Closed
Description
Describe the Bug

Scenario

- Two or more auth collections in a payloadcms instance. Here they are `members` and `users`.
- The admin is hooked to the `users` collection which has two roles, `user` and `admin`.
- The `members` collection has auth fields as well as some extra fields for the member profile.
```ts
// payload.config.ts
import { buildConfig } from 'payload'
import { MembersCollection as Members } from './members.collection'
import { UsersCollection as Users } from './users.collection'

export default buildConfig({
  ...
  collections: [Members, Users],
  ...
})
```

```ts
// users.collection.ts
import type { CollectionConfig } from 'payload'

export const UsersCollection: CollectionConfig<'users'> = {
  slug: 'users',
  auth: true,
  admin: {
    useAsTitle: 'email',
  },
  fields: [
    {
      name: 'roles',
      label: 'Roles',
      type: 'select',
      options: ['admin', 'user'],
      hasMany: true,
    },
  ],
}
```

```ts
// members.collection.ts
import type { CollectionConfig } from 'payload'

export const MembersCollection: CollectionConfig<'members'> = {
  slug: 'members',
  auth: true,
  admin: {
    useAsTitle: 'email',
  },
  access: {
    // Only admins of the `users` collection may create members.
    create: ({ req: { user } }) =>
      Boolean(user?.collection === 'users' && user.roles?.includes('admin')),
    update: ({ req: { user } }) => {
      // TODO: there is no way to block the payloadcms user only role from editing the auth fields like email and password.
      return Boolean(user?.collection === 'users')
    },
    // TODO: we need something like this to block the payloadcms user only role from updating the auth fields like email and password.
    // auth: ({ req: { user } }) =>
    //   Boolean(user?.collection === 'users' && user.roles?.includes('admin')),
  },
  fields: [
    {
      name: 'name',
      label: 'Name',
      type: 'text',
      required: true,
    },
  ],
}
```
Expected Behavior

- The `user` role from the `users` collection should not see the auth fields for the member.
- The `admin` role from the `users` collection should see and be able to update the auth fields for the member.

Current Behavior

- There is no field level / auth group level access control specifically for the CRUD actions on the auth fields.

I have added TODO notes in the members collection.
Link to the code that reproduces this issue
https://github.com/shiva-hack/payload/tree/fix/auth-fields-access
Reproduction Steps
- Create two or more collections with auth enabled.
- Try to block the user of the admin users collection from accessing the auth fields based on a user role.
Which area(s) are affected? (Select all that apply)
area: ui, area: core
Environment Info
Binaries:
Node: 22.6.0
npm: 10.8.2
Yarn: N/A
pnpm: 9.7.1
Relevant Packages:
payload: 3.27.0
next: 15.2.0
@payloadcms/db-postgres: 3.27.0
@payloadcms/live-preview-react: 3.27.0
react: 19.0.0
react-dom: 19.0.0
Operating System:
Platform: darwin
Arch: arm64
Version: Darwin Kernel Version 24.3.0: Thu Jan 2 20:24:23 PST 2025; root:xnu-11215.81.4~3/RELEASE_ARM64_T6020
Available memory (MB): 16384
Available CPU cores: 12
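The access functions from the issue, as an added example that is not code from the Payload project or the issue author: they are written against a minimal stand-in for Payload's access-control arguments so they run without a Payload install, and the `AuthUser` / `AccessArgs` shapes, the `isUsersAdmin` / `isUsersMember` helpers, `evaluate` and the sample users are assumptions modelled on the issue's code rather than Payload's real types. The point it exercises is the one that matters once there is more than one auth collection: `req.user` may be a logged-in `members` document, so the `user.collection` check has to come before any role check, otherwise a member record that happens to carry a `roles` value would pass as an admin. It also shows field-level access on the declared `name` field, which is the part of the profile the issue wants to keep editable; the auth fields themselves are not declared fields, which is exactly the gap the issue reports.

```typescript
// Stand-in for the roles declared on the `users` collection in the issue.
type Role = 'admin' | 'user'

// Assumed shape of req.user: in Payload the user carries the slug of the auth
// collection it logged in through, which is the only thing that tells a
// `users` user apart from a `members` user.
interface AuthUser {
  id: string
  email: string
  collection: 'users' | 'members'
  roles?: Role[]
}

// Assumed minimal shape of the access-function arguments (only req.user is used).
interface AccessArgs {
  req: { user: AuthUser | null }
}

// Collection check first, role check second: a `members` document with a
// stray `roles` value must never satisfy this.
const isUsersAdmin = ({ req: { user } }: AccessArgs): boolean =>
  Boolean(user?.collection === 'users' && user.roles?.includes('admin'))

// Any user who logged in through the `users` collection.
const isUsersMember = ({ req: { user } }: AccessArgs): boolean =>
  Boolean(user?.collection === 'users')

// Collection-level access as in the issue: only admins create members,
// any `users` user may update a member document.
const membersAccess = {
  create: isUsersAdmin,
  update: isUsersMember,
}

// Field-level access on a declared profile field (Payload supports
// access.create/read/update on fields you define yourself); the profile
// field stays editable by every `users` user.
const nameFieldAccess = {
  update: isUsersMember,
}

// Summarises which operations on a member document a given user passes.
function evaluate(user: AuthUser | null) {
  const args: AccessArgs = { req: { user } }
  return {
    create: membersAccess.create(args),
    update: membersAccess.update(args),
    updateName: nameFieldAccess.update(args),
  }
}

// Constructed sample users (not from the issue).
const adminUser: AuthUser = { id: '1', email: 'admin@example.com', collection: 'users', roles: ['admin'] }
const plainUser: AuthUser = { id: '2', email: 'user@example.com', collection: 'users', roles: ['user'] }
// A member record that somehow carries an `admin` role: the collection check
// must still reject it, otherwise a self-service member could escalate.
const rogueMember: AuthUser = { id: '3', email: 'member@example.com', collection: 'members', roles: ['admin'] }
```

Running `evaluate` over the three sample users gives admin: all allowed; plain user: create denied, document and name update allowed; rogue member: everything denied, because the `collection` test fails before `roles` is ever consulted.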
Activity
jessrynkar commented on Mar 7, 2025

Hey @shiva-hack - sorry if I am misunderstanding your issue but I tested this and using the `access.update` function does provide the desired behavior that you described:

When the user is not an admin, this is how the auth fields would look on the `members` collection:

They would not be able to edit the email, change the password or force unlock as these get set to read-only.

What part is not working as you expected?
shiva-hack commented on Mar 7, 2025

@JessChowdhury, so this does check the admin key over the entire collection, but what if we just want to disable the auth fields and keep the other fields open?
cewald commented on Mar 24, 2025

I have the same problem – I want to give users the option to change single fields but not others, like the email address or password.
fix(ui): updates auth fields UI to reflect access control (payloadcms…
github-actions commented on Jun 27, 2025

🚀 This is included in version v3.44.0

github-actions commented on Jul 5, 2025

This issue has been automatically locked.
Please open a new issue if this issue persists with any additional detail.