Simplify your stack and build anything. Or everything.

Schedule a Demo

USE CASES

Headless CMS Enterprise App Builder Headless E-Commerce Digital Asset Management

FEATURES

Multi-Tenancy White Label Localization Access Control Auth

CASE STUDIES

See what others are building with Payload.

Browse Case Studies

Build tomorrow’s web with a modern solution you truly own.

PAYLOAD IS FOR

Developers Marketing teams Enterprise companies Agencies & Consultancies

COMPARE PAYLOAD

Payload vs WordPress Payload vs Contentful Payload vs Sanity Payload vs Strapi Payload vs Directus

AGENCY TESTIMONIAL

"Payload has transformed the way our clients manage content. It's an indispensable tool for any modern agency."

Become a Partner Find a Partner

Code-based nature means you can build on top of it to power anything.

Resources

Documentation Examples Templates GitHub Releases Blog

Community

Roadmap Discord Community Help

Payload Cloud

Deploy your entire stack in one place with Payload Cloud.

It’s time to take back your content infrastructure.

Schedule a Demo

Enterprise Features

SSO AI Auto-Embedding Publishing Workflows Visual Editor Static A/B testing AI features

Customer Stories

Microsoft ASICS Blue Origin Hello Bello Tekton

Featured Customer Story

Microsoft chose Payload to tell the world about AI.

Read the case study Browse all

Login Get Started

Respecting Access Control with Local API Operations

In Payload, local API operations override access control by default. This means that operations will run without checking if the current user has permission to perform the action. This is useful in certain scenarios where access control is not necessary, but it is important to be aware of when to enforce it for security reasons.

Default Behavior: Access Control Skipped

By default, local API operations skip access control. This allows operations to execute without the system checking if the current user has appropriate permissions. This might be helpful in admin or server-side scripts where the user context is not required to perform the operation.

For example:

1// Access control is this operation would be skipped by default
2const test = await payload.create({
3  collection: 'users',
4  data: {
5    email: 'test@test.com',
6    password: 'test',
7  },
8})

Respecting Access Control

If you want to respect access control and ensure that the operation is performed only if the user has appropriate permissions, you need to explicitly pass the user object and set the overrideAccess option to false.

overrideAccess: false: This ensures that access control is not skipped and the operation respects the current user's permissions.
user: Pass the authenticated user context to the operation. This ensures the system checks whether the user has the right permissions to perform the action.

1const authedCreate = await payload.create({
collection: 'users',
overrideAccess: false, // This ensures access control will be applied
user, // Pass the authenticated user to check permissions
data: {
  email: 'test@test.com',
  password: 'test',
},
9})

This example will only allow the document to be created if the user we passed has the appropriate access control permissions.

REST API