feat: sanitise access endpoint (#7335)

Puts the `/api/access` endpoint behind authentication and sanitizes
its result, making the response more secure and significantly smaller. To do this:

1. The `permission` keyword is completely omitted from the result
2. Only _truthy_ access results are returned
3. All nested permissions are consolidated when possible

---------

Co-authored-by: Dan Ribbens <dan.ribbens@gmail.com>
Co-authored-by: Jacob Fletcher <jacobsfletch@gmail.com>
Co-authored-by: James <james@trbl.design>
Paul
2024-11-15 14:08:06 -06:00
committed by GitHub
parent 0b9d5a5ae4
commit 26ffbca914
72 changed files with 998 additions and 228 deletions


@@ -1,5 +1,5 @@
'use client'
import type { ArrayField, ClientField, FieldPermissions, Row } from 'payload'
import type { ArrayField, ClientField, Row, SanitizedFieldPermissions } from 'payload'
import { getTranslation } from '@payloadcms/translations'
import React from 'react'
@@ -30,7 +30,7 @@ type ArrayRowProps = {
readonly moveRow: (fromIndex: number, toIndex: number) => void
readonly parentPath: string
readonly path: string
readonly permissions: FieldPermissions
readonly permissions: SanitizedFieldPermissions
readonly readOnly?: boolean
readonly removeRow: (rowIndex: number) => void
readonly row: Row
@@ -144,7 +144,7 @@ export const ArrayRow: React.FC<ArrayRowProps> = ({
parentIndexPath=""
parentPath={path}
parentSchemaPath={schemaPath}
permissions={permissions?.fields}
permissions={permissions === true ? permissions : permissions?.fields}
readOnly={readOnly}
/>
</Collapsible>
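Review bot: In the last hunk, `permissions === true ? permissions : permissions?.fields` forwards `undefined` to the nested fields whenever the sanitized object has no `fields` key, and under the commit's "only truthy access results are returned" rule that case now appears to mean "access denied" rather than "not provided". The component that receives this prop is outside the hunk, so it is worth confirming that it treats `undefined` as deny (fails closed) rather than rendering the nested fields as editable. I would add a comment above the prop, for example `// true = consolidated full access to all nested fields; a missing entry means denied, not unknown`. Because this is a `'use client'` component, the check only shapes the UI, so the same field-level access must still be enforced on the server. The `ArrayRow` body starts and ends outside the hunk.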