Cloud PricingDocsFor EnterpriseCommunity HelpBlog
New projectLogin
New projectLogin
Community Help

Access control for unpublishing

default discord avatar
cerize
10 months ago
1 1

Hello! Maybe I am missing something, but I could not find anything related to access control of the 'unpublish' action. Is it possible?

  • discord user avatar
    jacobsfletch
    Payload Team
    10 months ago

    @cerize Hi! You can use the beforeChange hook to check the document's _status. If it went from published to draft then you can throw an API error. Something like this (untested):

    import APIError from "payload/dist/errors/APIError";

const beforeChangeHook: GlobalBeforeChangeHook = async ({
  data, // incoming data to update or create with
  req, // full express request
  originalDoc, // original document
}) => {
  if (originalDoc._status === 'published' && data._status !== 'published') throw new APIError('You cannot do this!');
  return data; // Return data to update the document with
}

    Here are the docs for this hook: https://payloadcms.com/docs/hooks/globals#beforechange

    7 replies
  • default discord avatar
    cerize
    10 months ago

    @jacobsfletch let me bug you one more time. Does a hook ever receive the _status 'changed'? It seems that if I publish a document, then make a random modification, the status goes back to 'draft' and I thought it would be 'changed': https://payloadcms.com/docs/versions/drafts#database-changes. My use case is 'Do not allow changing the field x if the document was ever published.

  • default discord avatar
    cerize
    9 months ago

    @jacobsfletch there is also another scenario that would make the status go from published to draft. It's when something is published as someone just 'save draft'. So that may not be enough to distinguish 'unpublish'?

  • discord user avatar
    jacobsfletch
    Payload Team
    9 months ago

    @cerize I believe the changed status is virtual and doesn't ever save to the db. This is because a single document is never changed—they can only every be draft or published.

    It's when something is published as someone just 'save draft'. So that may not be enough to distinguish 'unpublish'?

    Ok so you need to prevent them from unpublishing documents, but allow them to save drafts. You're right this is tricky, it's not immediately clear to me how we'd handle these cases.

  • default discord avatar
    cerize
    9 months ago

    thanks for the clarification @jacobsfletch! Do you know if it's in the roadmap any change that would allow to target the 'unpublish' action?

  • discord user avatar
    DanRibbens
    Payload Team
    9 months ago

    You could add a hidden: true field for new field named wasPublished that you give a beforeChange that conditionally sets the field true if (value || _status === 'published'). Then in a custom validation logic function on the locked in fields you could compare the wasPublished value.

    Would that work for your scenario @cerize?

  • discord user avatar
    jacobsfletch
    Payload Team
    9 months ago

    ^^ BOOM! @cerize you should give this a shot.

    Do you know if it's in the roadmap any change that would allow to target the 'unpublish' action?

    I believe it's this one: #1324

  • default discord avatar
    cerize
    9 months ago

    Thanks @DanRibbens and @jacobsfletch , I will try!

Open the post
Continue the discussion in GitHub
Like what we're doing?
Star us on GitHub!

Star

Connect with the Payload Community on Discord

Discord

online

Can't find what you're looking for?

Get help straight from the Payload team with an Enterprise License.