
Unable to manage access control for auth fields when more than one collection has auth enabled. #11569

Open · shiva-hack opened this issue Mar 6, 2025 · 2 comments · May be fixed by #11662

@shiva-hack

Describe the Bug

Scenario

  • Two or more auth collections in a payloadcms instance.
  • Here they are members and users.
  • The admin is hooked to the users collection which has two roles user and admin.
  • The members collection has auth fields as well as some extra fields for the member profile.
```ts
// payload.config.ts
import { buildConfig } from 'payload'
// The config refers to the collections as Members and Users while the two
// collection files export MembersCollection and UsersCollection; aliasing the
// imports reconciles the names.
import { MembersCollection as Members } from './members.collection'
import { UsersCollection as Users } from './users.collection'

export default buildConfig({
  ...
  collections: [Members, Users],
  ...
})
```
```ts
// users.collection.ts
import type { CollectionConfig } from 'payload'

// The collection the admin panel logs in against; `roles` drives the checks below.
export const UsersCollection: CollectionConfig<'users'> = {
  slug: 'users',
  auth: true,
  admin: {
    useAsTitle: 'email',
  },
  fields: [
    {
      name: 'roles',
      label: 'Roles',
      type: 'select',
      options: ['admin', 'user'],
      hasMany: true,
    },
  ],
}
```
```ts
// members.collection.ts
import type { CollectionConfig } from 'payload'

// Second auth collection: auth fields (email, password) plus profile fields.
export const MembersCollection: CollectionConfig<'members'> = {
  slug: 'members',
  auth: true,
  admin: {
    useAsTitle: 'email',
  },
  access: {
    create: ({ req: { user } }) =>
      Boolean(user?.collection === 'users' && user.roles?.includes('admin')),
    update: ({ req: { user } }) => {
      // TODO: there is no way to block the payloadcms user only role from editing the auth fields like email and password.
      return Boolean(user?.collection === 'users')
    },
    // TODO: we need something like this to block the payloadcms user only role from updating the auth fields like email and password.
    // auth: ({ req: { user } }) =>
    //   Boolean(user?.collection === 'users' && user.roles?.includes('admin')),
  },
  fields: [
    {
      name: 'name',
      label: 'Name',
      type: 'text',
      required: true,
    },
  ],
}
```

Expected Behavior

  • The user role from the users collection should not see the auth fields for the member.
  • The admin role from the users collection should see and be able to update the auth fields for the member.

Current Behavior

  • There is no field level / auth group level access control specifically for the CRUD actions on the auth fields.

I have added TODO notes in the members collection.

Link to the code that reproduces this issue

https://github.com/shiva-hack/payload/tree/fix/auth-fields-access

Reproduction Steps

  • Create two or more collections with auth enabled.
  • Try to block the user of the admin users collection from accessing the auth fields based on a user role.

Which area(s) are affected? (Select all that apply)

area: ui, area: core

Environment Info

Binaries:
  Node: 22.6.0
  npm: 10.8.2
  Yarn: N/A
  pnpm: 9.7.1
Relevant Packages:
  payload: 3.27.0
  next: 15.2.0
  @payloadcms/db-postgres: 3.27.0
  @payloadcms/live-preview-react: 3.27.0
  react: 19.0.0
  react-dom: 19.0.0
Operating System:
  Platform: darwin
  Arch: arm64
  Version: Darwin Kernel Version 24.3.0: Thu Jan  2 20:24:23 PST 2025; root:xnu-11215.81.4~3/RELEASE_ARM64_T6020
  Available memory (MB): 16384
  Available CPU cores: 12
@shiva-hack shiva-hack added status: needs-triage Possible bug which hasn't been reproduced yet validate-reproduction Auto-added tag on create to tell bot to check recreation URL, removed after check. labels Mar 6, 2025
@github-actions github-actions bot removed the validate-reproduction Auto-added tag on create to tell bot to check recreation URL, removed after check. label Mar 6, 2025
@JessChowdhury (Member)

Hey @shiva-hack - sorry if I am misunderstanding your issue but I tested this and using the access.update function does provide the desired behavior that you described:

```ts
update: ({ req: { user } }) => {
  const isAdmin = user?.collection === 'users' && user?.roles?.includes('admin')
  return isAdmin
},
```

When the user is not an admin, this is how the auth fields would look on the members collection:
[screenshot: the auth fields of the members collection rendered read-only for a non-admin user]
They would not be able to edit the email, change the password or force unlock as these get set to read-only.

What part is not working as you expected?

@shiva-hack (Author) commented Mar 7, 2025

@JessChowdhury , so this does check the admin key over the entire collection, but what if we just want to disable the auth fields and keep the other fields open?

  • The user should be able to update other fields except email, change the password or force unlock.
  • The admin should be able to update all the fields including email, change the password and force unlock.
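
The access matrix described in the issue's Expected Behavior and restated in the reply above, as an added example that is not code from the issue or from Payload. It factors the thread's `users`-collection admin check into reusable access functions and adds a small resolver that combines a collection-level `update` rule with per-field `access.update` rules to report which fields a given request may edit. The `Role`, `AuthUser`, `AccessArgs`, `FieldConfig` types, the `editableFields` resolver and the three constructed requests are assumptions made so the file runs stand-alone; they mirror the shape of Payload's `req.user` and access-function arguments but are not Payload's own definitions. Listing `email` and `password` as gated fields models the outcome the thread asks for; whether Payload applies field-level access to its built-in auth fields is exactly what this issue leaves open.

```typescript
// Added example, not code from the issue or from Payload itself.
// The types below only mirror the shape of Payload's req.user and
// access-function arguments so the file runs stand-alone; they are an
// assumption, not Payload's own type definitions.

type Role = 'admin' | 'user'

// req.user as the thread uses it: the auth collection the account logged in
// through, plus the `roles` select field defined on the users collection.
type AuthUser = { collection: string; roles?: Role[] }

type AccessArgs = { req: { user?: AuthUser | null } }
type AccessFn = (args: AccessArgs) => boolean

// Admin of the admin panel: logged in through `users` AND carrying the admin
// role. Accounts from the separate `members` auth collection never qualify.
const isUsersAdmin: AccessFn = ({ req: { user } }) =>
  Boolean(user?.collection === 'users' && user?.roles?.includes('admin'))

// Any account from the `users` collection, admin or plain user.
const isUsersAccount: AccessFn = ({ req: { user } }) =>
  Boolean(user?.collection === 'users')

// Minimal field shape (assumed): a field may carry its own `access.update`
// that narrows the collection-level decision for that field only.
type FieldConfig = {
  name: string
  type: string
  required?: boolean
  access?: { read?: AccessFn; update?: AccessFn }
}

// The matrix the thread asks for: `name` follows the collection rule, while
// the auth-related fields are gated to admins. `email` and `password` here
// model the desired outcome; the issue is about whether Payload honours
// field-level access on its built-in auth fields.
const membersFields: FieldConfig[] = [
  { name: 'name', type: 'text', required: true },
  { name: 'email', type: 'email', access: { update: isUsersAdmin } },
  { name: 'password', type: 'text', access: { update: isUsersAdmin } },
]

// Collection-level `update` as written in the issue: anyone from `users` may update.
const membersUpdate: AccessFn = isUsersAccount

// Resolve which field names a request may update (assumed resolver, not
// Payload's internal one). Collection access is checked first: a denial there
// blocks every field. A field that defines its own access.update is then
// evaluated on top; fields without one inherit the collection decision.
function editableFields(
  collectionUpdate: AccessFn,
  fields: FieldConfig[],
  args: AccessArgs,
): string[] {
  if (!collectionUpdate(args)) return []
  return fields
    .filter((f) => (f.access?.update ? f.access.update(args) : true))
    .map((f) => f.name)
}

// Constructed requests standing in for three kinds of caller.
const asAdmin: AccessArgs = { req: { user: { collection: 'users', roles: ['admin'] } } }
const asUser: AccessArgs = { req: { user: { collection: 'users', roles: ['user'] } } }
const asMember: AccessArgs = { req: { user: { collection: 'members' } } }

console.log(editableFields(membersUpdate, membersFields, asAdmin))  // name, email, password
console.log(editableFields(membersUpdate, membersFields, asUser))   // name only
console.log(editableFields(membersUpdate, membersFields, asMember)) // nothing
```

With this split, the collection-level rule stays as permissive as the issue's `update` (any `users` account may save a member), and only the per-field rules carry the admin requirement, so a plain `user` keeps editing `name` while the gated fields are refused for that one request rather than the whole document.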

@JessChowdhury JessChowdhury self-assigned this Mar 12, 2025
@github-actions github-actions bot removed the status: needs-triage Possible bug which hasn't been reproduced yet label Mar 12, 2025