Field-level Access Control

Field Access Control is specified with functions inside a field's config. All field-level Controls return a boolean value to allow or deny access for the specified operation. No field-level Access Controls support returning query constraints. All Access Control functions accept one args argument.

Available Controls

| Function | Purpose |
| --- | --- |
| create | Allows or denies the ability to set a field's value when creating a new document |
| read | Allows or denies the ability to read a field's value |
| update | Allows or denies the ability to update a field's value |

Example Collection config:

export default {
  slug: 'posts',
  fields: [
    {
      name: 'title',
      type: 'text',
      // Each function receives one args object and returns true (allow) or false (deny)
      access: {
        create: ({ req: { user } }) => { ... },
        read: ({ req: { user } }) => { ... },
        update: ({ req: { user } }) => { ... },
      },
    },
  ],
}

Create

Returns a boolean which allows or denies the ability to set a field's value when creating a new document. If false is returned, any passed values will be discarded.

Available argument properties:

| Option | Description |
| --- | --- |
| req | The Express request object containing the currently authenticated user |
| data | The full data passed to create the document. |
| siblingData | Immediately adjacent field data passed to create the document. |

Read

Returns a boolean which allows or denies the ability to read a field's value. If false, the entire property is omitted from the resulting document.

Available argument properties:

| Option | Description |
| --- | --- |
| req | The Express request object containing the currently authenticated user |
| id | id of the document being read |
| data | The full data of the document being read. |
| siblingData | Immediately adjacent field data of the document being read. |

Update

Returns a boolean which allows or denies the ability to update a field's value. If false is returned, any passed values will be discarded.

Available argument properties:

| Option | Description |
| --- | --- |
| req | The Express request object containing the currently authenticated user |
| id | id of the document being updated |
| data | The full data passed to update the document. |
| siblingData | Immediately adjacent field data passed to update the document with. |
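
The create, read and update controls described above, applied to one field list, as an added example that is not taken from the Payload documentation. Field names, roles and sample users are assumptions, and applyFieldAccess is a hypothetical helper that models the documented outcome (denied values discarded, denied properties omitted) rather than Payload's own code.

```javascript
// Added example; role names, field names and sample users are assumptions.
const isAdmin = ({ req: { user } }) => Boolean(user && user.role === 'admin');

const fields = [
  { name: 'title', type: 'text' }, // no access config: every operation allowed
  {
    name: 'author',
    type: 'text',
    access: {
      create: ({ req: { user } }) => Boolean(user), // any logged-in user
      update: isAdmin, // immutable after creation except for admins
    },
  },
  {
    name: 'internalNotes',
    type: 'textarea',
    access: {
      create: isAdmin,
      // user is absent on unauthenticated requests, so guard before using it
      read: ({ req: { user }, data }) =>
        Boolean(user) && (user.role === 'admin' || data.author === user.id),
      update: isAdmin,
    },
  },
];

// Simplified model of the documented outcome, not Payload's implementation:
// false drops the passed value on create/update and omits the property on read.
// Anything other than true is treated as a denial here.
function applyFieldAccess(operation, fieldConfigs, { req, id, data }) {
  const result = {};
  for (const field of fieldConfigs) {
    if (!(field.name in data)) continue;
    const check = field.access && field.access[operation];
    // For top-level fields the sibling data is the document data itself.
    const allowed = check ? check({ req, id, data, siblingData: data }) : true;
    if (allowed === true) result[field.name] = data[field.name];
  }
  return result;
}

// Constructed sample requests and document.
const editor = { user: { id: 'u1', role: 'editor' } };
const anonymous = { user: null };
const stored = { title: 'Hello', author: 'u1', internalNotes: 'draft' };

console.log(applyFieldAccess('read', fields, { req: anonymous, id: '1', data: stored }));
console.log(applyFieldAccess('update', fields, { req: editor, id: '1', data: { title: 'New', author: 'u2' } }));
```

Because field-level controls return only booleans, restricting which documents a user can see at all has to be handled outside these functions.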