silk quarry
Hi, I'm just starting out with PayloadCMS and I'm looking for some advice on my use case.
I need a collection which can be added to by anonymous users, but to prevent abuse (including CSRF) I want to make sure that only the person who created it is allowed to update it.
What is(are) the recommended approach(es)? How does Payload support them?
Regards
gusty mulchBOT
bronze shard
Payload doesn't really have a way to support this use-case, and in general how would you truly do this with anonymous users? Every time you create a new session even for the same user they won't be able to be identified with the previous session, so even in BaaS like Firebase updates won't be possible.
silk quarry
I'm sure it does.
One thought I had was to generate a random value which is stored in the collection and in a hidden field on the page. then when the user submits an update we ensure the values match (the value could randomise after each udate). And/or setting a cookie with some kind of correlation value. Either way this value could be verified in an access condition or a validation hook.
But being new to the framework, I'd like to know what people think is the preferred/builtin/conventional approach.
thin halo
I'm sure it does.
One thought I had was to generate a random value which is st...
Just as you described, i think it's okay.
Same approach used in ecommerce template
https://github.com/payloadcms/payload/blob/main/packages/plugin-ecommerce/src/collections/carts/hasCartSecretAccess.ts
silk quarry
This is excellent. Thank you Veia
