Field-level Access Control

Field Access Control is specified with functions inside a field's config. All field-level Controls return a boolean value to allow or deny access for the specified operation. No field-level Access Controls support returning query constraints. All Access Control functions accept one args argument.

Available Controls

Function | Purpose
create | Allows or denies the ability to set a field's value when creating a new document
read | Allows or denies the ability to read a field's value
update | Allows or denies the ability to update a field's value

Example Collection config:

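export default {
  slug: 'posts',
  fields: [
    {
      name: 'title',
      label: 'Title',
      type: 'text',
      access: {
        // Each function receives a single args object and must return a boolean
        create: ({ req: { user } }) => { /* return true or false */ },
        read: ({ req: { user } }) => { /* return true or false */ },
        update: ({ req: { user } }) => { /* return true or false */ },
      },
    },
  ],
}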

Create

Returns a boolean which allows or denies the ability to set a field's value when creating a new document. If false is returned, any passed values will be discarded.

Available argument properties:

Option | Description
req | The Express request object containing the currently authenticated user

Read

Returns a boolean which allows or denies the ability to read a field's value. If false, the entire property is omitted from the resulting document.

Available argument properties:

Option | Description
req | The Express request object containing the currently authenticated user
id | id of the document being read

Update

Returns a boolean which allows or denies the ability to update a field's value. If false is returned, any passed values will be discarded.

Available argument properties:

Option | Description
req | The Express request object containing the currently authenticated user
id | id of the document being updated
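
The following is an added example, not code from the original page or from the project: a collection config with field-level access functions, plus a small model of the behaviour described above (discard on create/update, omit on read) run against constructed requests. The `role` property on the user, the `internalNotes` and `status` fields, and the `applyFieldAccess` helper are assumptions made for illustration.

```javascript
// Hypothetical user shape: { id, role }. Guard against a missing user so an
// unauthenticated request is denied instead of throwing.
const isAdmin = ({ req: { user } }) => Boolean(user && user.role === 'admin');
const isLoggedIn = ({ req: { user } }) => Boolean(user);

const Posts = {
  slug: 'posts',
  fields: [
    { name: 'title', type: 'text' }, // no field-level access functions
    {
      name: 'internalNotes', // hypothetical field
      type: 'textarea',
      access: { create: isAdmin, read: isAdmin, update: isAdmin },
    },
    {
      name: 'status', // hypothetical field
      type: 'text',
      access: { read: isLoggedIn, update: isAdmin },
    },
  ],
};

// Simplified model of the documented behaviour, not the project's implementation:
// a false result discards the submitted value (create/update) or omits the
// property (read). Assumption: a field with no function for the operation passes.
function applyFieldAccess(config, operation, data, req, id) {
  const result = {};
  for (const field of config.fields) {
    if (!(field.name in data)) continue;
    const check = field.access && field.access[operation];
    // In this model only a strict `true` grants access, so a forgotten return denies.
    const allowed = check ? check({ req, id }) === true : true;
    if (allowed) result[field.name] = data[field.name];
  }
  return result;
}

// Constructed sample requests and document.
const anonymous = { user: undefined };
const editor = { user: { id: 'u1', role: 'editor' } };
const admin = { user: { id: 'u2', role: 'admin' } };
const doc = { title: 'Hello', internalNotes: 'legal review pending', status: 'draft' };

const readByAnonymous = applyFieldAccess(Posts, 'read', doc, anonymous, 'p1');
const readByEditor = applyFieldAccess(Posts, 'read', doc, editor, 'p1');
const updateByEditor = applyFieldAccess(Posts, 'update', { title: 'Hi', status: 'published' }, editor, 'p1');
const createByAdmin = applyFieldAccess(Posts, 'create', doc, admin);
```

Because field-level functions cannot return query constraints, restricting which documents a user sees has to be handled outside field-level access control; these functions only decide whether a single field is set, returned, or changed.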