rich-text upload-element: impossible to restrict access to media collection

unonweb
8 months ago

Hi,

I'm using multiple upload-enabled media collections (one for every user).
Within a user's media collection I've stated in the code that only this specific user has access to it.
Everything works fine in this multi-user setup except for one thing:

When trying to reference the user's media collection from the richText field (upload element) Payload goes through ALL upload-enabled collections trying to access them. Of course my current user is not allowed to access the media collections of all other users. So my readAccess function denies access (as it does when trying to read any collection of another user).
But here an error is thrown:
"Forbidden: You are not allowed to perform this action."
And the popup from the richText's upload element remains empty.

I don't know if this is a bug or if my multi-user setup is totally wrong.

  • unonweb
    8 months ago

    Alright, in the meantime I've realized that I'm NOT supposed to separate user data on a collection level but on a doc level.
    This is because you can only return query constraints (by access functions) on a doc level.

    For the sake of completeness I document here what I did wrong:

    I had a 'pages', 'media', etc. collection for every user.
    Within the collections I hard coded the access restrictions.

    // my access function
    // (two defects fixed here: the caller passed a plain string as allowedUsers,
    // which turned includes() into a substring check, and the catch block
    // returned undefined instead of denying)
    function allowSpecificUsers({ req }, allowedUsers = []) {
    	try {
    		//...
    		if (allowedUsers.includes(req?.user?.name)) {
    			return true
    		} else {
    			console.log(`[access] requesting collection "${req?.collection?.config?.slug}" user NOT allowed: "${req?.user?.name}"`)
    			return false
    		}
    	} catch (err) {
    		console.error(err)
    		return false // deny on unexpected errors rather than returning undefined
    	}
    }
    // within the collection config (Donald Duck's collection; slug is a placeholder)
    const DonaldDuckMedia = {
    	slug: 'donald-duck-media',
    	upload: true,
    	access: {
    		read: ({ req }) => allowSpecificUsers({ req }, ['Donald Duck']),
    	},
    }

    This kind of setup worked fine until I encountered the error that I described above.
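The doc-level alternative the reply above settles on, shown as an added example (this is neither code from the thread nor Payload's own code): one shared upload-enabled collection whose documents carry an `owner` relationship, and a read access function that returns a query constraint for normal users instead of a hard-coded boolean. Field names (`owner`, `roles`), the `users` slug, the admin role and the sample documents are assumptions; `simulateFind` is a small stand-in for how Payload applies an access result to a `find()` and only understands `{ field: { equals: value } }`, so it is not Payload's query engine.

```javascript
// Added example, not from the thread or from Payload. Demonstrates the
// doc-level access pattern: a single `media` collection, each doc tagged
// with its `owner`, and a read access function that returns a Where
// constraint. Payload merges such a constraint into every find(), so a
// user browsing the collection from the rich-text upload element only sees
// their own docs and never triggers a Forbidden error.

// Access function in Payload's shape: ({ req }) => boolean | Where
const readOwnMedia = ({ req }) => {
  const user = req?.user;
  if (!user) return false;                          // anonymous: deny outright
  if (user.roles?.includes('admin')) return true;   // assumed `roles` field
  return { owner: { equals: user.id } };            // everyone else: constrained, not forbidden
};

// Collection config fragment (field and slug names are assumptions)
const Media = {
  slug: 'media',
  upload: true,
  access: { read: readOwnMedia },
  fields: [
    { name: 'owner', type: 'relationship', relationTo: 'users', required: true },
  ],
};

// Stand-in for how Payload applies an access result to a find():
// true -> all docs, false -> Forbidden, a Where object -> filtered docs.
// Only `{ field: { equals: value } }` is handled; not Payload's query engine.
function simulateFind(docs, accessResult) {
  if (accessResult === true) return docs;
  if (accessResult === false) {
    throw new Error('Forbidden: You are not allowed to perform this action.');
  }
  return docs.filter((doc) =>
    Object.entries(accessResult).every(([field, cond]) => doc[field] === cond.equals)
  );
}

// Constructed sample documents (not real data)
const sampleDocs = [
  { id: 'm1', filename: 'duck.png', owner: 'u-donald' },
  { id: 'm2', filename: 'mouse.png', owner: 'u-mickey' },
  { id: 'm3', filename: 'pond.jpg', owner: 'u-donald' },
];

// What a given user would get back from a find() on `media`
function visibleTo(user) {
  return simulateFind(sampleDocs, Media.access.read({ req: { user } }));
}

console.log('donald sees:', visibleTo({ id: 'u-donald' }).map((d) => d.id));
console.log('mickey sees:', visibleTo({ id: 'u-mickey' }).map((d) => d.id));
console.log('admin sees:', visibleTo({ id: 'u-root', roles: ['admin'] }).length, 'docs');
```

Because the constraint is applied per document rather than per collection, the upload element's scan of every upload-enabled collection simply returns a filtered list for each user instead of failing on the first collection they do not own.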

  • unonweb
    8 months ago

    The full error thrown is:

    [08:21:02] ERROR (payload): Forbidden: You are not allowed to perform this action.
        at new ExtendableError (/home/frida/code/web/payloadcms/unonweb/node_modules/payload/dist/errors/APIError.js:22:15)
        at new APIError (/home/frida/code/web/payloadcms/unonweb/node_modules/payload/dist/errors/APIError.js:38:9)
        at new Forbidden (/home/frida/code/web/payloadcms/unonweb/node_modules/payload/dist/errors/Forbidden.js:10:9)
        at executeAccess (/home/frida/code/web/payloadcms/unonweb/node_modules/payload/dist/auth/executeAccess.js:9:23)
        at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
        at async find (/home/frida/code/web/payloadcms/unonweb/node_modules/payload/dist/collections/operations/find.js:53:24)
        at async findHandler (/home/frida/code/web/payloadcms/unonweb/node_modules/payload/dist/collections/requestHandlers/find.js:19:24
    

    In my opinion there should be no error, so we can have a multi-user setup with multiple media collections which are only accessible by the current user.

    Alternatively there could be a property like relation-to for the rich-text field so we can specify which media collections to browse.
