Forbidden: You are not allowed to perform this action.
    at new ExtendableError (/app/node_modules/.pnpm/payload@1.2.4_mwhvu7sfp6vq5ryuwb6hlbjfka/node_modules/payload/src/errors/APIError.ts:26:11)
    at new APIError (/app/node_modules/.pnpm/payload@1.2.4_mwhvu7sfp6vq5ryuwb6hlbjfka/node_modules/payload/src/errors/APIError.ts:43:5)
    at new Forbidden (/app/node_modules/.pnpm/payload@1.2.4_mwhvu7sfp6vq5ryuwb6hlbjfka/node_modules/payload/src/errors/Forbidden.ts:7:5)
    at executeAccess (/app/node_modules/.pnpm/payload@1.2.4_mwhvu7sfp6vq5ryuwb6hlbjfka/node_modules/payload/src/auth/executeAccess.ts:9:43)
    at processTicksAndRejections (node:internal/process/task_queues:95:5)
    at /app/node_modules/.pnpm/payload@1.2.4_mwhvu7sfp6vq5ryuwb6hlbjfka/node_modules/payload/src/auth/getExecuteStaticAccess.ts:14:28

All my collections are accessed using the same client and basic Authentication with JWT token.

Below is my Image Collection config:

export const Images: CollectionConfig = {
  slug: 'images',
  admin: {
    useAsTitle: 'filename',
  },
  upload: {
    staticURL: '/media',
    staticDir: 'media',
    adminThumbnail: 'thumbnail',
    mimeTypes: ['image/*'],
  },
  fields: [...
  ],
};

I am also using CloudStorage access for non-local application:

plugins: [
    cloudStorage({
      collections: {
        [Images.slug]: {
          adapter:
            process.env.AWS_ASSET_STORAGE_ENABLED === 'true' ? S3Adapter : null,
        },
      },
    })

Probably something easy, but I cannot locate it. All the other collections are normally retrieved.
What is even more strange is when I login to CMS via UI, images on Frontend start suddenly appearing (?)

Selected Answer
JarrodMFlesch
2 years ago
This makes sense, you should define a read access control on your image collection, like so:
```
access: {
  read: () => true
}
```
Access control defaults to checking if a user exists on the request, which is why they appear when you are logged in.
adam-mrozik2 years ago
Just a note, if anyone encounters it as well:

While this might have been partially an issue as well, my main issue was oauthproxy wall I had on my Frontend and CMS. Weird that it only affected images, but lifting oauth wall from /images path did the trick

Thanks for the answer though!

Open

Continue the discussion in GitHub

Star on GitHub

Star

Chat on Discord

Discord

online

Can't find what you're looking for?

Get dedicated engineering support directly from the Payload team.

See what others are building with Payload.

"Payload has transformed the way our clients manage content. It's an indispensable tool for any modern agency."

Get the resources you need to start building today

Microsoft chose Payload to tell the world about AI.

Images access forbidden

Selected Answer

Continue the discussion in GitHub