Keep getting "You are not allowed to perform this action." when trying to save.

ahmetskilinc
last year

I hosted Payload on Northflank. I'm able to access it and have created a login, but whenever I try to create a new document in Payload and save it, I get the following in the logs:

stdout F [10:02:38] ERROR (payload): Forbidden: You are not allowed to perform this action.
stdout F     at Layer.handle [as handle_request] (/home/node/node_modules/express/lib/router/layer.js:95:5)
stdout F     at Route.dispatch (/home/node/node_modules/express/lib/router/route.js:114:3)
stdout F     at next (/home/node/node_modules/express/lib/router/route.js:138:14)
stdout F     at next (/home/node/node_modules/express/lib/router/route.js:144:13)
stdout F     at Layer.handle [as handle_request] (/home/node/node_modules/express/lib/router/layer.js:95:5)
stdout F     at updateHandler (/home/node/node_modules/payload/src/preferences/requestHandlers/update.ts:12:29)
stdout F     at update (/home/node/node_modules/payload/src/preferences/operations/update.ts:23:11)
stdout F     at new UnauthorizedError (/home/node/node_modules/payload/src/errors/UnathorizedError.ts:6:5)
stdout F     at new APIError (/home/node/node_modules/payload/src/errors/APIError.ts:43:5)
stdout F     at new ExtendableError (/home/node/node_modules/payload/src/errors/APIError.ts:26:11)
  • PayloadCMS v0.18.5
  • Northflank
  • MongoDB as add-on in Northflank
  • API Route works but obviously no data
  • Have been able to create account and login

What could be the issue?

If you need any other info, please let me know.

  • ahmetskilinc
    last year

    Fixed.

    I had put the wrong url in the env variable for serverURL.

  • MinSomai
    last year

    For me this usually happens for one of two reasons (REST API).

    • expired tokens, because I've yet to implement auto refresh
    • forgot to include token in the header
    3 replies
    ahmetskilinc
    last year

    Which tokens would have expired? I've only just set it up.

    MinSomai
    last year

    are you sending JWT token with the create/POST request?

    ahmetskilinc
    last year

    I'm not, I haven't seen that in the documentation. I'm only creating/updating in Payload, so isn't auth handled by Payload itself?

  • denolfe
    Payload Team
    last year

    This issue is related to your access control. By default, access control requires a user to be logged in, which should be the case if you're saving from the admin.

    Here's where I'd start troubleshooting from:

    • Can you check what the response is from /api/<user-collection-slug>/me? This will give us an indication of current user access.
    • Next, I'd check /api/access and confirm that you have access to create of the specific collection.

    Other related questions:

    • Does it work locally?
    • Do you have a custom create access control on the collection? If so, can you post it?
    1 reply
    ahmetskilinc
    last year

    Here is the response from /api/users/me:

    {
      "user": {
        "id": "62c4a2f7343b1c2a9e2c334b",
        "email": "email@email.com", // is correct email
        "firstName": "Ahmet",
        "lastName": "Kilinc",
        "createdAt": "2022-07-05T20:45:45.263Z",
        "updatedAt": "2022-07-06T17:01:39.724Z"
      },
      "collection": "users",
      "token": "TOKEN",
      "exp": 1657134099
    }
    

    As for /api/access: most are set to true, well the ones I've set in the collection file anyway.

    It does work locally.

    I'm assuming you mean access property in the collection:

    access: {
      read: () => {
        return true;
      },
    }

    Just realised, I am not using the local API anymore. Does the create method on access also have to be true?

  • ahmetskilinc
    last year

    Added the following to the collection after @denolfe reminded me of the custom access control rules and it is working now!

    access: {
      read: () => {
        return true;
      },
      create: () => {
        return true;
      },
      delete: () => {
        return true;
      },
      update: () => {
        return true;
      },
    }

    Is there a better way to set this up? I know there's access control you can add to the payload.config.js file but I wasn't able to set it up locally.

    3 replies
    denolfe
    Payload Team
    last year

    I'd be very cautious with setting everything true in this way. Setting to true in this way means "anyone authenticated or not has access". By default, payload will use the default access, which requires a user to be logged in. I'd encourage you to use this at a minimum unless you explicitly want anyone to be able to perform the operation.

    What was the access control for create set to for the collection you were trying to create a document within when it was not working?

    There could also be issues related to CSRF protection. Do you have anything set for the csrf in your payload config?
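The distinction denolfe draws above (a rule returning `true` grants the operation to anyone, while Payload's default demands a logged-in user), as an added example that is not code from this thread or from Payload itself. It puts the thread's "anyone" rule beside authenticated and role-based rules, and includes a small evaluator that applies a collection's rules the way `/api/access` reports them. The `roles` array on the user, the `createdBy` field on documents, and the user object shape are assumptions for this example; Payload does document that read/update/delete rules may return a query constraint instead of a boolean.

```javascript
// Added example (not code from the thread or from Payload): Payload-style collection
// access control. Payload calls each rule with { req }; a boolean allows or denies outright,
// and for read/update/delete a returned Where object becomes a query constraint.
// The `roles` and `createdBy` fields and the user shape are assumptions.

// Anyone, authenticated or not: this is what `() => true` in the thread grants.
const anyone = () => true;

// Payload's default when no rule is given: the request must carry a logged-in user.
const authenticated = ({ req: { user } }) => Boolean(user);

// Role check on the user document (assumes a `roles` array field on the users collection).
const adminOnly = ({ req: { user } }) =>
  Boolean(user && Array.isArray(user.roles) && user.roles.includes('admin'));

// Admins get every document, other logged-in users are constrained to documents they
// created, and anonymous requests get nothing.
const ownDocsOrAdmin = ({ req }) => {
  if (!req.user) return false;
  if (adminOnly({ req })) return true;
  return { createdBy: { equals: req.user.id } };
};

// Collection config fragments using the rules above (fields omitted).
const Posts = {
  slug: 'posts',
  access: {
    read: ownDocsOrAdmin,
    create: authenticated,
    update: ownDocsOrAdmin,
    delete: adminOnly,
  },
  fields: [],
};

// Public read only: `read: anyone` says nothing about create, which keeps the default.
const PublicPages = {
  slug: 'pages',
  access: { read: anyone },
  fields: [],
};

// Apply a collection's rule for one operation; a missing rule falls back to
// "logged-in user required", matching Payload's default behaviour.
function evaluate(collection, operation, user) {
  const rule = collection.access && collection.access[operation];
  const req = { user };
  return rule ? rule({ req }) : authenticated({ req });
}

// Constructed sample users for a local check.
const anon = null;
const editor = { id: 'u-editor', roles: ['editor'] };
const admin = { id: 'u-admin', roles: ['admin'] };

console.log(evaluate(Posts, 'create', anon));        // false: the thread's original "Forbidden"
console.log(evaluate(Posts, 'create', editor));      // true
console.log(evaluate(Posts, 'read', editor));        // { createdBy: { equals: 'u-editor' } }
console.log(evaluate(Posts, 'delete', editor));      // false
console.log(evaluate(Posts, 'delete', admin));       // true
console.log(evaluate(PublicPages, 'read', anon));    // true
console.log(evaluate(PublicPages, 'create', anon));  // false: read: anyone does not open create
```

The last two lines answer the question asked earlier in the thread: setting `read` to `true` has no effect on `create`, which stays at the logged-in default unless a rule is written for it.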

    ahmetskilinc
    last year

    I had set Read to true as I couldn't get CSRF or CORS to work locally; it was set to:

    cors: ["http://localhost", "http://localhost:3000", "http://localhost:3001"],
    csrf: ["http://localhost", "http://localhost:3000", "http://localhost:3001"],

    and still didn't work, so I had allowed only for Read to be true in each collection.

    denolfe
    Payload Team
    last year

    You'll need to configure these values to include your NorthFlank domains in order to work properly when deployed there. These config values are used to determine cookie auth.
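The point denolfe makes here, that the `cors` and `csrf` lists must contain the deployed domain and not only the localhost entries the thread shows, as an added example that is not code from this thread or from Payload. It derives both lists from the deployed `serverURL` plus the dev origins and checks an Origin value the way an exact-match allow-list does. The `serverURL` value is a constructed placeholder, not a real Northflank hostname.

```javascript
// Added example (not from the thread or from Payload): building the `cors` and `csrf`
// allow-lists for a Payload config from the deployed serverURL, and checking an Origin
// against them. The hostname below is a placeholder, not a value from the thread.

// Reduce any URL to its origin (scheme + host + port), the form an Origin header carries.
function originOf(url) {
  return new URL(url).origin;
}

// De-duplicated allow-list from the deployed serverURL plus optional dev origins.
function allowedOrigins({ serverURL, extra = [] }) {
  return [...new Set([serverURL, ...extra].map(originOf))];
}

// Allow-lists are compared as exact strings: "http://localhost" does not cover
// "http://localhost:3000" (hence the thread listing each port separately), and a
// localhost-only list never matches a request arriving from the deployed domain.
function isAllowedOrigin(origin, list) {
  return list.includes(origin);
}

// Placeholder deployed URL (constructed). In practice read this from the environment so the
// local and deployed builds differ only in configuration, not in code.
const serverURL = 'https://my-app.placeholder-northflank-host.test';
const devOrigins = ['http://localhost', 'http://localhost:3000', 'http://localhost:3001'];

// The two config fields the thread's deployed setup was missing the production domain from.
const corsAndCsrf = {
  serverURL,
  cors: allowedOrigins({ serverURL, extra: devOrigins }),
  csrf: allowedOrigins({ serverURL, extra: devOrigins }),
};

console.log(corsAndCsrf.csrf);
console.log(isAllowedOrigin(originOf(serverURL), corsAndCsrf.csrf));       // true: deployed domain listed
console.log(isAllowedOrigin(originOf(serverURL), devOrigins));             // false: the thread's localhost-only list
console.log(isAllowedOrigin('http://localhost:3000', ['http://localhost'])); // false: port is part of the origin
```

Deriving both lists from one `serverURL` value is the practical reason the first reply in this thread ("I had put the wrong url in the env variable for serverURL") fixed the original error: with the lists built from it, a wrong `serverURL` means the admin UI's own origin is never in the allow-list.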
