Keep getting "You are not allowed to perform this action." when trying to save.

ahmetskilinc

last year

1 4

I hosted Payload on Northflank, I'm able to access it and created a login but whenever I try to create a new document in Payload and save it I get the following in the logs:

stdout F [10:02:38] ERROR (payload): Forbidden: You are not allowed to perform this action.
stdout F     at Layer.handle [as handle_request] (/home/node/node_modules/express/lib/router/layer.js:95:5)
stdout F     at Route.dispatch (/home/node/node_modules/express/lib/router/route.js:114:3)
stdout F     at next (/home/node/node_modules/express/lib/router/route.js:138:14)
stdout F     at next (/home/node/node_modules/express/lib/router/route.js:144:13)
stdout F     at Layer.handle [as handle_request] (/home/node/node_modules/express/lib/router/layer.js:95:5)
stdout F     at updateHandler (/home/node/node_modules/payload/src/preferences/requestHandlers/update.ts:12:29)
stdout F     at update (/home/node/node_modules/payload/src/preferences/operations/update.ts:23:11)
stdout F     at new UnauthorizedError (/home/node/node_modules/payload/src/errors/UnathorizedError.ts:6:5)
stdout F     at new APIError (/home/node/node_modules/payload/src/errors/APIError.ts:43:5)
stdout F     at new ExtendableError (/home/node/node_modules/payload/src/errors/APIError.ts:26:11)

PayloadCMS v0.18.5
Northflank
MongoDB as add-on in Northflank
API Route works but obviously no data
Have been able to create account and login

What could be the issue?

If you need anything other info, please let me know.

Selected Answer
ahmetskilinc
last year
Fixed.

I had put the wrong url in the env variable for serverURL.
MinSomai
last year
for me this usually happens because of two reasons (Rest API).
- expired tokens, because I've yet to implement auto refresh
- forgot to include token in the header
3 replies
ahmetskilinc
last year
Which tokens would have expired? I've only just set it up.
MinSomai
last year
are you sending JWT token with the create/POST request?
ahmetskilinc
last year
I'm not, I haven't seen that in the documentation. I'm only creating/updating in Payload, so isnt auth handled by Payload itself.
denolfe
Payload Team
last year
This issue is related to your access control. By default, access control requires a user to be logged in, which should be the case if you're saving from the admin.

Here's where I'd start troubleshooting from:
- Can you check what the response is from /api/<user-collection-slug>/me. This will give us an indication of current user access.
- Next, I'd check /api/access and confirm that you have access to create of the specific collection.
Other related questions:
- Does it work locally?
- Do you have a custom create access control on the collection? If so, can you post it?
1 reply
ahmetskilinc
last year
Here is the response from /api/users/me:
```
{
  "user": {
    "id": "62c4a2f7343b1c2a9e2c334b",
    "email": "email@email.com", // is correct email
    "firstName": "Ahmet",
    "lastName": "Kilinc",
    "createdAt": "2022-07-05T20:45:45.263Z",
    "updatedAt": "2022-07-06T17:01:39.724Z"
  },
  "collection": "users",
  "token": "TOKEN",
  "exp": 1657134099
}
```
As for /api/access: most are set to true, well the ones I've set in the collection file anyway.

It does work locally.

I'm assuming you mean access property in the collection:
```
access: {
	read: () => {
		return true;
	},
}
```
Just realised, I am not using the local API anymore. Does the create method on access have to also be true too?
ahmetskilinc
last year
Added the following to the collection after @denolfe reminded me of the custom access control rules and it is working now!
```
access: {
	read: () => {
		return true;
	},
	create: () => {
		return true;
	},
	delete: () => {
		return true;
	},
	update: () => {
		return true;
	},
}
```
Is there a better way to set this up? I know theres access control you can add to the payload.config.js file but I wasnt able to set it up locally.
3 replies
denolfe
Payload Team
last year
I'd be very cautious with setting everything true in this way. Setting to true in this way means "anyone authenticated or not has access". By default, payload will use the default access, which requires a user to be logged in. I'd encourage you to use this at a minimum unless you explicitly want anyone to be able to perform the operation.

What was the access control for create set to for the collection you were trying to create a document within when it was not working?

There could also be issues related to CSRF protection. Do you have anything set for the csrf in your payload config?
ahmetskilinc
last year
I had set Read to true as I couldnt get CSRF or CORS to work locally, it was set to:
```
	cors: ["http://localhost", "http://localhost:3000", "http://localhost:3001"],
	csrf: ["http://localhost", "http://localhost:3000", "http://localhost:3001"],
```
and still didn't work, so I had allowed only for Read to be true in each collection.
denolfe
Payload Team
last year
You'll need to configure these values to include your NorthFlank domains in order to work properly when deployed there. These config values are used to determine cookie auth.

Open the post

Continue the discussion in GitHub

Like what we're doing?
Star us on GitHub!

Star

Connect with the Payload Community on Discord

Discord

online

Can't find what you're looking for?

Get help straight from the Payload team with an Enterprise License.