Join Field Forbids Default Access Control from Related Collections #9974

Closed
davliang opened this issue Dec 14, 2024 · 6 comments

davliang commented Dec 14, 2024

Describe the Bug

Related to #9930. Fixed by #9971.

Fetching a document in the admin panel with a join field with default access will result in a doc undefined on the client-side and Forbidden in the console logs on the client side and server side.

Link to the code that reproduces this issue

https://github.com/davliang/payload/tree/issue/join-permissions

Reproduction Steps

  1. Run pnpm install to install dependencies
  2. Run pnpm dev _community to start the admin panel
  3. Go to http://localhost:3000/admin
  4. Create a new All Posts (Just click save in the form.)

Which area(s) are affected? (Select all that apply)

area: docs, area: ui

Environment Info

Payload: 3.7.0
Node.js: 22.6.0
Next.js: 15.1.0
@akhrarovsaid
Contributor

If I'm not mistaken here I believe this will be fixed by #9971 and the issue was not passing a user while overrideAccess is set to false to prevent users from reading data they technically shouldn't have access to.

@davliang
Author

> If I'm not mistaken here I believe this will be fixed by #9971 and the issue was not passing a user while overrideAccess is set to false to prevent users from reading data they technically shouldn't have access to.

You're right, patching it works correctly now. I should have looked closer at the previous pull requests. Thank you!

@DanRibbens DanRibbens self-assigned this Dec 14, 2024
@DanRibbens DanRibbens removed the status: needs-triage Possible bug which hasn't been reproduced yet label Dec 14, 2024
@DanRibbens
Contributor

Thanks for opening an issue. I caught this one too late yesterday to get it into the release.

I also found that join field e2e tests were not running in CI which would have caught this. Now it is included and passing https://github.com/payloadcms/payload/actions/runs/12330014124/job/34415043646?pr=9971 as expected.

@tyteen4a03
Contributor

Can confirm - will have to downgrade to 3.6.0 while this is fixed.

DanRibbens added a commit that referenced this issue Dec 14, 2024
In PR #9930 we added `overrideAccess: false` to the find operation and
failed to pass the user. This caused
#9974 where any access
control causes the edit view to error.

The fix was to pass the user through.

This change also adds Join Field e2e tests to the CI pipeline which was
previously missing and would have caught the error.
@DanRibbens
Contributor

Closing this issue, we'll get it out soon!

This issue has been automatically locked.
Please open a new issue if this issue persists with any additional detail.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 16, 2024
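
The failure mode described in the commit message above, as an added example that is not part of the thread or of Payload's source: a simplified TypeScript model in which every type, function (`find`, `joinWithoutUser`, `joinWithUser`, `outcome`) and sample document is constructed for illustration. It assumes the related collection defines no access functions, so the default rule (a logged-in user is required) applies.

```typescript
// Simplified model of the regression; every type and function here is an assumption, not Payload's source.
type User = { id: string };
type Access = (args: { req: { user: User | undefined } }) => boolean;
type Doc = Record<string, unknown>;
type Collection = { slug: string; access?: { read?: Access }; docs: Doc[] };
type FindArgs = { collection: Collection; overrideAccess?: boolean; user?: User | undefined; where?: (d: Doc) => boolean };

// With no access function configured, access is granted only to a logged-in user.
const defaultAccess: Access = ({ req }) => Boolean(req.user);

// Local-API-style find: access control runs only when overrideAccess is false,
// and it is evaluated against the user passed in, not against any ambient session.
function find({ collection, overrideAccess = true, user, where = () => true }: FindArgs): Doc[] {
  if (!overrideAccess) {
    const read = collection.access?.read ?? defaultAccess;
    if (!read({ req: { user } })) throw new Error("Forbidden");
  }
  return collection.docs.filter(where);
}

// Constructed sample data: a related collection that relies on default access.
const posts: Collection = {
  slug: "posts",
  docs: [{ id: "p1", category: "c1" }, { id: "p2", category: "c2" }],
};

// Before the fix: access is enforced but the user is dropped, so even a logged-in editor is refused.
function joinWithoutUser(parentId: string, _user?: User): Doc[] {
  return find({ collection: posts, overrideAccess: false, where: (d) => d.category === parentId });
}

// After the fix: access is still enforced, now evaluated against the requesting user.
function joinWithUser(parentId: string, user?: User): Doc[] {
  return find({ collection: posts, overrideAccess: false, user, where: (d) => d.category === parentId });
}

// Reporting helper: number of joined docs, or the error message if the lookup was refused.
function outcome(fn: () => Doc[]): number | string {
  try { return fn().length; }
  catch (e) { return e instanceof Error ? e.message : "error"; }
}

const editor: User = { id: "u1" };
console.log("user dropped:   ", outcome(() => joinWithoutUser("c1", editor)));
console.log("user forwarded: ", outcome(() => joinWithUser("c1", editor)));
console.log("anonymous:      ", outcome(() => joinWithUser("c1", undefined)));
```

Forwarding the user restores the edit view for logged-in users while anonymous requests are still refused, which is why the fix keeps `overrideAccess: false` rather than removing it.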