
ERROR (payload): Forbidden: You are not allowed to perform this action.

eduhdev12
2 months ago

Bug Report

Hi, I deployed my payload-cms to Docker on a VPS, but after the first user registration I don't have access to anything. Everything works fine, no other errors in the container logs, but I can't create any new data in the collection due to "ERROR (payload): Forbidden: You are not allowed to perform this action".
This only happens in the production environment; running yarn serve on a local machine doesn't present any problems.

Steps to Reproduce

  1. Account registration process
  2. Creation of a new category attempt

Other Details

Payload version: 1.5.9

  • eduhdev12
    last month

    Hello, in my case someone helped me and changed the csrf setting, which must follow the connection type prefix (http or https), and now it seems to work flawlessly!

  • jmikrut
    Payload Team
    2 months ago

    Hey @eduhdev12 — this is probably related to one of two things:

    1. your cookie config. You should open your inspector, look at the Network tab, and inspect the auth cookie that is being set. Make sure it doesn't get blocked for any reason. It could be that you have some cookie settings that are conflicting with your live instance.
    2. CSRF. Take a look at this link: https://payloadcms.com/docs/authentication/overview#csrf-protection - you may need to whitelist your production domain within your csrf settings to allow the cookie to be read while on your production domain.

    I'll convert this to a discussion to keep conversation going as this is not a problem with Payload itself, but I'm more than happy to help!

    4 replies
    eduhdev12
    2 months ago

    Thank you for these details, but sadly the csrf setting didn't fix the issue, and I can confirm that the cookie header is present in the request!

    cookie: payload-token=jwt

    The decoded JWT payload is good, but still no new results!
    I really want to fix this issue; it's very important.

    jmikrut
    Payload Team
    2 months ago

    Are there any yellow "alert" symbols on the cookie? What browser are you using?

    You should compare the Payload demo network panel cookies / requests to that of your prod instance.

    See my inspector here after logging into the demo:

    [Screenshot: inspector Network panel after logging into the demo, 2023-01-19]

    eduhdev12
    2 months ago

    [Screenshot]

    The /api/access request has no issues; the problem is when I try to create a new item in any collection, even though create access is () => true.

    eduhdev12
    2 months ago

    This is the whole console log, if it helps:

    [16:28:49] ERROR (payload): Forbidden: You are not allowed to perform this action.
        at new ExtendableError (/usr/src/app/node_modules/payload/dist/errors/APIError.js:22:15)
        at new APIError (/usr/src/app/node_modules/payload/dist/errors/APIError.js:38:9)
        at new Forbidden (/usr/src/app/node_modules/payload/dist/errors/Forbidden.js:10:9)
        at executeAccess (/usr/src/app/node_modules/payload/dist/auth/executeAccess.js:9:23)
        at processTicksAndRejections (internal/process/task_queues.js:95:5)
        at async create (/usr/src/app/node_modules/payload/dist/collections/operations/create.js:37:9)
        at async createHandler (/usr/src/app/node_modules/payload/dist/collections/requestHandlers/create.js:12:21)
    
  • Barbacoa08
    2 months ago

    This sounds like the same issue that I'm running into (link to my discussion).

    Related: the deployment docs are 404.

    10 replies
    eduhdev12
    2 months ago

    Have you managed to fix it?

    Barbacoa08
    2 months ago

    Nope 😞. Still poking around trying to get it working. I can use () => true to be able to make updates. So for now I'm just setting everything to () => true while I make updates, then immediately resetting it back to isAdmin/etc. once I'm done making edits. Or just editing locally, as I'm also only seeing this happen in the prod environment; localhost works as expected.

    eduhdev12
    2 months ago

    For me () => true is not working at all in production, just on the local env.

    Barbacoa08
    2 months ago

    Your payload.config.ts has this line in it, yes?
    serverURL: process.env.PAYLOAD_PUBLIC_BASE_DNS

    And your PAYLOAD_PUBLIC_BASE_DNS includes your UN+PW, yes? MongoDB Atlas will look like this:
    mongodb+srv://{username}:{password}@{dbname}.ntzanfx.mongodb.net/?retryWrites=true&w=majority

    BTW, the only tutorial I could find about hosting PayloadCMS was at Northflank. I'm running into a similar issue to yours, but I was able to get a bit further. And it's free for something as simple as a POC.

    eduhdev12
    2 months ago

    I am trying to see if the serverURL is the issue, but I am sure that MongoDB is working, because I tried to change something manually in the database and it's reading the data; the problem is writing new data.

    Do you include the http/https scheme in the serverURL?

    Barbacoa08
    2 months ago

    https

    eduhdev12
    2 months ago

    I made a little progress: now () => true works well, but any access guard or check for whether the user is undefined is not working at all. Doing requests from the CMS, I get the user as undefined all the time.

    Barbacoa08
    2 months ago

    Are you using a docker container? It sounds like you're in basically the same situation that I am now, and I'm wondering how close our projects are.

    My hosting environment is running a docker container. And I'm wondering if it's the docker container that's causing these auth issues.

    Also, do you have any csrf and/or cors settings in your payload.config.ts?

    eduhdev12
    2 months ago

    Yes, I am using a normal Docker container with csrf and cors: "*". Sometimes it makes a double call to the create access function: the first one has the user undefined and the second one contains the user, but the error comes up without any action.

    Barbacoa08
    2 months ago

    Yup, that's what I'm seeing as well. I have my csrf and cors locked to my environment, but otherwise we seem to have the same setup and are seeing the same thing happen.
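The two threads above converge on the same configuration point: jmikrut's advice to check the auth cookie and the csrf whitelist, eduhdev12's eventual fix (the csrf entry has to carry the same http/https scheme as the deployed site), and Barbacoa08's question about serverURL and csrf/cors. The following added example is not Payload's own code and not from any participant; it derives serverURL, csrf, cors and the auth cookie flags from one public URL so they cannot disagree on scheme or host, and includes a deliberately simplified origin check plus a stand-in for the access guard to show why a scheme mismatch surfaces as "user is undefined" followed by Forbidden. The config keys serverURL, csrf, cors and auth.cookies are real Payload options; everything else (authSettingsFromServerURL, originAllowed, executeAccess, the sample origins) is an assumption made for illustration.

```javascript
// Added example (not Payload's code): keep serverURL, csrf, cors and the auth
// cookie consistent by deriving them all from the one public origin.
// Only `serverURL`, `csrf`, `cors` and `auth.cookies` are real Payload keys;
// the helper functions are hypothetical.

function authSettingsFromServerURL(serverURL) {
  const url = new URL(serverURL);
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    throw new Error(`serverURL must be http(s), got ${url.protocol}`);
  }
  const origin = url.origin; // scheme + host + port, trailing path dropped
  return {
    serverURL: origin,
    csrf: [origin], // scheme included: "https://..." and "http://..." are different origins
    cors: [origin], // explicit origin instead of '*' in production
    cookies: {
      // a Secure cookie is never sent over plain http, so this must track the scheme
      secure: url.protocol === 'https:',
      sameSite: 'lax',
    },
  };
}

// Simplified illustration of a csrf origin check (NOT Payload's real logic):
// the Origin header must match a whitelisted origin exactly, scheme included.
function originAllowed(originHeader, csrfList) {
  if (!originHeader) return false;
  let origin;
  try {
    origin = new URL(originHeader).origin;
  } catch {
    return false; // malformed Origin header is treated as not allowed
  }
  return csrfList.includes(origin);
}

// Access function in the shape Payload calls: ({ req }) => boolean.
// When the cookie is not read, req.user is undefined and this returns false.
function isAuthenticated({ req }) {
  return Boolean(req && req.user);
}

// Stand-in for the executeAccess step seen in the stack trace above.
class Forbidden extends Error {
  constructor() {
    super('Forbidden: You are not allowed to perform this action.');
    this.status = 403;
  }
}

function executeAccess(accessFn, req) {
  if (!accessFn({ req })) throw new Forbidden();
  return true;
}

// Constructed scenario: site served over https, csrf list written with http.
function demo() {
  const misconfigured = { csrf: ['http://cms.example.com'] }; // constructed
  const corrected = authSettingsFromServerURL('https://cms.example.com');
  const browserOrigin = 'https://cms.example.com'; // what the admin UI sends
  return {
    mismatch: originAllowed(browserOrigin, misconfigured.csrf), // false
    matched: originAllowed(browserOrigin, corrected.csrf), // true
  };
}

// How the derived settings would sit in payload.config.ts (hypothetical env name).
const PUBLIC_URL = process.env.PAYLOAD_PUBLIC_SERVER_URL || 'https://cms.example.com';
const prod = authSettingsFromServerURL(PUBLIC_URL);
const payloadConfigFragment = {
  serverURL: prod.serverURL,
  csrf: prod.csrf,
  cors: prod.cors,
  collections: [
    {
      slug: 'users',
      auth: { cookies: prod.cookies },
      access: { create: isAuthenticated },
    },
  ],
};

module.exports = { authSettingsFromServerURL, originAllowed, isAuthenticated, Forbidden, executeAccess, demo, payloadConfigFragment };
```

In a real project the fragment is spread into buildConfig from payload/config; the point of the helper is that a single PUBLIC_URL decides the cookie's Secure flag and the csrf/cors origins together, so a reverse proxy that terminates TLS cannot leave the cookie marked Secure while the csrf list still says http.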
