chore: adds testing coverage for document drawer access control

test/access-control/config.ts

@@ -1,11 +1,13 @@
 import { devUser } from '../credentials';
 import { buildConfig } from '../buildConfig';
 import { FieldAccess } from '../../src/fields/config/types';
-import { SiblingDatum } from './payload-types';
 import { firstArrayText, secondArrayText } from './shared';
 
 export const slug = 'posts';
+export const unrestrictedSlug = 'unrestricted';
 export const readOnlySlug = 'read-only-collection';
+
+export const userRestrictedSlug = 'user-restricted';
 export const restrictedSlug = 'restricted';
 export const restrictedVersionsSlug = 'restricted-versions';
 export const siblingDataSlug = 'sibling-data';
@@ -110,6 +112,21 @@ export default buildConfig({
         },
       ],
     },
+    {
+      slug: unrestrictedSlug,
+      fields: [
+        {
+          name: 'name',
+          type: 'text',
+        },
+        {
+          name: 'userRestrictedDocs',
+          type: 'relationship',
+          relationTo: userRestrictedSlug,
+          hasMany: true,
+        },
+      ],
+    },
     {
       slug: restrictedSlug,
       fields: [
@@ -140,6 +157,28 @@ export default buildConfig({
         delete: () => false,
       },
     },
+    {
+      slug: userRestrictedSlug,
+      admin: {
+        useAsTitle: 'name',
+      },
+      fields: [
+        {
+          name: 'name',
+          type: 'text',
+        },
+      ],
+      access: {
+        create: () => true,
+        read: () => true,
+        update: ({ req }) => ({
+          name: {
+            equals: req.user?.email,
+          },
+        }),
+        delete: () => false,
+      },
+    },
     {
       slug: restrictedVersionsSlug,
       versions: true,
@@ -314,7 +353,7 @@ export default buildConfig({
       },
     });
 
-    await payload.create<SiblingDatum>({
+    await payload.create({
       collection: siblingDataSlug,
       data: {
         array: [

test/access-control/e2e.spec.ts

@@ -4,8 +4,9 @@ import payload from '../../src';
 import { AdminUrlUtil } from '../helpers/adminUrlUtil';
 import { initPayloadE2E } from '../helpers/configHelpers';
 import { login } from '../helpers';
-import { restrictedVersionsSlug, readOnlySlug, restrictedSlug, slug, docLevelAccessSlug } from './config';
+import { restrictedVersionsSlug, readOnlySlug, restrictedSlug, slug, docLevelAccessSlug, unrestrictedSlug } from './config';
 import type { ReadOnlyCollection, RestrictedVersion } from './payload-types';
+import wait from '../../src/utilities/wait';
 
 /**
  * TODO: Access Control
@@ -183,7 +184,7 @@ describe('access control', () => {
     beforeAll(async () => {
       docLevelAccessURL = new AdminUrlUtil(serverURL, docLevelAccessSlug);
 
-      existingDoc = await payload.create<any>({
+      existingDoc = await payload.create({
         collection: docLevelAccessSlug,
         data: {
           approvedTitle: 'Title',
@@ -215,6 +216,44 @@ describe('access control', () => {
       await expect(deleteAction).toContainText('Delete');
     });
   });
+
+  test('maintain access control in document drawer', async () => {
+    const unrestrictedDoc = await payload.create({
+      collection: unrestrictedSlug,
+      data: {
+        name: 'unrestricted-123',
+      },
+    });
+
+    // navigate to the `unrestricted` document and open the drawers to test access
+    const unrestrictedURL = new AdminUrlUtil(serverURL, unrestrictedSlug);
+    await page.goto(unrestrictedURL.edit(unrestrictedDoc.id));
+
+    const button = await page.locator('#userRestrictedDocs-add-new button.relationship-add-new__add-button.doc-drawer__toggler');
+    await button.click();
+    const documentDrawer = await page.locator('[id^=doc-drawer_user-restricted_1_]');
+    await expect(documentDrawer).toBeVisible();
+    await documentDrawer.locator('#field-name').fill('anonymous@email.com');
+    await documentDrawer.locator('#action-save').click();
+    await wait(200);
+    await expect(page.locator('.Toastify')).toContainText('successfully');
+
+    // ensure user is not allowed to edit this document
+    await expect(await documentDrawer.locator('#field-name')).toBeDisabled();
+    await documentDrawer.locator('button.doc-drawer__header-close').click();
+    await wait(200);
+
+    await button.click();
+    const documentDrawer2 = await page.locator('[id^=doc-drawer_user-restricted_1_]');
+    await expect(documentDrawer2).toBeVisible();
+    await documentDrawer2.locator('#field-name').fill('dev@payloadcms.com');
+    await documentDrawer2.locator('#action-save').click();
+    await wait(200);
+    await expect(page.locator('.Toastify')).toContainText('successfully');
+
+    // ensure user is allowed to edit this document
+    await expect(await documentDrawer2.locator('#field-name')).toBeEnabled();
+  });
 });
 
 async function createDoc(data: any): Promise<{ id: string }> {