Access Control in Payload CMS - A Quick Reference Guide
Quick overview, Cheat Sheet, for The access control functions following Payload CMS 3 structure, which allows defining rules for read, create, update, and delete operations using dynamic conditions. Payload is the open-source, fullstack Next.js framework, giving you instant backend superpowers. Get a full TypeScript backend and admin panel instantly. Use Payload as a headless CMS or for building powerful applications. TLDR User Collection import { CollectionConfig } from 'payload/types'; const Users: CollectionConfig = { slug: 'users', // The collection slug auth: true, // Enable authentication (login functionality) fields: [ { name: 'email', type: 'email', // User email address required: true, unique: true, // Ensure that email addresses are unique }, { name: 'password', type: 'password', // User password field required: true, }, { name: 'role', type: 'select', options: ['admin', 'editor', 'author'], // Define the available roles defaultValue: 'author', // Default role is 'author' required: true, }, { name: 'firstName', type: 'text', // User's first name required: true, }, { name: 'lastName', type: 'text', // User's last name required: true, }, ], access: { // Access control for reading users (admin only) read: ({ req }) => req.user?.role === 'admin', // Only admin can create a user create: ({ req }) => req.user?.role === 'admin', // Admins and the user themselves can update user details update: ({ req, doc }) => req.user?.role === 'admin' || req.user?.id === doc?.id, // Only admins can delete a user delete: ({ req }) => req.user?.role === 'admin', }, }; export default Users; Notes Collection import { CollectionConfig } from 'payload/types'; const Notes: CollectionConfig = { slug: 'notes', fields: [ { name: 'owner', type: 'relationship', // Links the note to a user (owner) relationTo: 'users', // Relates to the 'users' collection required: true, // Ensures every note has an owner }, ], access: { /** * Read Access: * - Admins can read all notes. 
* - Editors can read all notes. * - Authors can only read their own notes. */ read: ({ req, doc }) => { if (!req.user) return false; // If no user is logged in, deny access return ( req.user.role === 'admin' || req.user.role === 'editor' || req.user.id === doc?.owner // Authors can only read their own notes ); }, /** * Create Access: * - Admins, Editors, and Authors can create notes. */ create: ({ req }) => { return ( req.user?.role === 'admin' || req.user?.role === 'editor' || req.user?.role === 'author' ); }, /** * Update Access: * - Admins can update all notes. * - Editors can update all notes. * - Authors can only update their own notes. */ update: ({ req, doc }) => { if (!req.user) return false; return ( req.user.role === 'admin' || req.user.role === 'editor' || req.user.id === doc?.owner // Authors can only update their own notes ); }, /** * Delete Access: * - Admins can delete all notes. * - Authors can delete their own notes. * - Editors CANNOT delete any notes. */ delete: ({ req, doc }) => { if (!req.user) return false; return ( req.user.role === 'admin' || req.user.id === doc?.owner // Only the author of the note can delete it ); }, }, }; export default Notes; Access Control for Notes Collection in Payload CMS 3 Explanation Admins: Have full control over all notes. Editors: Can read and update all notes but cannot delete. Authors: Can only access their own notes (read, create, update, and delete). Guests (not logged in): Have no access. Role Read Notes Create Notes Update Notes Delete Notes Admin ✅ Can read all ✅ Can create ✅ Can update all ✅ Can delete all Editor ✅ Can read all ✅ Can create ✅ Can update all ❌ Cannot delete Author ✅ Can read own ✅ Can create ✅ Can update own ✅ Can delete own Guest ❌ Cannot read ❌ Cannot create ❌ Cannot update ❌ Cannot delete See more Payload CMS content on my Youtube Channel CLICK HERE
A quick overview / cheat sheet for the access control functions in the Payload CMS 3 structure, which allows defining rules for read, create, update, and delete operations using dynamic conditions.
Payload is the open-source, fullstack Next.js framework, giving you instant backend superpowers. Get a full TypeScript backend and admin panel instantly. Use Payload as a headless CMS or for building powerful applications.
TLDR
User Collection
import { CollectionConfig } from 'payload/types';
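/**
 * `users` auth collection.
 *
 * Roles are `admin`, `editor` and `author`. Collection-level access is
 * admin-only except for `update`, where a user may also edit their own
 * record. Because of that self-update path, the `role` field carries its own
 * field-level access so a non-admin cannot promote themselves.
 */
const Users: CollectionConfig = {
  slug: 'users', // The collection slug
  auth: true, // Enable authentication (login functionality)
  fields: [
    {
      name: 'email',
      type: 'email', // User email address
      required: true,
      unique: true, // Ensure that email addresses are unique
    },
    {
      name: 'password',
      type: 'password', // User password field
      required: true,
    },
    {
      name: 'role',
      type: 'select',
      options: ['admin', 'editor', 'author'], // Define the available roles
      defaultValue: 'author', // Default role is 'author'
      required: true,
      // Collection-level `update` lets users edit their own document, so
      // without this guard a user could send `role: 'admin'` for their own
      // record. Only admins may set or change a role; for anyone else Payload
      // omits the field from the write rather than rejecting the request.
      access: {
        create: ({ req }) => req.user?.role === 'admin',
        update: ({ req }) => req.user?.role === 'admin',
      },
    },
    {
      name: 'firstName',
      type: 'text', // User's first name
      required: true,
    },
    {
      name: 'lastName',
      type: 'text', // User's last name
      required: true,
    },
  ],
  access: {
    // Collection-level access functions receive `{ req, id, data }`; `doc` is
    // only passed to field-level access, so the self-check below uses `id`.
    // Access control for reading users (admin only)
    read: ({ req }) => req.user?.role === 'admin',
    // Only admin can create a user
    create: ({ req }) => req.user?.role === 'admin',
    // Admins, or the user editing their own record. `id` is the document
    // being updated; when it is absent (e.g. a bulk update) only admins pass.
    // Ids are compared as strings so a numeric primary key and a string
    // route parameter still match.
    update: ({ req, id }) => {
      if (!req.user) return false;
      if (req.user.role === 'admin') return true;
      return id != null && String(req.user.id) === String(id);
    },
    // Only admins can delete a user
    delete: ({ req }) => req.user?.role === 'admin',
  },
};
export default Users;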
Notes Collection
import { CollectionConfig } from 'payload/types';
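/**
 * `notes` collection.
 *
 * Collection-level access functions receive `{ req, id, data }`, not `doc`,
 * so an ownership rule cannot be written as `req.user.id === doc.owner`.
 * Instead the author branches return a Where query, which Payload applies
 * as a database constraint: single-document operations on someone else's
 * note are denied and list queries only return the author's own notes.
 */
const Notes: CollectionConfig = {
  slug: 'notes',
  fields: [
    {
      name: 'owner',
      type: 'relationship', // Links the note to a user (owner)
      relationTo: 'users', // Relates to the 'users' collection
      required: true, // Ensures every note has an owner
      // `owner` arrives in the request body, so it is client-controlled.
      // Only admins and editors may reassign a note; an author's attempt to
      // hand a note to another user is dropped from the write. On create the
      // value is still client-supplied — pin it to `req.user.id` server-side
      // (e.g. in a beforeChange hook) if that matters for your deployment.
      access: {
        update: ({ req }) => req.user?.role === 'admin' || req.user?.role === 'editor',
      },
    },
  ],
  access: {
    /**
     * Read Access:
     * - Admins can read all notes.
     * - Editors can read all notes.
     * - Authors can only read their own notes (owner constraint).
     * - Not logged in: denied.
     */
    read: ({ req }) => {
      if (!req.user) return false; // If no user is logged in, deny access
      if (req.user.role === 'admin' || req.user.role === 'editor') return true;
      return { owner: { equals: req.user.id } };
    },
    /**
     * Create Access:
     * - Admins, Editors, and Authors can create notes.
     * - Not logged in (or an unknown role): denied.
     */
    create: ({ req }) => {
      const role = req.user?.role;
      return role === 'admin' || role === 'editor' || role === 'author';
    },
    /**
     * Update Access:
     * - Admins can update all notes.
     * - Editors can update all notes.
     * - Authors can only update their own notes (owner constraint).
     */
    update: ({ req }) => {
      if (!req.user) return false;
      if (req.user.role === 'admin' || req.user.role === 'editor') return true;
      return { owner: { equals: req.user.id } };
    },
    /**
     * Delete Access:
     * - Admins can delete all notes.
     * - Authors can delete their own notes (owner constraint).
     * - Editors CANNOT delete any notes.
     */
    delete: ({ req }) => {
      if (!req.user) return false;
      if (req.user.role === 'admin') return true;
      if (req.user.role === 'editor') return false; // editors never delete
      return { owner: { equals: req.user.id } };
    },
  },
};
export default Notes;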
Access Control for Notes Collection in Payload CMS 3
Explanation
- Admins: Have full control over all notes.
- Editors: Can read and update all notes but cannot delete.
- Authors: Can only access their own notes (read, create, update, and delete).
- Guests (not logged in): Have no access.
Role | Read Notes | Create Notes | Update Notes | Delete Notes |
---|---|---|---|---|
Admin | ✅ Can read all | ✅ Can create | ✅ Can update all | ✅ Can delete all |
Editor | ✅ Can read all | ✅ Can create | ✅ Can update all | ❌ Cannot delete |
Author | ✅ Can read own | ✅ Can create | ✅ Can update own | ✅ Can delete own |
Guest | ❌ Cannot read | ❌ Cannot create | ❌ Cannot update | ❌ Cannot delete |