# Full admin panel access for some users


last aspen

In our app, admin users have full access in the backend admin, so they can see and change everything there. But on the front end they should have the same normal access as other users. We thought we could override the access for these users in the code snippet below based on the local API usage. Now I’ve noticed the backend payload—the admin panel—is no longer using the local API; it’s using the REST API. Is there a way to tell if a request came from within the admin panel? (maybe a specific header being set).

    /**
     * This is the default PayloadCMS behaviour
     * https://payloadcms.com/docs/access-control/overview#default-access-control
     */
    const fallback = (args: AccessArgs) => {
        return !!args.req.user;
    };

    collectionConfig.access = collectionConfig.access || {};

    collectionConfig.access.create = collectionConfig.access.create || fallback;
    collectionConfig.access.read = collectionConfig.access.read || fallback;

    // Let's not allow deleting and updating by default
    collectionConfig.access.update = collectionConfig.access.update || (() => false);
    collectionConfig.access.delete = collectionConfig.access.delete || (() => false);

    const operations = ['create', 'read', 'update', 'delete'] as const;

    operations.forEach((operation) => {
        const initial = collectionConfig.access![operation]!;

        collectionConfig.access![operation] = (args) => {
            const root = args.req.payloadAPI === 'local' && args.req.user?.adminPanel;

            return root || initial(args);
        };
    });
    }); // closes an enclosing callback that is not shown in this snippet
sly garden
last aspen

I did, but didn't see anything specific. Adding the header myself would involve patching the core code of the admin, right?