#publish

14 messages · Page 1 of 1 (latest)

quaint arch
#

I am trying to implement access control isAdminOrSelf but it does not work:
import { Access } from "payload/config";

export const isAdminOrSelf: Access = ({ req: { user } }) => {
  // Need to be logged in
  if (user) {
    // If user has role of 'admin'
    if (user.roles?.includes('admin')) {
      return true;
    }

    // If any other type of user, only provide access to themselves
    return {
      id: {
        equals: user.id,
      }
    }
  }

  // Reject everyone else
  return false;
}

It works if Admin but not for Self! Anything wrong?

lyric roost
quaint arch
#

yes, but after the user was created the update failed.

here is the access in the collection:

#

access: {
// Data Manager can create
create: isLoggedIn,
// Only admins or creator can update
update: isAdminOrSelf,
// Admins or creator can read,
// otherwise users not logged in can only read public indicators
read: isPublicOnly,
// Only admins can delete
delete: isAdminOrSelf,
},

#

[07:22:02] ERROR (payload): Forbidden: You are not allowed to perform this action.

lyric roost
#
export const isAdminOrSelf: Access = ({data,  req: { user } }) => {
  // Need to be logged in
  if (user) {
    // If user has role of 'admin'
    if (user.roles?.includes('admin')) {
      return true;
    }

    return data?.id == user.id;
  }

  // Reject everyone else
  return false;
}

Does it work this way by any chance?

quaint arch
#

no this disables everything after saving

lyric roost
# quaint arch no this disables everything after saving
export const isAdminOrSelf: Access = ({data, id, req: { user } }) => {
  // Need to be logged in
  if (user) {
    // If user has role of 'admin'
    if (user.roles?.includes('admin')) {
      return true;
    }

    return id == user.id;
  }

  // Reject everyone else
  return false;
}

Try this - tested it out locally!

#

Problem was that "data" is null before you actually updated the document

quaint arch
#

same issue

lyric roost
#

what exactly is the issue now?

Also, do add a console.log(id) and console.log(user.id) and verify they are printed out correctly when accessing and updating the document

quaint arch
#

The issue is after I click save all fields are grayed and cannot be modified

#

in the developer console I have the following error:
XHR GET http://localhost:8000/api/users?depth=0&where[id][in][0]=6423f051567653754e23bb4c&limit=250
[HTTP/1.1 403 Forbidden 17ms]

quaint arch
#

where to put console.log?
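An added example, not code from the thread or from Payload itself, showing one way to reconcile the two versions discussed above: the function returns a boolean when a document id is supplied (update/delete) and a query constraint when it is not (list reads such as the admin UI's GET /api/users request that returned 403). Payload's own `Access` type is replaced by minimal local stand-in types (an assumption made so the file runs on its own), and `filterDocs` is a hypothetical helper that applies the constraint the way a list read would.

```typescript
// Minimal stand-ins for Payload's Access argument/result types (assumption, not Payload's API).
type User = { id: string; roles?: string[] };
type AccessArgs = {
  req: { user?: User | null };
  id?: string | number;               // present for single-document operations only
  data?: Record<string, unknown>;     // undefined until an update is actually performed
};
type Where = { id: { equals: string } };
type AccessResult = boolean | Where;

const isAdminOrSelf = ({ req: { user }, id }: AccessArgs): AccessResult => {
  // Reject anonymous requests outright.
  if (!user) return false;

  // Admins may do anything.
  if (user.roles?.includes("admin")) return true;

  // Single-document operations (update/delete by id) carry `id`: answer with a boolean.
  // `data` is deliberately not consulted, since it is undefined before the update runs.
  if (id !== undefined) return String(id) === user.id;

  // List/read operations carry no `id`: return a query constraint instead of `false`,
  // so reads are scoped to the caller's own document rather than forbidden entirely.
  return { id: { equals: user.id } };
};

// Hypothetical helper: apply an access result to a document list the way a list read would.
function filterDocs<T extends { id: string }>(docs: T[], result: AccessResult): T[] {
  if (result === true) return docs;
  if (result === false) return [];
  return docs.filter((d) => d.id === result.id.equals);
}

// Constructed sample users and documents for a stand-alone run.
const alice: User = { id: "u1", roles: ["editor"] };
const admin: User = { id: "u2", roles: ["admin"] };
const users = [{ id: "u1" }, { id: "u2" }, { id: "u3" }];

console.log(isAdminOrSelf({ req: { user: alice }, id: "u1" }));   // self update allowed
console.log(isAdminOrSelf({ req: { user: alice }, id: "u2" }));   // other user's doc denied
console.log(filterDocs(users, isAdminOrSelf({ req: { user: alice } })));  // list read scoped to self
console.log(filterDocs(users, isAdminOrSelf({ req: { user: admin } })));  // admin sees all
```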