A quick-reference cheat sheet for access control functions in Payload CMS 3, which let you define rules for read, create, update and delete operations using dynamic conditions evaluated per request.
Payload is the open-source, fullstack Next.js framework, giving you instant backend superpowers. Get a full TypeScript backend and admin panel instantly. Use Payload as a headless CMS or for building powerful applications.
TLDR
User Collection
```ts
// Payload 3 exports its types from 'payload' (the 'payload/types' path is the Payload 2 location)
import type { CollectionConfig } from 'payload'

const Users: CollectionConfig = {
  slug: 'users', // The collection slug
  auth: true, // Enable authentication (login); Payload adds email/password handling itself
  fields: [
    {
      name: 'email',
      type: 'email', // User email address
      required: true,
      unique: true, // Ensure that email addresses are unique
    },
    // No explicit password field: 'password' is not a Payload field type, and
    // auth: true already stores the password as a salted hash for you.
    {
      name: 'role',
      type: 'select',
      options: ['admin', 'editor', 'author'], // Define the available roles
      defaultValue: 'author', // Default role is 'author'
      required: true,
      access: {
        // Only admins may change a role; otherwise a user updating their own
        // record could promote themselves to admin.
        update: ({ req }) => req.user?.role === 'admin',
      },
    },
    {
      name: 'firstName',
      type: 'text', // User's first name
      required: true,
    },
    {
      name: 'lastName',
      type: 'text', // User's last name
      required: true,
    },
  ],
  access: {
    // Access control for reading users (admin only)
    read: ({ req }) => req.user?.role === 'admin',
    // Only admins can create a user
    create: ({ req }) => req.user?.role === 'admin',
    // Admins and the user themselves can update user details.
    // Collection-level access receives the document `id`, not `doc`.
    update: ({ req, id }) => req.user?.role === 'admin' || (!!req.user && req.user.id === id),
    // Only admins can delete a user
    delete: ({ req }) => req.user?.role === 'admin',
  },
}

export default Users
```
Notes Collection
```ts
import type { CollectionConfig } from 'payload'

const Notes: CollectionConfig = {
  slug: 'notes',
  fields: [
    {
      name: 'owner',
      type: 'relationship', // Links the note to a user (owner)
      relationTo: 'users', // Relates to the 'users' collection
      required: true, // Ensures every note has an owner
      // If authors must not reassign ownership, add field-level access here.
    },
  ],
  access: {
    /**
     * Read Access:
     * - Admins can read all notes.
     * - Editors can read all notes.
     * - Authors can only read their own notes.
     * Collection-level access does not receive `doc`; to scope authors to their
     * own documents, return a Where query, which Payload applies to the find
     * so that list endpoints only return permitted rows.
     */
    read: ({ req }) => {
      if (!req.user) return false // If no user is logged in, deny access
      if (req.user.role === 'admin' || req.user.role === 'editor') return true
      return { owner: { equals: req.user.id } } // Authors can only read their own notes
    },
    /**
     * Create Access:
     * - Admins, Editors, and Authors can create notes.
     */
    create: ({ req }) =>
      req.user?.role === 'admin' || req.user?.role === 'editor' || req.user?.role === 'author',
    /**
     * Update Access:
     * - Admins can update all notes.
     * - Editors can update all notes.
     * - Authors can only update their own notes.
     */
    update: ({ req }) => {
      if (!req.user) return false
      if (req.user.role === 'admin' || req.user.role === 'editor') return true
      return { owner: { equals: req.user.id } } // Authors can only update their own notes
    },
    /**
     * Delete Access:
     * - Admins can delete all notes.
     * - Authors can delete their own notes.
     * - Editors CANNOT delete any notes.
     */
    delete: ({ req }) => {
      if (!req.user) return false
      if (req.user.role === 'admin') return true
      if (req.user.role === 'editor') return false // Editors cannot delete
      return { owner: { equals: req.user.id } } // Only the owner of the note can delete it
    },
  },
}

export default Notes
```
Access Control for Notes Collection in Payload CMS 3
Explanation
- Admins: Have full control over all notes.
- Editors: Can read and update all notes but cannot delete.
- Authors: Can only access their own notes (read, create, update, and delete).
- Guests (not logged in): Have no access.
| Role | Read Notes | Create Notes | Update Notes | Delete Notes |
|---|---|---|---|---|
| Admin | ✅ Can read all | ✅ Can create | ✅ Can update all | ✅ Can delete all |
| Editor | ✅ Can read all | ✅ Can create | ✅ Can update all | ❌ Cannot delete |
| Author | ✅ Can read own | ✅ Can create | ✅ Can update own | ✅ Can delete own |
| Guest | ❌ Cannot read | ❌ Cannot create | ❌ Cannot update | ❌ Cannot delete |
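As an added example that is not part of the original post or of Payload itself, the notes policy written as plain TypeScript functions with minimal stand-in types (assumed shapes, not Payload's real `AccessArgs`/`Where`) and a small evaluator that applies a returned Where constraint the way Payload scopes a list query, so every row of the role table can be checked offline against constructed sample notes.

```typescript
// Added example (not code from the original post or from Payload). The types
// below are minimal stand-ins for Payload's AccessArgs / Where shapes so the
// policy can be exercised offline; in a real project use Payload's own types.
type Role = 'admin' | 'editor' | 'author'
type User = { id: string; role: Role }
type Note = { id: string; owner: string }
type Where = { owner: { equals: string } }
type AccessArgs = { req: { user?: User } }
type AccessResult = boolean | Where

// Read/update rule from the cheat sheet: admins and editors see everything,
// authors are scoped to their own notes via a query constraint, guests denied.
function readOrUpdateNotes({ req }: AccessArgs): AccessResult {
  if (!req.user) return false
  if (req.user.role === 'admin' || req.user.role === 'editor') return true
  return { owner: { equals: req.user.id } }
}

// Delete rule: editors are explicitly denied, authors scoped to their own notes.
function deleteNotes({ req }: AccessArgs): AccessResult {
  if (!req.user) return false
  if (req.user.role === 'admin') return true
  if (req.user.role === 'editor') return false
  return { owner: { equals: req.user.id } }
}

// Apply an access result the way Payload applies it to a find/list:
// false -> no rows, true -> all rows, Where -> only the matching rows.
function visibleNotes(result: AccessResult, notes: Note[]): Note[] {
  if (result === false) return []
  if (result === true) return notes
  return notes.filter((n) => n.owner === result.owner.equals)
}

// Constructed sample data: two notes owned by two different authors.
const NOTES: Note[] = [
  { id: 'n1', owner: 'u-alice' },
  { id: 'n2', owner: 'u-bob' },
]

// Returns the note ids a given user (undefined = guest) may act on for an operation.
function allowedIds(user: User | undefined, op: 'read' | 'update' | 'delete'): string[] {
  const rule = op === 'delete' ? deleteNotes : readOrUpdateNotes
  return visibleNotes(rule({ req: { user } }), NOTES).map((n) => n.id)
}

// Walk two rows of the role table: author reads only n1, editor deletes nothing.
const alice: User = { id: 'u-alice', role: 'author' }
console.log(allowedIds(alice, 'read'), allowedIds({ id: 'e1', role: 'editor' }, 'delete'))
```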
Top comments (2)
Hello, thanks for this. Do you think it's possible to manage access control dynamically? With the conditions stored on a collection?
Possible, would need to see what other values are passed into the access function.