DemoCloud PricingDocsFor EnterpriseCommunity HelpBlog
New projectLogin
New projectLogin
Community Help

GraphQL access control is denying access to a `relationTo` upload collection

default discord avatar
flovan
last year
1 1

Access control is denying a logged-in user to read from an upload collection and I'm not sure why.. I can read from the upload collection just fine when I access it directly:

query {
  CloudinaryImages {
    docs {
      altText
    }
  }
}

But not when it is being referenced from a nested field:

query {
  allWork {
    docs {
      thumbnail { # Will be `null` and say "You are not allowed to perform this action." 
        altText
      }
    }
  }
}

My CloudinaryImage collection looks like this:

const CloudinaryImage: CollectionConfig = {
  slug: 'cloudinary-image',
  admin: {
    disableDuplicate: true,
    useAsTitle: 'altText',
  },
  upload: {
    disableLocalStorage: true,
    adminThumbnail: ({doc}) => String(doc.cloudinaryURL),
  },
  fields: [
    {
      name: 'altText',
      label: 'Alt Text',
      type: 'text',
      required: true,
    },
    {
      name: 'cloudPublicId',
      type: 'text',
      admin: {
        position: 'sidebar',
        condition: ({cloudPublicId}) => !isNullOrEmpty(cloudPublicId),
        readOnly: true,
      },
    },
    {
      name: 'cloudinaryURL',
      type: 'text',
      admin: {
        position: 'sidebar',
        readOnly: true,
        condition: ({cloudinaryURL}) => !isNullOrEmpty(cloudinaryURL),
      },
    },
  ],
}

and the (partial) Work collection looks like this:

const Work: CollectionConfig = {
  slug: 'work',
  labels: {
    singular: 'Work',
    plural: 'Work',
  },
  admin: {
    description: 'Client projects',
  },
  fields: [
    [...]
    {
      name: 'thumbnail',
      label: 'Thumbnail',
      type: 'upload',
      relationTo: 'cloudinary-image',
      required: true,
    },
    [...]
  ],
}

I did at one point add useAPIKey to the Work collection and created an API key, but then decided I'd prefer to have a separate user for my client to use, and have since removed that flag again.

If I add access: { read: () => true} to the CloudinaryImage collection, all fields do come through.

I'm usually pretty good at figuring stuff out, but this one has got me stumped 😅

  • discord user avatar
    jmikrut
    Payload Team
    last year

    Hey @flovan — great find.

    This was a bug! No wonder it stumped you! Great detective work though and thanks for the thorough writeup.

    Just deployed a beta of Payload including a fix 👍

    payload@0.14.28-beta.0

    Give it a shot!

    1 reply
  • default discord avatar
    flovan
    last year

    This release does indeed fix my issue! Thanks for the very quick fix 🤩

Open the post
Continue the discussion in GitHub
Like what we're doing?
Star us on GitHub!

Star

Connect with the Payload Community on Discord

Discord

online

Can't find what you're looking for?

Get help straight from the Payload team with an Enterprise License.