# Preventing User Access to the Admin Panel


winter prawn

I'm currently working with the Payload CMS v3 beta for my upcoming Next.js application, where I have successfully set up user registration, login, logout, and account details features. I'm quite impressed with how well v3 is performing. Great work!

However, I've noticed that new users also gain access to the admin panel upon account creation. I need to ensure that while users can log in via the general API endpoint (/api/users/login), they should not have access to the admin panel (/admin) by default.

Could you advise if the "canAccessAdmin" flag can be set to false by default when a user account is created?

Is there an easy way to restrict access in this way?

Thanks, Thorsten

shut sierra

I've never used the flag so I'm not that sure. However, I would try to create an afterChange hook on the user collection and try to change it there.

winter prawn

I mean, I can use roles to be set by default like this:

```js
const Users = {
  slug: 'users',
  auth: true,
  admin: {
    useAsTitle: 'email',
  },
  fields: [
    {
      name: 'role',
      type: 'select',
      options: [
        { label: 'Admin', value: 'admin' },
        { label: 'User', value: 'user' },
      ],
      required: true,
      defaultValue: 'user',
    },
  ],
};
```

But how to check if the login is done via admin panel? The afterLogin hook seems to be too generic... Or can I check inside the hook if the login was done via admin panel anyhow? (login via admin panel vs. login via api)
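Payload collections accept an `access.admin` function that decides who may open the admin panel, independently of which endpoint was used to log in. The config below is an added example, not part of the original thread or Payload's own code: it extends the `role` field shown above, and `isAdmin` and `canOpenAdminPanel` are hypothetical helper names.

```javascript
// Hypothetical helper: true only for an authenticated user whose role is 'admin'.
const isAdmin = ({ req }) => Boolean(req && req.user && req.user.role === 'admin');

const Users = {
  slug: 'users',
  auth: true,
  admin: {
    useAsTitle: 'email',
  },
  access: {
    // Gates the admin panel (/admin) for users of this collection.
    // Logging in through /api/users/login is not restricted by this function.
    admin: isAdmin,
  },
  fields: [
    {
      name: 'role',
      type: 'select',
      options: [
        { label: 'Admin', value: 'admin' },
        { label: 'User', value: 'user' },
      ],
      required: true,
      defaultValue: 'user',
      access: {
        // Field-level access: without these, a registration or profile update
        // request could carry role: 'admin' and bypass the default.
        // The first admin then has to receive its role through a trusted path,
        // for example a seed script using the Local API (assumption of this example).
        create: isAdmin,
        update: isAdmin,
      },
    },
  ],
};

// Hypothetical helper for checking the rule locally with a constructed user object.
function canOpenAdminPanel(user) {
  return Users.access.admin({ req: { user } });
}
```

How Payload treats a `role` value that field access rejects on create, given `required: true` and the `defaultValue`, should be confirmed against the installed v3 beta.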
