I hosted Payload on Northflank, I'm able to access it and created a login but whenever I try to create a new document in Payload and save it I get the following in the logs:
stdout F [10:02:38] ERROR (payload): Forbidden: You are not allowed to perform this action.
stdout F at Layer.handle [as handle_request] (/home/node/node_modules/express/lib/router/layer.js:95:5)
stdout F at Route.dispatch (/home/node/node_modules/express/lib/router/route.js:114:3)
stdout F at next (/home/node/node_modules/express/lib/router/route.js:138:14)
stdout F at next (/home/node/node_modules/express/lib/router/route.js:144:13)
stdout F at Layer.handle [as handle_request] (/home/node/node_modules/express/lib/router/layer.js:95:5)
stdout F at updateHandler (/home/node/node_modules/payload/src/preferences/requestHandlers/update.ts:12:29)
stdout F at update (/home/node/node_modules/payload/src/preferences/operations/update.ts:23:11)
stdout F at new UnauthorizedError (/home/node/node_modules/payload/src/errors/UnathorizedError.ts:6:5)
stdout F at new APIError (/home/node/node_modules/payload/src/errors/APIError.ts:43:5)
stdout F at new ExtendableError (/home/node/node_modules/payload/src/errors/APIError.ts:26:11)
What could be the issue?
If you need any other info, please let me know.
Fixed.
I had put the wrong url in the env variable for serverURL.
For me this usually happens because of two reasons (REST API).
Which tokens would have expired? I've only just set it up.
Are you sending the JWT token with the create/POST request?
I'm not, I haven't seen that in the documentation. I'm only creating/updating in Payload, so isn't auth handled by Payload itself?
This issue is related to your access control. By default, access control requires a user to be logged in, which should be the case if you're saving from the admin.
Here's where I'd start troubleshooting from: /api/<user-collection-slug>/me. This will give us an indication of the current user's access. Then /api/access, to confirm that you have access to create for the specific collection.
Other related questions:
Here is the response from /api/users/me:
{
  "user": {
    "id": "62c4a2f7343b1c2a9e2c334b",
    "email": "email@email.com", // is correct email
    "firstName": "Ahmet",
    "lastName": "Kilinc",
    "createdAt": "2022-07-05T20:45:45.263Z",
    "updatedAt": "2022-07-06T17:01:39.724Z"
  },
  "collection": "users",
  "token": "TOKEN",
  "exp": 1657134099
}
As for /api/access: most are set to true, well the ones I've set in the collection file anyway.
It does work locally.
I'm assuming you mean the access property in the collection:
access: {
  read: () => {
    return true;
  },
}
Just realised, I am not using the local API anymore. Does the create method on access also have to be true?
Added the following to the collection after @denolfe reminded me of the custom access control rules and it is working now!
access: {
  read: () => {
    return true;
  },
  create: () => {
    return true;
  },
  delete: () => {
    return true;
  },
  update: () => {
    return true;
  },
}
Is there a better way to set this up? I know there's access control you can add to the payload.config.js file but I wasn't able to set it up locally.
I'd be very cautious with setting everything true in this way. Setting to true in this way means "anyone authenticated or not has access". By default, payload will use the default access, which requires a user to be logged in. I'd encourage you to use this at a minimum unless you explicitly want anyone to be able to perform the operation.
What was the access control for create set to for the collection you were trying to create a document within when it was not working?
There could also be issues related to CSRF protection. Do you have anything set for the csrf in your payload config?
I had set Read to true as I couldn't get CSRF or CORS to work locally, it was set to:
cors: ["http://localhost", "http://localhost:3000", "http://localhost:3001"],
csrf: ["http://localhost", "http://localhost:3000", "http://localhost:3001"],
and still didn't work, so I had allowed only for Read to be true in each collection.
You'll need to configure these values to include your NorthFlank domains in order to work properly when deployed there. These config values are used to determine cookie auth.
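An added example (not code from the thread or from Payload itself) showing the two configuration points raised above side by side: a collection whose write operations require a logged-in user instead of the blanket `() => true`, and a `cors`/`csrf` list that includes the deployed origin. The `DEPLOYED_ORIGIN` value, the `posts` collection and the sample requests are placeholders I constructed; `canPerform` is my own helper that mimics how Payload evaluates an access function, so the rules can be checked offline.

```javascript
// Placeholder for the real deployed domain (e.g. the NorthFlank URL); replace before use.
const DEPLOYED_ORIGIN = 'https://your-app.example.com';

// Open to anyone, logged in or not: what `() => true` in the thread grants.
const openAccess = () => true;

// Same rule as Payload's default: only an authenticated user (req.user is set).
const authenticatedOnly = ({ req }) => Boolean(req && req.user);

// Constructed collection config; one access function per operation.
const Posts = {
  slug: 'posts',
  access: {
    read: openAccess,           // public read, like the thread's setting
    create: authenticatedOnly,  // writes stay restricted to logged-in users
    update: authenticatedOnly,
    delete: authenticatedOnly,
  },
  fields: [{ name: 'title', type: 'text', required: true }],
};

// Local origins plus the deployed one; cookie auth only works for origins in these lists.
const origins = ['http://localhost:3000', DEPLOYED_ORIGIN];
const payloadConfig = {
  serverURL: DEPLOYED_ORIGIN,
  cors: origins,
  csrf: origins,
  collections: [Posts],
};

// Hypothetical helper: evaluate a collection's access rule for one operation.
// `true` allows; a non-null object (Payload's query-constraint form) also counts as allowed;
// anything else, including a missing rule, is treated as denied.
function canPerform(collection, operation, req) {
  const rule = collection.access[operation];
  if (typeof rule !== 'function') return false;
  const result = rule({ req });
  return result === true || (typeof result === 'object' && result !== null);
}

// Constructed sample requests: anonymous, and an admin-panel session with a user attached.
const anonymousReq = { user: null };
const loggedInReq = { user: { id: 'user-1', email: 'email@email.com', collection: 'users' } };
```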