# Can still access collection when read is set to false (payload 3)

unborn oriole

Hi Everyone,
Having a strange issue with the Payload 3 beta. I currently have the read access on my collection set to false, but I am still able to access it via the .find function in my frontend.

Not sure if I'm missing something simple here, but I couldn't find an answer anywhere online.

Any help would be greatly appreciated.

in collection:

  access: {
    read: () => {
      return false
    },
  },

in frontend component:

  const cabinets = await payload.find({
    collection: 'cabinets',
    depth: 1,
    limit: 10,
  })

unborn oriole

Additional info: setting read to false blocks read from the admin panel but still allows it from payload.find

vagrant dragon

Hey @unborn oriole,

So, I think when you call the Payload Local API from your server, it's done so with "elevated permissions" so to speak. Basically, since it's the server, it kind of bypasses access controls. Or, a better way to put it is that Access Controls are more for User-driven interactions rather than your server.

I know you mentioned that you're calling the local API from a "frontend" component, but that does not mean it is not executed on the server. In fact, NextJS is Server first by default, and you actually have to specifically dictate that code should run exclusively on the client side.

unborn oriole

Ahhhh, that makes sense. I guess making my own endpoint and manually checking auth would be my best bet then?

vagrant dragon

That's definitely an option! You could also perform an auth check just before you call the local API as well in whatever flow you had it in originally. I think there are some examples of authenticating manually in the examples/templates folder - if you need them.

unborn oriole

awesome, I'll check those out. Thanks so much for your help!

vagrant dragon

My pleasure
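
The auth check before the Local API call discussed in this thread, as an added example that is not part of the original posts or Payload's own code. It assumes Payload 3's Local API options `overrideAccess` and `user` plus `payload.auth({ headers })`; `findAsRequestUser` and the stub instance are hypothetical, constructed so the snippet runs offline.

```javascript
// Added example: enforce collection access control on a Local API call.
// Assumes Payload 3's `overrideAccess` / `user` options and `payload.auth`.
// `findAsRequestUser` is a hypothetical helper, not a Payload function.
async function findAsRequestUser(payload, headers, args) {
  // Resolve the caller from the incoming request (cookie / Authorization header).
  const { user } = await payload.auth({ headers })
  // Local API calls skip access control unless overrideAccess is false.
  return payload.find({ ...args, user, overrideAccess: false })
}

// Constructed stand-in for a Payload instance so the example runs offline.
// It models only what the thread describes: `read: () => false` on 'cabinets',
// and Local API calls bypassing access control by default.
function makeStubPayload() {
  const docs = [{ id: 1, name: 'constructed cabinet' }]
  const access = { cabinets: { read: () => false } }
  return {
    async auth({ headers }) {
      // Constructed rule: any Authorization header maps to a user.
      return { user: headers.get('authorization') ? { id: 'u1' } : null }
    },
    async find({ collection, user = null, overrideAccess = true, limit = 10 }) {
      if (!overrideAccess && !access[collection].read({ req: { user } })) {
        throw new Error('Forbidden')
      }
      return { docs: docs.slice(0, limit), totalDocs: docs.length }
    },
  }
}

async function demo() {
  const payload = makeStubPayload()
  const headers = new Headers({ authorization: 'constructed-token' })
  // Default Local API call: access control is skipped, documents come back.
  const bypassed = await payload.find({ collection: 'cabinets', limit: 10 })
  // Same query with access control enforced: read() returns false, so it is denied.
  let denied = false
  try {
    await findAsRequestUser(payload, headers, { collection: 'cabinets', limit: 10 })
  } catch (err) {
    denied = err.message === 'Forbidden'
  }
  return { bypassedCount: bypassed.docs.length, denied }
}
```

In a Next.js server component the `headers` argument would come from the incoming request rather than being constructed by hand.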
