`boolean` or a query constraint to restrict which documents users can interact with.
Example use cases:

- read access to all `Posts` where a `status` field is equal to
- `Users` with a `role` field equal to `admin` the ability to delete
- `ContactSubmissions`, but only logged in users to
- `User` to only be able to see their own `Order`(s), but no others
- `Users` that belong to a certain `Organization` to access only that
By default, all Collections and Globals require that a user is logged in to be able to interact in any way. The default Access Control function evaluates the `user` from the Express `req` and returns `true` if a user is logged in, and `false` if not.
Default Access function:
You can manage access within Payload on three different levels:
When you perform Payload operations like `delete`, your access control functions will be executed before any changes or operations are completed.
The Payload Admin UI responds dynamically to the access control that you define. For example, if you restrict editing an `ExampleCollection` to only users that feature a `admin`, the Payload Admin UI will hide the `ExampleCollection` from the Admin UI entirely. This is super powerful and allows you to control who can do what with your Admin UI.
To accomplish this, Payload ships with an `Access` operation, which is executed when a user logs into the Admin UI. Payload will execute each one of your access control functions, across all collections, globals, and fields, at the top level and return a response that contains a reflection of what the currently authenticated user can do with your application.
If you use `data` within your access control functions, make sure to check that they are defined first. If they are not, then you can assume that your access control is being executed via the `access` operation, to determine solely what the user can do within the Admin UI.
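The following is an added example, not Payload's own code, covering both the default logged-in check described above and the guard for access functions that read `id` or `data` when the `access` operation calls them. It writes access functions in the argument shape Payload passes (`{ req: { user }, id, data }`) and adds a small offline harness that applies their `true` / `false` / query-constraint result to an in-memory list. The `role`, `owner` and `locked` field names, the `applyAccess` and `matchesWhere` helpers, and the sample documents are assumptions made for this example.

```javascript
// Added example (not Payload's own code). Field names `role`, `owner`, `locked`
// and the sample data below are constructed for illustration.

// Mirrors the default behaviour: allow only when a user is attached to the
// request, deny otherwise.
function loggedInOnly({ req: { user } }) {
  return Boolean(user);
}

// Boolean access gated on an assumed `role` field.
function adminOnly({ req: { user } }) {
  return Boolean(user && user.role === 'admin');
}

// Query-constraint access: admins see every document, other logged-in users
// only documents whose assumed `owner` field equals their own id, and
// anonymous users see nothing.
function ownDocumentsOnly({ req: { user } }) {
  if (!user) return false;
  if (user.role === 'admin') return true;
  return { owner: { equals: user.id } };
}

// Update access that inspects the incoming `data`. When the Admin UI's access
// operation calls it, `id` and `data` are undefined, so that case is handled
// explicitly instead of dereferencing `data` unguarded.
function updateUnlessLocked({ req: { user }, id, data }) {
  if (!user) return false;
  if (id === undefined && data === undefined) {
    // Permission probe from the Admin UI: report the capability in general.
    return true;
  }
  return data?.locked !== true;
}

// Minimal evaluator for the `{ field: { equals: value } }` constraint form so
// the example runs without Payload (assumed helper; Payload supports far more
// operators than `equals`).
function matchesWhere(doc, where) {
  return Object.entries(where).every(
    ([field, cond]) =>
      Object.prototype.hasOwnProperty.call(cond, 'equals') &&
      doc[field] === cond.equals,
  );
}

// Applies an access function the way a read would (assumed helper): `true`
// passes every document, `false` none, and a constraint filters the set.
function applyAccess(accessFn, req, docs) {
  const result = accessFn({ req });
  if (result === true) return docs;
  if (result === false) return [];
  return docs.filter((doc) => matchesWhere(doc, result));
}

// Constructed sample data and requests.
const orders = [
  { id: 'order-1', owner: 'user-1' },
  { id: 'order-2', owner: 'user-2' },
  { id: 'order-3', owner: 'user-1' },
];
const anonymous = { user: undefined };
const customer = { user: { id: 'user-1', role: 'customer' } };
const admin = { user: { id: 'user-9', role: 'admin' } };

// Returns which order ids each kind of request can read.
function demo() {
  const ids = (docs) => docs.map((o) => o.id);
  return {
    anonymousOrders: ids(applyAccess(ownDocumentsOnly, anonymous, orders)),
    customerOrders: ids(applyAccess(ownDocumentsOnly, customer, orders)),
    adminOrders: ids(applyAccess(ownDocumentsOnly, admin, orders)),
  };
}

console.log(demo());
```

Returning a constraint rather than filtering after the fact keeps the restriction inside the query Payload runs, so a user never receives documents the function did not authorize; the `id`/`data` guard in `updateUnlessLocked` is what stops the Admin UI's permission probe from throwing on `data.locked`.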