fix: #2592, allows usage of hidden fields within access query constraints (#2599)

Co-authored-by: Dan Ribbens <dan.ribbens@gmail.com>
2023-05-01 17:15:14 -04:00
parent 870838e756
commit a0bb13a412
18 changed files with 262 additions and 325 deletions
--- a/test/access-control/config.ts
+++ b/test/access-control/config.ts
@@ -15,6 +15,8 @@ export const relyOnRequestHeadersSlug = 'rely-on-request-headers';
 export const docLevelAccessSlug = 'doc-level-access';
 export const hiddenFieldsSlug = 'hidden-fields';

+export const hiddenAccessSlug = 'hidden-access';
+
 const openAccess = {
  create: () => true,
  read: () => true,
@@ -187,9 +189,31 @@ export default buildConfig({
          name: 'name',
          type: 'text',
        },
+        {
+          name: 'hidden',
+          type: 'checkbox',
+          hidden: true,
+        },
      ],
      access: {
-        readVersions: () => false,
+        read: ({ req: { user } }) => {
+          if (user) return true;
+
+          return {
+            hidden: {
+              not_equals: true,
+            },
+          };
+        },
+        readVersions: ({ req: { user } }) => {
+          if (user) return true;
+
+          return {
+            'version.hidden': {
+              not_equals: true,
+            },
+          };
+        },
      },
    },
    {
@@ -320,6 +344,37 @@ export default buildConfig({
            },
          ],
        },
+        {
+          name: 'hidden',
+          type: 'checkbox',
+          hidden: true,
+        },
+      ],
+    },
+    {
+      slug: hiddenAccessSlug,
+      access: {
+        read: ({ req: { user } }) => {
+          if (user) return true;
+
+          return {
+            hidden: {
+              not_equals: true,
+            },
+          };
+        },
+      },
+      fields: [
+        {
+          name: 'title',
+          type: 'text',
+          required: true,
+        },
+        {
+          name: 'hidden',
+          type: 'checkbox',
+          hidden: true,
+        },
      ],
    },
  ],
--- a/test/access-control/int.spec.ts
+++ b/test/access-control/int.spec.ts
@@ -3,8 +3,17 @@ import payload from '../../src';
 import { Forbidden } from '../../src/errors';
 import type { PayloadRequest } from '../../src/types';
 import { initPayloadTest } from '../helpers/configHelpers';
-import { hiddenFieldsSlug, relyOnRequestHeadersSlug, requestHeaders, restrictedSlug, siblingDataSlug, slug } from './config';
-import type { Restricted, Post, RelyOnRequestHeader } from './payload-types';
+import {
+  hiddenAccessSlug,
+  hiddenFieldsSlug,
+  relyOnRequestHeadersSlug,
+  requestHeaders,
+  restrictedSlug,
+  restrictedVersionsSlug,
+  siblingDataSlug,
+  slug,
+} from './config';
+import type { Post, RelyOnRequestHeader, Restricted } from './payload-types';
 import { firstArrayText, secondArrayText } from './shared';

 describe('Access Control', () => {
@@ -359,6 +368,59 @@ describe('Access Control', () => {
      });
    });
  });
+
+  describe('Querying', () => {
+    it('should respect query constraint using hidden field', async () => {
+      await payload.create({
+        collection: hiddenAccessSlug,
+        data: {
+          title: 'hello',
+        },
+      });
+
+      await payload.create({
+        collection: hiddenAccessSlug,
+        data: {
+          title: 'hello',
+          hidden: true,
+        },
+      });
+
+      const { docs } = await payload.find({
+        collection: hiddenAccessSlug,
+        overrideAccess: false,
+      });
+
+      expect(docs).toHaveLength(1);
+    });
+
+    it('should respect query constraint using hidden field on versions', async () => {
+      await payload.create({
+        collection: restrictedVersionsSlug,
+        data: {
+          name: 'match',
+          hidden: true,
+        },
+      });
+
+      await payload.create({
+        collection: restrictedVersionsSlug,
+        data: {
+          name: 'match',
+          hidden: false,
+        },
+      });
+      const { docs } = await payload.findVersions({
+        where: {
+          'version.name': { equals: 'match' },
+        },
+        collection: restrictedVersionsSlug,
+        overrideAccess: false,
+      });
+
+      expect(docs).toHaveLength(1);
+    });
+  });
 });

 async function createDoc<Collection>(data: Partial<Collection>, overrideSlug = slug, options?: Partial<Collection>): Promise<Collection> {