Unable to manage access control for auth fields when more than one collection has auth enabled. #11569

Open
@shiva-hack

Description

Describe the Bug

Scenario

  • Two or more auth collections in a payloadcms instance.
  • Here they are members and users.
  • The admin is hooked to the users collection which has two roles user and admin.
  • The members collection has auth fields as well as some extra fields for the member profile.

// payload.config.ts
import { buildConfig } from 'payload'

import { MembersCollection } from './members.collection'
import { UsersCollection } from './users.collection'

export default buildConfig({
...
collections: [MembersCollection, UsersCollection],
...
})

// users.collection.ts
import type { CollectionConfig } from 'payload'

export const UsersCollection: CollectionConfig<'users'> = {
  slug: 'users',
  auth: true,
  admin: {
    useAsTitle: 'email',
  },
  fields: [
    {
      name: 'roles',
      label: 'Roles',
      type: 'select',
      options: ['admin', 'user'],
      hasMany: true,
    },
  ],
}

// members.collection.ts
import type { CollectionConfig } from 'payload'

export const MembersCollection: CollectionConfig<'members'> = {
  slug: 'members',
  auth: true,
  admin: {
    useAsTitle: 'email',
  },
  access: {
    create: ({ req: { user } }) =>
      Boolean(user?.collection === 'users' && user.roles?.includes('admin')),
    update: ({ req: { user } }) => {
      // TODO: there is no way to block the payloadcms user only role from editing the auth fields like email and password.
      return Boolean(user?.collection === 'users')
    },
    // TODO: we need something like this to block the payloadcms user only role from updating the auth fields like email and password.
    // auth: ({ req: { user } }) =>
    //   Boolean(user?.collection === 'users' && user.roles?.includes('admin')),
  },
  fields: [
    {
      name: 'name',
      label: 'Name',
      type: 'text',
      required: true,
    },
  ],
}

Expected Behavior

  • The user role from the users collection should not see the auth fields for the member.
  • The admin role from the users collection should see and be able to update the auth fields for the member.

Current Behavior

  • There is no field level / auth group level access control specifically for the CRUD actions on the auth fields.

I have added TODO notes in the members collection.

Link to the code that reproduces this issue

https://github.com/shiva-hack/payload/tree/fix/auth-fields-access

Reproduction Steps

  • Create two or more collections with auth enabled.
  • Try to block the user of the admin users collection from accessing the auth fields based on a user role.

Which area(s) are affected? (Select all that apply)

area: ui, area: core

Environment Info

Binaries:
  Node: 22.6.0
  npm: 10.8.2
  Yarn: N/A
  pnpm: 9.7.1
Relevant Packages:
  payload: 3.27.0
  next: 15.2.0
  @payloadcms/db-postgres: 3.27.0
  @payloadcms/live-preview-react: 3.27.0
  react: 19.0.0
  react-dom: 19.0.0
Operating System:
  Platform: darwin
  Arch: arm64
  Version: Darwin Kernel Version 24.3.0: Thu Jan  2 20:24:23 PST 2025; root:xnu-11215.81.4~3/RELEASE_ARM64_T6020
  Available memory (MB): 16384
  Available CPU cores: 12
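Until per-field access control on the auth fields exists, the expected behaviour can be approximated at the collection level with hooks. The following is an added example, not code from the reporter's branch or from Payload itself: it models the arguments a Payload `beforeChange` and `afterRead` hook receives with minimal constructed types (`RequestUser`, `BeforeChangeArgs`) so it runs without the `payload` package, and it assumes `email` and `password` are the auth fields to protect. The admin check mirrors the `create` rule in the members collection above.

```typescript
// Added example (not Payload's own code): collection-level guards for the auth
// fields that Payload injects into every auth-enabled collection.

type Role = 'admin' | 'user'

// Constructed stand-in for `req.user` on an authenticated request.
interface RequestUser {
  collection: 'users' | 'members'
  roles?: Role[]
}

// Constructed stand-in for the `beforeChange` hook arguments; the real
// signature carries more properties than are needed here.
interface BeforeChangeArgs {
  data: Record<string, unknown>
  originalDoc?: Record<string, unknown>
  operation: 'create' | 'update'
  req: { user?: RequestUser | null }
}

// Assumption: these are the auth fields that only admins may read or write.
const AUTH_FIELDS = ['email', 'password'] as const

// Same rule as the reporter's `access.create`: only an admin from the admin
// `users` collection may manage a member's auth fields.
function canManageAuthFields(user?: RequestUser | null): boolean {
  return Boolean(user?.collection === 'users' && user.roles?.includes('admin'))
}

// `beforeChange`-style guard. It rejects, rather than silently drops, writes to
// auth fields by non-admins so the client learns the update was refused.
// A field only counts as written when its value differs from the stored
// document; `password` is never stored in plain text, so any password in
// `data` is treated as a change.
function guardAuthFields(args: BeforeChangeArgs): Record<string, unknown> {
  const { data, originalDoc, operation, req } = args
  if (canManageAuthFields(req.user)) return data

  // Auth fields are mandatory on create, so a non-admin create cannot be
  // salvaged; `access.create` already blocks it, this is defence in depth.
  if (operation === 'create') {
    throw new Error('only admins may create members')
  }

  const stored = originalDoc ?? {}
  const changed = AUTH_FIELDS.filter((f) => f in data && data[f] !== stored[f])
  if (changed.length > 0) {
    throw new Error(`not allowed to change auth fields: ${changed.join(', ')}`)
  }
  return data
}

// `afterRead`-style counterpart for "the user role should not see the auth
// fields": strip them from the document before it leaves the server.
function hideAuthFields<T extends Record<string, unknown>>(
  doc: T,
  user?: RequestUser | null,
): Partial<T> {
  if (canManageAuthFields(user)) return doc
  const copy: Record<string, unknown> = { ...doc }
  for (const f of AUTH_FIELDS) delete copy[f]
  return copy as Partial<T>
}

export { canManageAuthFields, guardAuthFields, hideAuthFields }
```

Wired into the members collection as `hooks: { beforeChange: [guardAuthFields], afterRead: [({ doc, req }) => hideAuthFields(doc, req.user)] }`, the `user` role can still edit `name` but gets an error on `email`/`password` changes and never receives `email` in read responses, while the `admin` role is unaffected. Note that this hides fields from API responses but not from the admin UI form itself; hiding them there still needs the field-level access the issue asks for.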
