fix: blocks non-admin users from admin access (#6127)
@@ -17,7 +17,7 @@ export async function getAccessResults({ req }: GetAccessResultsArgs): Promise<P
|
||||
? payload.config.collections.find((collection) => collection.slug === user.collection)
|
||||
: null
|
||||
|
||||
if (userCollectionConfig) {
|
||||
if (userCollectionConfig && payload.config.admin.user === user.collection) {
|
||||
results.canAccessAdmin = userCollectionConfig.access.admin
|
||||
? await userCollectionConfig.access.admin({ req })
|
||||
: isLoggedIn
|
||||
|
||||
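Review bot: The new guard `if (userCollectionConfig && payload.config.admin.user === user.collection) {` only assigns `results.canAccessAdmin` when the user belongs to the configured admin collection, so the deny outcome for every other auth-enabled collection rests on whatever `results` was initialized to before this hunk, which is not visible here. Making the deny path explicit keeps it fail-closed even if that initializer changes later: add `} else { results.canAccessAdmin = false }` after the existing assignment, unless callers distinguish `undefined` from `false`. A short comment on the guard would also help the next reader, e.g. `// Only users of the collection configured as admin.user may reach the admin UI; other auth collections are denied and their own access.admin hook is never consulted`. getAccessResults starts before and ends after this hunk.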
@@ -10,6 +10,8 @@ import {
|
||||
hiddenAccessSlug,
|
||||
hiddenFieldsSlug,
|
||||
noAdminAccessEmail,
|
||||
nonAdminUserEmail,
|
||||
nonAdminUserSlug,
|
||||
readOnlyGlobalSlug,
|
||||
readOnlySlug,
|
||||
relyOnRequestHeadersSlug,
|
||||
@@ -122,6 +124,11 @@ export default buildConfigWithDefaults({
|
||||
},
|
||||
],
|
||||
},
|
||||
{
|
||||
slug: nonAdminUserSlug,
|
||||
auth: true,
|
||||
fields: [],
|
||||
},
|
||||
{
|
||||
slug,
|
||||
access: {
|
||||
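Review bot: The new `nonAdminUserSlug` collection has no comment explaining why a second auth-enabled collection is added next to the admin user collection, and `auth: true` with `fields: []` and no `access` block reads like an unfinished stub rather than a deliberate fixture. A one-line comment above `slug: nonAdminUserSlug,` such as `// Auth-enabled collection that is not config.admin.user: its users can authenticate but must be refused the admin UI` would tie the fixture to the behavior it exercises. The buildConfigWithDefaults argument object starts before and ends after this hunk.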
@@ -487,6 +494,14 @@ export default buildConfigWithDefaults({
|
||||
},
|
||||
})
|
||||
|
||||
await payload.create({
|
||||
collection: nonAdminUserSlug,
|
||||
data: {
|
||||
email: nonAdminUserEmail,
|
||||
password: 'test',
|
||||
},
|
||||
})
|
||||
|
||||
await payload.create({
|
||||
collection: slug,
|
||||
data: {
|
||||
|
||||
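Review bot: The seeded non-admin user is created with the literal `password: 'test'`, while the e2e test elsewhere in this commit logs the same user in with `devUser.password`; if those two values ever differ, `payload.login` rejects and the admin-access test fails before it reaches its assertion. Sharing the credential removes that coupling: export a `nonAdminUserPassword` constant from the shared constants file next to `nonAdminUserEmail`, and use it in both the seed (`password: nonAdminUserPassword,`) and the test. The surrounding seeding function starts before and ends after this hunk.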
@@ -26,6 +26,8 @@ import { POLL_TOPASS_TIMEOUT } from '../playwright.config.js'
|
||||
import {
|
||||
docLevelAccessSlug,
|
||||
noAdminAccessEmail,
|
||||
nonAdminUserEmail,
|
||||
nonAdminUserSlug,
|
||||
readOnlyGlobalSlug,
|
||||
readOnlySlug,
|
||||
restrictedSlug,
|
||||
@@ -55,6 +57,7 @@ describe('access control', () => {
|
||||
let readOnlyGlobalUrl: AdminUrlUtil
|
||||
let restrictedVersionsUrl: AdminUrlUtil
|
||||
let serverURL: string
|
||||
let context: BrowserContext
|
||||
|
||||
beforeAll(async ({ browser }) => {
|
||||
;({ payload, serverURL } = await initPayloadE2ENoConfig<Config>({ dirname }))
|
||||
@@ -65,7 +68,7 @@ describe('access control', () => {
|
||||
readOnlyGlobalUrl = new AdminUrlUtil(serverURL, readOnlySlug)
|
||||
restrictedVersionsUrl = new AdminUrlUtil(serverURL, restrictedVersionsSlug)
|
||||
|
||||
const context = await browser.newContext()
|
||||
context = await browser.newContext()
|
||||
page = await context.newPage()
|
||||
initPageConsoleErrorCatch(page)
|
||||
|
||||
@@ -340,7 +343,7 @@ describe('access control', () => {
|
||||
await expect(documentDrawer2.locator('#field-name')).toBeEnabled()
|
||||
})
|
||||
|
||||
test('should completely block admin access', async () => {
|
||||
test('should block admin access to admin user', async () => {
|
||||
const adminURL = `${serverURL}/admin`
|
||||
await page.goto(adminURL)
|
||||
await page.waitForURL(adminURL)
|
||||
@@ -360,6 +363,51 @@ describe('access control', () => {
|
||||
})
|
||||
|
||||
await expect(page.locator('.next-error-h1')).toBeVisible()
|
||||
|
||||
await page.goto(`${serverURL}/admin/logout`)
|
||||
await page.waitForURL(`${serverURL}/admin/logout`)
|
||||
|
||||
// Log back in for the next test
|
||||
await login({
|
||||
page,
|
||||
serverURL,
|
||||
data: {
|
||||
email: devUser.email,
|
||||
password: devUser.password,
|
||||
},
|
||||
})
|
||||
})
|
||||
|
||||
test('should block admin access to non-admin user', async () => {
|
||||
const adminURL = `${serverURL}/admin`
|
||||
await page.goto(adminURL)
|
||||
await page.waitForURL(adminURL)
|
||||
|
||||
await expect(page.locator('.dashboard')).toBeVisible()
|
||||
|
||||
await page.goto(`${serverURL}/admin/logout`)
|
||||
await page.waitForURL(`${serverURL}/admin/logout`)
|
||||
|
||||
const nonAdminUser = await payload.login({
|
||||
collection: nonAdminUserSlug,
|
||||
data: {
|
||||
email: nonAdminUserEmail,
|
||||
password: devUser.password,
|
||||
},
|
||||
})
|
||||
|
||||
context.addCookies([
|
||||
{
|
||||
name: 'payload-token',
|
||||
value: nonAdminUser.token,
|
||||
url: serverURL,
|
||||
},
|
||||
])
|
||||
|
||||
await page.goto(adminURL)
|
||||
await page.waitForURL(adminURL)
|
||||
|
||||
await expect(page.locator('.next-error-h1')).toBeVisible()
|
||||
})
|
||||
})
|
||||
|
||||
|
||||
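Review bot: `context.addCookies([` is not awaited, but Playwright's `BrowserContext.addCookies` returns a promise, so the following `page.goto(adminURL)` can be issued before the `payload-token` cookie is installed and the assertion on `.next-error-h1` then depends on timing rather than on access control; change it to `await context.addCookies([`. The login in this test uses `devUser.password`, while the seed for this user in the same commit uses a literal password, so the two should be kept in sync through a single shared constant rather than relying on them coincidentally matching. The test also ends with the context still holding the non-admin token; it is the last test in the describe block, so that is harmless today, but an `await context.clearCookies()` at the end would stop a future test from inheriting the wrong identity.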
@@ -17,3 +17,7 @@ export const hiddenAccessSlug = 'hidden-access'
|
||||
export const hiddenAccessCountSlug = 'hidden-access-count'
|
||||
|
||||
export const noAdminAccessEmail = 'no-admin-access@payloadcms.com'
|
||||
|
||||
export const nonAdminUserEmail = 'non-admin-user@payloadcms.com'
|
||||
|
||||
export const nonAdminUserSlug = 'non-admin-user'
|
||||
|
||||
@@ -37,7 +37,7 @@
|
||||
],
|
||||
"paths": {
|
||||
"@payload-config": [
|
||||
"./test/_community/config.ts"
|
||||
"./test/access-control/config.ts"
|
||||
],
|
||||
"@payloadcms/live-preview": [
|
||||
"./packages/live-preview/src"
|
||||
|
||||
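Review bot: The `@payload-config` path alias in tsconfig.json changes between `./test/_community/config.ts` and `./test/access-control/config.ts`, which looks like a local development switch committed by accident rather than part of the access-control fix. The whole repository resolves `@payload-config` through this alias, so unless the change is intentional the entry should be restored to `"./test/_community/config.ts"`; if it is intentional, the commit description should say why.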