, Both of the user collections have lists of users with the intent of different responsibilities. admins should be able to edit everything through the admin panel whereas users will basically have a profile they can edit, and that's it.

I'd like to make it so admins could see the list of all other admins, where standard users shouldn't have this functionality. I see in the docs for Access Control it says:

Declaring who should have access to what documents is no more complex than writing a simple JavaScript function that either returns a boolean or a query constraint to restrict which documents users can interact with.

Based on this, I think a query constraint is what I need, however, I get a little lost regarding how to specify a query that says "show me this collection ONLY if I'm in an admin list." As it stands today, I can see the admins collection whether I'm logged in as a standard user or an admin, instead of admin only.

One other thing I tried is to perform a payload.query inside the access control function, but that seemed to cause errors due to the async / promises. Any thoughts on how to achieve this would be greatly appreciated!

  • Selected Answer
    discord user avatar
    denolfe
    2 years ago

    Hey @ryanlanciaux, thanks for the question. You were definitely on the right track. We could probably explain this more and add examples of this in the documentation. Here is an example of doing what you describe:

    You can see from the code that if the user is in the admins collection it will return true, indicating access to all. However, if the user is in the users collection, a query constraint is returned that will return only documents with that user's id.

    const userAccess = ({ req: { user } }) => {
  if (user) {
    if (user.collection === 'admins') {
      return true;
    }

    if (user.collection === 'users') {
      return {
        id: {
          equals: user.id,
        },
      };
    }
  }

  return false;
};

export { userAccess };

    If you put that code in a separate file, then import it - you'd use it in your collection like this:

    access: {
    admin: () => true, // Allow access to admin panel
    read: userAccess,
    update: userAccess,
  },

    You may also consider having a similar function for create and delete as well.

    Hopefully, this helps. Let me know if there are any issues running that code 👍

    1 reply
  • default discord avatar
    ryanlanciaux2 years ago

    Thanks a ton! This works perfectly for me.

Open

Continue the discussion in GitHub

Star on GitHub

Star

Chat on Discord

Discord

online

Can't find what you're looking for?

Get help straight from the Payload team with an Enterprise License.