fix(next): admin access control (#5887)

test/access-control/config.ts

@@ -8,6 +8,7 @@ import {
   firstArrayText,
   hiddenAccessSlug,
   hiddenFieldsSlug,
+  noAdminAccessEmail,
   readOnlySlug,
   relyOnRequestHeadersSlug,
   restrictedSlug,
@@ -41,6 +42,7 @@ const UseRequestHeadersAccess: FieldAccess = ({ req: { headers } }) => {
 export default buildConfigWithDefaults({
   admin: {
     user: 'users',
+    autoLogin: false,
   },
   globals: [
     {
@@ -76,12 +78,17 @@ export default buildConfigWithDefaults({
       slug: 'users',
       auth: true,
       access: {
-        // admin: () => true,
-        admin: async () =>
-          new Promise((resolve) => {
+        // admin:  () => true,
+        admin: async ({ req }) => {
+          if (req.user?.email === noAdminAccessEmail) {
+            return false
+          }
+
+          return new Promise((resolve) => {
             // Simulate a request to an external service to determine access, i.e. another instance of Payload
             setTimeout(resolve, 50, true) // set to 'true' or 'false' here to simulate the response
-          }),
+          })
+        },
       },
       fields: [
         {
@@ -431,6 +438,14 @@ export default buildConfigWithDefaults({
       },
     })
 
+    await payload.create({
+      collection: 'users',
+      data: {
+        email: noAdminAccessEmail,
+        password: 'test',
+      },
+    })
+
     await payload.create({
       collection: slug,
       data: {

test/access-control/e2e.spec.ts

@@ -1,8 +1,10 @@
 import type { Page } from '@playwright/test'
-import type { Payload, TypeWithID } from 'payload/types'
+import type { TypeWithID } from 'payload/types'
 
 import { expect, test } from '@playwright/test'
+import { devUser } from 'credentials.js'
 import path from 'path'
+import { wait } from 'payload/utilities'
 import { fileURLToPath } from 'url'
 
 import type { PayloadTestSDK } from '../helpers/sdk/index.js'
@@ -13,6 +15,7 @@ import {
   ensureAutoLoginAndCompilationIsDone,
   exactText,
   initPageConsoleErrorCatch,
+  login,
   openDocControls,
   openNav,
   saveDocAndAssert,
@@ -22,6 +25,7 @@ import { initPayloadE2ENoConfig } from '../helpers/initPayloadE2ENoConfig.js'
 import { POLL_TOPASS_TIMEOUT } from '../playwright.config.js'
 import {
   docLevelAccessSlug,
+  noAdminAccessEmail,
   readOnlySlug,
   restrictedSlug,
   restrictedVersionsSlug,
@@ -61,7 +65,8 @@ describe('access control', () => {
     const context = await browser.newContext()
     page = await context.newPage()
     initPageConsoleErrorCatch(page)
-    await ensureAutoLoginAndCompilationIsDone({ page, serverURL })
+
+    await login({ page, serverURL })
   })
 
   test('field without read access should not show', async () => {
@@ -328,6 +333,28 @@ describe('access control', () => {
     // ensure user is allowed to edit this document
     await expect(documentDrawer2.locator('#field-name')).toBeEnabled()
   })
+
+  test('should completely block admin access', async () => {
+    const adminURL = `${serverURL}/admin`
+    await page.goto(adminURL)
+    await page.waitForURL(adminURL)
+
+    await expect(page.locator('.dashboard')).toBeVisible()
+
+    await page.goto(`${serverURL}/admin/logout`)
+    await page.waitForURL(`${serverURL}/admin/logout`)
+
+    await login({
+      page,
+      serverURL,
+      data: {
+        email: noAdminAccessEmail,
+        password: 'test',
+      },
+    })
+
+    await expect(page.locator('.next-error-h1')).toBeVisible()
+  })
 })
 
 // eslint-disable-next-line @typescript-eslint/require-await

test/access-control/shared.ts

@@ -14,3 +14,5 @@ export const docLevelAccessSlug = 'doc-level-access'
 export const hiddenFieldsSlug = 'hidden-fields'
 
 export const hiddenAccessSlug = 'hidden-access'
+
+export const noAdminAccessEmail = 'no-admin-access@payloadcms.com'