Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Feature request]: Add support for roles field access configuration #82

Open
joshuaja opened this issue Feb 20, 2024 · 2 comments
Open

[Feature request]: Add support for roles field access configuration #82

joshuaja opened this issue Feb 20, 2024 · 2 comments
Labels
enhancement New feature or request

Comments

@joshuaja
Copy link

joshuaja commented Feb 20, 2024
edited
Loading

Package name

payload-rbac

Description

I need to prevent a user from changing their own user Roles and am currently doing this via the Collection-level access configuration on the User collection.

Field-level access configurations solve for this - inaccessible fields are grayed out in the Payload Admin view and it skips adding the field in the request body.

Without field-level access control, the user gets an error when trying to save their user record within the User edit screen (because Payload is adding the roles field to the request body even though it hasn't been changed in the UI), so they are never able to update their user in the Payload Admin view due to this.

If you do try to add a roles field to the Collection, you get this error: Unable to enable payload-rbac on collection ${collection.slug}: collection already has a 'roles' field!.

We need the ability to gray out the Roles select control on the Admin edit screen (via supporting Field-level access configuration).

Is there a way to merge the roles field configuration from the collection into the payload-rbac roles configuration so it can leverage the access field property?

image
@joshuaja joshuaja added the enhancement New feature or request label Feb 20, 2024
@joshuaja joshuaja changed the title [Feature request]: Add support for field access configuration [Feature request]: Add support for roles field access configuration Feb 20, 2024
@ndcollins
Copy link

@teunmooij related to this would also be great if, as part of this configuration, we could specify hasMany on this field, similar to relationships, such that if we only want the user to be assigned a single role rather than many, we can do so.

@abernh
Copy link

abernh commented Sep 20, 2024
edited
Loading

My current workaround is to re-enhance the config after it was passed through the rbac plugin.
Crude but works.

export const pluginRbac = rbacWithRolesAccess({
    collections: ['users'],
    roles: ['admin', 'editor'],
    fieldAccess: {
        create: ({req: {user}}) => user?.roles.includes('admin'),
        update: ({req: {user}}) => user?.roles.includes('admin'),
    }
})


function rbacWithRolesAccess(options: Options & { access: Record<string, FieldAccess> }): (config: Config) => Config {
    return (incomingConfig) => {

        const config: Config = rbac(options)(incomingConfig)

        if (options.fieldAccess) {
            config.collections.forEach(col => {
                if (!options.collections.includes(col.slug))
                    return;

                const rolesField: Field | null = col.fields.find(f => f.name === 'roles')
                if (!rolesField)
                    return

                rolesField.access = {
                    ...options.fieldAccess
                }
            })
        }

        return config
    }
}

// payload.config

{
    ...
    plugins: [
         pluginRbac
    ]
    ...
}

This was just a quick copy paste ... hope I didn't miss anything ... if so, I guess you still get the gist.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@ndcollins @abernh @joshuaja