# All Images forbidden except when admin login


languid kindle
#

All my images in the Media collection return a 301 forbidden except when I log in with the initial Admin account. All other accounts don't work.

This is my media collection. All yarn packages are up to date. Payload version: 2.12.1. I have had this issue for a long time, so it's not with the latest version. I just upgraded from 2.1.1 to 2.12.1.

```ts
import { CollectionConfig } from "payload/dist/collections/config/types";
// import { isAdmin } from "../auth/auth";

const Media: CollectionConfig = {
    access: {
        read: ({ req: { user } }) => true,
    },
    slug: 'media',
    fields: [
        {
            name: 'alt',
            label: 'Alt',
            type: 'text',
        }
    ],
    admin: {
        useAsTitle: 'id',
        hideAPIURL: false,
    },
    upload: {
        staticURL: '/media',
        staticDir: 'media',
        mimeTypes: ['image/*'],
    }
}

export default Media;
```

```
[backend] Forbidden: You are not allowed to perform this action.
[backend]     at executeAccess (/Users/xxx/xxx/flutter-drinks/payload/node_modules/payload/src/auth/executeAccess.ts:10:43)
[backend]     at processTicksAndRejections (node:internal/process/task_queues:95:5)
[backend]     at /Users/xxx/xxx/flutter-drinks/payload/node_modules/payload/src/auth/getExecuteStaticAccess.ts:19:30
```

languid kindle
#

Somehow the Users collection is conflicting with it.

```ts
  // Fragment of the Users collection config
  access: {
    read: (red) => true,
    // read: isAdminOrSelf,
    create: isAdmin,
    update: isAdminOrSelf,
    delete: isAdminOrSelf,
  },
```

If I set the read permission to true on the Users collection, the images work. But then everyone can send an API request and retrieve all the users, so that's not good.

I'm wondering why this User collection has this conflict with the Media collection.

crude shore
#

What happens if you structure the read on your Media collection like this?

```ts
read: () => true,
```

I'm imagining that when you are not signed in, the function will throw an undefined error since req.user is not defined when the user is not signed in. And then some global exception handler makes it so you get an unauthorized response.

#

Actually that wouldn't make much sense, nothing is trying to access req.user 😅

olive stratus
#

@languid kindle Have you solved this yet?

sturdy copper
#

I'm having the same issue, does someone have an answer?