ERROR (payload): Forbidden: You are not allowed to perform this action.

eduhdev12

2 months ago

3 3

Bug Report

Hi, I deployed my payload-cms to docker on a vps, but after the first user registration I don't have access to anything. Everything works fine, no other errors in the container logs, but I can't create any new data in the collection due to "ERROR (payload): Forbidden: You are not allowed to perform this action".
This only happens in a production environment, but running yarn serve on a local machine doesn't present any problems.

Steps to Reproduce

Account registration process
Creation of a new category attempt

Other Details

Payload version: 1.5.9

Selected Answer
eduhdev12
last month
Hello, in my case someone helped me and changed the csrf that must follow the prefix connection type if it's http or https and now seems to work flawlessly!
jmikrut
Payload Team
2 months ago
Hey @eduhdev12 — this is probably related to one of two things:
1. your cookie config. You should open your inspector, look at the Network tab, and inspect the auth cookie that is being set. Make sure it doesn't get blocked for any reason. It could be that you have some cookie settings that are conflicting with your live instance.
2. CSRF. Take a look at this link: https://payloadcms.com/docs/authentication/overview#csrf-protection - you may need to whitelist your production domain within your csrf settings to allow the cookie to be read while on your production domain.
I'll convert this to a discussion to keep conversation going as this is not a problem with Payload itself, but I'm more than happy to help!
4 replies
eduhdev12
2 months ago
Thank you for these details, but sadly the csrf setting didn't fix the issue and I can confirm that cookie header is present in request!
```
cookie: payload-token=jwt
```
The decoded jwt payload is good, but still no new results!
I really want to fix this issue, it's very important
jmikrut
Payload Team
2 months ago
Are there any yellow "alert" symbols on the cookie? what browser are you using?

You should compare the Payload demo network panel cookies / requests to that of your prod instance.

See my inspector here after logging into the demo:

eduhdev12
2 months ago

The /api/access request has no issues, the problem is when I try to create a new item in any collection even that create access is () => true
eduhdev12
2 months ago
This is the whole console log if it helps
```
[16:28:49] ERROR (payload): Forbidden: You are not allowed to perform this action.
    at new ExtendableError (/usr/src/app/node_modules/payload/dist/errors/APIError.js:22:15)
    at new APIError (/usr/src/app/node_modules/payload/dist/errors/APIError.js:38:9)
    at new Forbidden (/usr/src/app/node_modules/payload/dist/errors/Forbidden.js:10:9)
    at executeAccess (/usr/src/app/node_modules/payload/dist/auth/executeAccess.js:9:23)
    at processTicksAndRejections (internal/process/task_queues.js:95:5)
    at async create (/usr/src/app/node_modules/payload/dist/collections/operations/create.js:37:9)
    at async createHandler (/usr/src/app/node_modules/payload/dist/collections/requestHandlers/create.js:12:21)
```
Barbacoa08
2 months ago
This sounds like the same issue that I'm running into (link to my discussion).

Related, the deployment docs is 404.
10 replies
eduhdev12
2 months ago
Have you managed to fix it?
Barbacoa08
2 months ago
Nope 😞. Still poking around trying to get it working. I can use () => true to be able to make updates. So for now I'm just setting everything to () => true while I make updates, than immediately reseting it back to isAdmin/ect once I'm done making edits. Or just editing locally, as I'm also only seeing this happen in the prod environment, localhost works as expected.
eduhdev12
2 months ago
For me () => true is not working at all in production, just on local env
Barbacoa08
2 months ago
Your payload.config.ts has this line in it yes?
serverURL: process.env.PAYLOAD_PUBLIC_BASE_DNS

And your PAYLOAD_PUBLIC_BASE_DNS includes your UN+PW yes? MongoDB Atlas will look like this:
mongodb+srv://{username}&{password}@{dbname}.ntzanfx.mongodb.net/?retryWrites=true&w=majority

BTW, the only tutorial I could find about hosting PayloadCMS was at Northflank. I'm running into a similar issue that you are, but I was able to get a bit further. And, it's free for something as simple as a POC.
eduhdev12
2 months ago
I am trying to see if the serverURL is the issue, but I am sure that mongodb is working because I tried to change something manually in database and it's reading the date, the problem is writing new data

Do you include in the serverURL the http/https method?
Barbacoa08
2 months ago
https
eduhdev12
2 months ago
I made a little progress, now () => true works good, but any access guard or checking if user is undefined is not working at all, doing requests from the cms and I get the user as undefined all the time
Barbacoa08
2 months ago
Are you using a docker container? It sounds like you're in basically the same situation that I am now, and I'm wondering how close our projects are.

My hosting environment is running a docker container. And I'm wondering if it's the docker container that's causing these auth issues.

Also, do you have any csrf and/or cors settings in your payload.config.ts?
eduhdev12
2 months ago
Yes, I am using a normal docker container and csrf, cors: "*", sometimes it makes a double call to create access and the first one is undefined and the second one contains the user, but the error comes up without any action.
Barbacoa08
2 months ago
Yup, that's what I'm seeing as well. I have my csrf and cors locked to my environment, but otherwise we seem to have the same setup and are seeing the same thing happen.

Open the post

Continue the discussion in GitHub

Can't find what you're looking for?
Get help straight from the Payload team with an Enterprise License.Learn More