
GraphQL access control is denying access to a `relationTo` upload collection

flovan
last year

Access control is denying a logged-in user read access to an upload collection and I'm not sure why. I can read from the upload collection just fine when I access it directly:

```graphql
query {
  CloudinaryImages {
    docs {
      altText
    }
  }
}
```

But not when it is being referenced from a nested field:

```graphql
query {
  allWork {
    docs {
      thumbnail { # Will be `null` and say "You are not allowed to perform this action."
        altText
      }
    }
  }
}
```

My CloudinaryImage collection looks like this:

```ts
const CloudinaryImage: CollectionConfig = {
  slug: 'cloudinary-image',
  admin: {
    disableDuplicate: true,
    useAsTitle: 'altText',
  },
  upload: {
    disableLocalStorage: true,
    adminThumbnail: ({doc}) => String(doc.cloudinaryURL),
  },
  fields: [
    {
      name: 'altText',
      label: 'Alt Text',
      type: 'text',
      required: true,
    },
    {
      name: 'cloudPublicId',
      type: 'text',
      admin: {
        position: 'sidebar',
        condition: ({cloudPublicId}) => !isNullOrEmpty(cloudPublicId),
        readOnly: true,
      },
    },
    {
      name: 'cloudinaryURL',
      type: 'text',
      admin: {
        position: 'sidebar',
        readOnly: true,
        condition: ({cloudinaryURL}) => !isNullOrEmpty(cloudinaryURL),
      },
    },
  ],
}
```

and the (partial) Work collection looks like this:

```ts
const Work: CollectionConfig = {
  slug: 'work',
  labels: {
    singular: 'Work',
    plural: 'Work',
  },
  admin: {
    description: 'Client projects',
  },
  fields: [
    // [...]
    {
      name: 'thumbnail',
      label: 'Thumbnail',
      type: 'upload',
      relationTo: 'cloudinary-image',
      required: true,
    },
    // [...]
  ],
}
```

I did at one point add `useAPIKey` to the Work collection and created an API key, but then decided I'd prefer to have a separate user for my client to use, and have since removed that flag again.

If I add `access: { read: () => true }` to the CloudinaryImage collection, all fields do come through.

I'm usually pretty good at figuring stuff out, but this one has got me stumped 😅

  • jmikrut
    Payload Team
    12 months ago

    Hey @flovan — great find.

    This was a bug! No wonder it stumped you! Great detective work though and thanks for the thorough writeup.

    Just deployed a beta of Payload including a fix 👍

    payload@0.14.28-beta.0
    

    Give it a shot!

  • flovan
    12 months ago

    This release does indeed fix my issue! Thanks for the very quick fix 🤩
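
A check for the `read: () => true` workaround being left in place after upgrading, as an added example that is not part of the thread or of Payload's code: that setting lets unauthenticated requests read the whole collection, so this audit evaluates each collection's `read` function as an anonymous request and lists the ones that allow it. The types are simplified stand-ins for Payload's, access functions are assumed synchronous, a collection with no `read` function is assumed to be logged-in only, and the `users` and `pages` entries are constructed samples.

```typescript
// Simplified stand-ins for Payload's access-control types (assumption).
type User = { id: string } | null;
type AccessResult = boolean | Record<string, unknown>; // boolean or query constraint
type Access = (args: { req: { user: User } }) => AccessResult;
type CollectionLike = { slug: string; access?: { read?: Access } };
type Verdict = 'allowed' | 'constrained' | 'denied' | 'error';

// Scoped alternative to `read: () => true`: only authenticated requests pass.
const isLoggedIn: Access = ({ req: { user } }) => Boolean(user);

// Evaluate one collection's read access as an anonymous request (user: null).
// A collection with no read function is assumed to be logged-in only.
function anonymousReadVerdict(collection: CollectionLike): Verdict {
  const read = collection.access?.read ?? isLoggedIn;
  try {
    const result = read({ req: { user: null } });
    if (result === true) return 'allowed';
    if (result === false) return 'denied';
    return 'constrained'; // a query constraint limits which documents match
  } catch {
    return 'error'; // the function did not handle a missing user; review by hand
  }
}

// Slugs of collections any unauthenticated caller can read in full.
function publiclyReadable(collections: CollectionLike[]): string[] {
  return collections
    .filter((c) => anonymousReadVerdict(c) === 'allowed')
    .map((c) => c.slug);
}

// Constructed sample configs; only slug and access matter for the audit.
const sampleCollections: CollectionLike[] = [
  // Leftover workaround from before the fix.
  { slug: 'cloudinary-image', access: { read: () => true } },
  // No access block at all.
  { slug: 'work' },
  // Dereferences the user without a null check, so it throws for anonymous requests.
  { slug: 'users', access: { read: ({ req: { user } }) => ({ id: { equals: user!.id } }) } },
  // Logged-in users see everything, anonymous requests only published documents.
  {
    slug: 'pages',
    access: { read: ({ req: { user } }) => (user ? true : { status: { equals: 'published' } }) },
  },
];
```

Replacing the workaround with `isLoggedIn` on `cloudinary-image` moves it from `allowed` to `denied` for anonymous requests while logged-in users keep read access.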
