void belfry
Hello,
I'm working on a multi-tenanted Payload CMS instance using the official "Multi Tenant" plugin.
I'm looking to try and set up my rest API to require a tenant being specified for all requests, just so that nobody can visit an endpoint like: http://localhost:3000/api/pages and see ALL pages for ALL tenants.
It will all be public-facing website content, so not the end of the world if someone did see it all. But I'd rather try to obscure who the other tenants are if possible. Also this will hopefully reduce the chance of mistakes leading to content from other tenants being shown on the client side.
At the moment, I have this working using access control on the collection so that any requests without ?tenant=tenant-slug fail:
// My "pages" read access function
// If the user is logged in, always allow
if(req.user)
{
return true;
}
// Check if a tenant slug is provided in query params
const tenant = req.query.tenant;
// No tenant = no access
if (!tenant) {
return false;
}
// Filter results to tenant only
const query: Where = {
'tenant.slug': {
equals: tenant
},
};
return query;
Is this a good approach? Is there a better way? As far as I can tell, by default the API routes are not segregated by tenant - but let me know if i'm missing something here and there is already a way to achieve this. Or if there is just a better approach in general that i'm missing.
Thanks
regal terrace