# Collection Access Control

You can define Collection-level Access Control within each Collection's `access` property. Every Access Control function accepts a single `args` argument, an object whose properties (`req`, and depending on the operation `id` and `data`) are listed under each control below.
## Available Controls

| Function | Allows/Denies Access |
|---|---|
| `create` | Used in the `create` operation |
| `read` | Used in the `find` and `findByID` operations |
| `update` | Used in the `update` operation |
| `delete` | Used in the `delete` operation |
## Auth-enabled Controls

If a Collection supports Authentication, the following Access Controls become available:

| Function | Allows/Denies Access |
|---|---|
| `admin` | Used to restrict access to the Payload Admin panel |
| `unlock` | Used to restrict which users can access the `unlock` operation |
Example Collection config:
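The following is an added example, not the snippet from the original docs or Payload's own code: an auth-enabled `users` Collection whose `access` property defines all six controls listed above, each as a function taking the single `args` object. The `User`, `PayloadRequest`, `AccessArgs` and `CollectionConfig` types are local stand-ins that mirror the argument shape this page documents; they are assumptions for the illustration rather than imports from `payload`, as are the `roles` field and the `admin`/`editor` role names. The `can()` helper exists only so the policy can be exercised without a running Payload instance.

```typescript
// Added example (not from the Payload docs). Local stand-in types are an
// assumption that mirrors the documented argument shape, not Payload imports.
type User = { id: string; roles: string[] };
type PayloadRequest = { user?: User | null };
type AccessArgs = { req: PayloadRequest; id?: string; data?: Record<string, unknown> };
type Access = (args: AccessArgs) => boolean;
type AccessOperation = 'create' | 'read' | 'update' | 'delete' | 'admin' | 'unlock';

type CollectionConfig = {
  slug: string;
  auth?: boolean;
  fields: { name: string; type: string }[];
  access: Record<AccessOperation, Access>;
};

// Role check shared by all controls. An anonymous request has no user and
// therefore no roles, so every role check fails closed.
const hasRole = (user: User | null | undefined, role: string): boolean =>
  Boolean(user && user.roles.includes(role));

const Users: CollectionConfig = {
  slug: 'users',
  auth: true, // auth-enabled, so the `admin` and `unlock` controls apply
  fields: [{ name: 'roles', type: 'select' }], // assumed role field
  access: {
    // Each control receives the single `args` object; `req` is destructured from it.
    create: ({ req }) => hasRole(req.user, 'admin'),
    read: ({ req }) => Boolean(req.user), // any logged-in user; never anonymous
    update: ({ req }) => hasRole(req.user, 'admin'),
    delete: ({ req }) => hasRole(req.user, 'admin'),
    // Editors may open the Admin panel, but only admins may unlock locked accounts.
    admin: ({ req }) => hasRole(req.user, 'admin') || hasRole(req.user, 'editor'),
    unlock: ({ req }) => hasRole(req.user, 'admin'),
  },
};

// Evaluates one control for a given user (null = anonymous), so the policy
// can be checked without running Payload.
function can(op: AccessOperation, user: User | null): boolean {
  return Users.access[op]({ req: { user } });
}
```

Keeping every control explicit, including `read` and `unlock`, makes the policy reviewable in one place: a missing entry is easy to spot, and each function fails closed for anonymous requests because `hasRole` treats a missing user as having no roles.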
## Create

Returns a boolean which allows/denies access to the `create` request.

Available argument properties:

| Option | Description |
|---|---|
| `req` | The Express request object containing the currently authenticated user |
| `data` | The data passed to create the document with |
Example:
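An added example (not from the original docs or Payload's code) of a `create` Access Control that uses both documented arguments, `req` and `data`. The local types, the `roles` field on the user, and the `createdBy` and `status` fields on the document are assumptions for this illustration.

```typescript
// Added example (not from the Payload docs). Types and field names are
// assumptions chosen to show how `req` and `data` are used together.
type User = { id: string; roles: string[] };
type PayloadRequest = { user?: User | null };
type PostData = { title?: string; createdBy?: string; status?: 'draft' | 'published' };
type CreateArgs = { req: PayloadRequest; data?: PostData };

// Admins may create any document. Editors may create documents, but the
// submitted `data` is inspected so they can neither publish directly nor
// record someone else as the owner. Everyone else, including anonymous
// requests, is denied.
function createAccess({ req, data }: CreateArgs): boolean {
  const user = req.user;
  if (!user) return false;
  if (user.roles.includes('admin')) return true;
  if (!user.roles.includes('editor')) return false;

  // An editor who sets `createdBy` must set it to their own ID.
  if (data?.createdBy !== undefined && data.createdBy !== user.id) return false;
  // Editors create drafts only; publishing stays an admin-gated step.
  if (data?.status === 'published') return false;
  return true;
}

// The same function as it would sit in a collection config.
const Posts = {
  slug: 'posts',
  access: { create: createAccess },
};
```

Checking `data` in the access function rejects the request before the document exists, which is the right place for rules about what a role may write on creation; rules about which existing documents a role may touch belong in the `update` and `delete` controls, where a query constraint can express them.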
## Read

Read access functions can return a boolean result or, optionally, a query constraint that limits the documents returned to only those matching the constraint you provide. This is helpful for restricting users to only the documents you specify.

Available argument properties:

| Option | Description |
|---|---|
| `req` | The Express request object containing the currently authenticated user |
| `id` | `id` of the requested document, when called from `findByID` |
Example:
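An added example (not from the original docs or Payload's code) of a `read` Access Control that returns a query constraint rather than a boolean, together with a small in-memory evaluator that shows which documents the constraint lets through. The types, the `status` and `createdBy` fields, the `or`/`equals` constraint shape and the sample documents are all constructed for this illustration.

```typescript
// Added example (not from the Payload docs). Types, field names, the
// constraint shape and the sample documents are constructed assumptions.
type User = { id: string; roles: string[] };
type PayloadRequest = { user?: User | null };
// `id` is present when the request came through findByID; the constraint
// returned below still applies to that single document.
type ReadArgs = { req: PayloadRequest; id?: string };
type Condition = { equals: string };
type Where = { or: Where[] } | Record<string, Condition>;
type Post = { id: string; title: string; status: 'draft' | 'published'; createdBy: string };

function readAccess({ req }: ReadArgs): boolean | Where {
  const user = req.user;
  // Admins see everything.
  if (user?.roles.includes('admin')) return true;
  // Logged-in users see their own documents in any status, plus anything published.
  if (user) {
    return { or: [{ createdBy: { equals: user.id } }, { status: { equals: 'published' } }] };
  }
  // Anonymous requests see published documents only.
  return { status: { equals: 'published' } };
}

// Stand-in for the database filter Payload would build from the returned
// constraint; supports only `equals` and `or`, which is all the policy uses.
function matches(where: Where, doc: Post): boolean {
  const or = (where as { or?: Where[] }).or;
  if (Array.isArray(or)) return or.some((w) => matches(w, doc));
  return Object.entries(where as Record<string, Condition>).every(
    ([field, cond]) => doc[field as keyof Post] === cond.equals,
  );
}

// Applies the read policy the way `find` would: a boolean is all-or-nothing,
// a constraint means "only the matching documents".
function visiblePosts(user: User | null, docs: Post[]): Post[] {
  const result = readAccess({ req: { user } });
  if (result === true) return docs;
  if (result === false) return [];
  return docs.filter((d) => matches(result, d));
}

// Constructed sample documents.
const POSTS: Post[] = [
  { id: 'p1', title: 'Public post', status: 'published', createdBy: 'e1' },
  { id: 'p2', title: 'Editor e1 draft', status: 'draft', createdBy: 'e1' },
  { id: 'p3', title: 'Editor e2 draft', status: 'draft', createdBy: 'e2' },
];
```

Returning a constraint instead of `true` is what keeps unpublished drafts out of an anonymous `find` without a second filtering pass in application code, and the same constraint is applied when a single document is fetched by `id`, so a draft cannot be reached by guessing its identifier.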
## Update

Update access functions can return a boolean result or, optionally, a query constraint to limit the document(s) that can be updated by the currently authenticated user. For example, returning a query from the `update` Access Control is helpful when you would like to restrict a user to updating only the documents whose `createdBy` relationship field equals the user's ID.

Available argument properties:

| Option | Description |
|---|---|
| `req` | The Express request object containing the currently authenticated user |
| `id` | `id` of the document requested to update |
| `data` | The data passed to update the document with |
Example:
## Delete

Like the Update function, returns a boolean or a query constraint to limit which documents can be deleted by which users.

Available argument properties:

| Option | Description |
|---|---|
| `req` | The Express request object with an additional `user` property, which is the currently logged-in user |
| `id` | `id` of the document requested to delete |
Example:
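An added example (not from the original docs or Payload's code) serving both the Update and Delete sections above: the two controls share one ownership rule expressed as a `createdBy` query constraint, and `update` additionally inspects `data` so an editor cannot reassign ownership. The types, the `roles` and `createdBy` fields and the sample users are assumptions for this illustration.

```typescript
// Added example (not from the Payload docs). Types and field names are
// assumptions; the ownership rule is the `createdBy` pattern described above.
type User = { id: string; roles: string[] };
type PayloadRequest = { user?: User | null };
type Condition = { equals: string };
type Where = Record<string, Condition>;
type PostData = { title?: string; createdBy?: string };
type UpdateArgs = { req: PayloadRequest; id?: string; data?: PostData };
type DeleteArgs = { req: PayloadRequest; id?: string };

// Query constraint limiting an operation to documents the user created.
const ownedBy = (user: User): Where => ({ createdBy: { equals: user.id } });

// Admins update anything. Editors are constrained to their own documents and
// may not hand ownership to someone else. Anyone else is denied outright.
function updateAccess({ req, data }: UpdateArgs): boolean | Where {
  const user = req.user;
  if (!user) return false;
  if (user.roles.includes('admin')) return true;
  if (!user.roles.includes('editor')) return false;
  // Reject an update whose payload would transfer ownership.
  if (data?.createdBy !== undefined && data.createdBy !== user.id) return false;
  return ownedBy(user);
}

// The same ownership rule for delete; there is no `data` argument here.
function deleteAccess({ req }: DeleteArgs): boolean | Where {
  const user = req.user;
  if (!user) return false;
  if (user.roles.includes('admin')) return true;
  if (!user.roles.includes('editor')) return false;
  return ownedBy(user);
}

// Both controls as they would sit in a collection config.
const Posts = {
  slug: 'posts',
  access: { update: updateAccess, delete: deleteAccess },
};
```

Note the difference between the two denials: returning `false` rejects the request regardless of which document is named, while returning the `ownedBy` constraint lets the operation proceed only if the document identified by `id` actually matches it. Checking `data.createdBy` in `update` closes the gap where an editor could satisfy the constraint on their own document and then change its owner in the same request.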
## Admin

If the Collection is used to access the Payload Admin panel, the Admin Access Control function determines whether or not the currently logged-in user can access the admin UI.

Available argument properties:

| Option | Description |
|---|---|
| `req` | The Express request object containing the currently authenticated user |
## Unlock

Determines which users can unlock other users who may be blocked from authenticating successfully due to failing too many login attempts.

Available argument properties:

| Option | Description |
|---|---|
| `req` | The Express request object containing the currently authenticated user |