From cab7ba4a8aae9c806bf64fb2b23bb2ec95534e60 Mon Sep 17 00:00:00 2001
From: Sean Zubrickas
Date: Wed, 16 Jul 2025 12:36:32 -0700
Subject: [PATCH] =?UTF-8?q?fix:=20Enhances=20field-level=20access=20contro?=
 =?UTF-8?q?ls=20on=20Users=20collection=20to=20address=20s=E2=80=A6=20(#13?=
 =?UTF-8?q?197)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Enhance field-level access controls on Users collection to address security concerns
- Restricted read/update access on `email` field to admins and the user themselves
- Locked down `roles` field so only admins can create, read, or update it
---
 examples/auth/src/collections/Users.ts | 35 ++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)

diff --git a/examples/auth/src/collections/Users.ts b/examples/auth/src/collections/Users.ts
index 67f00ebdd4..a0f9d334a0 100644
--- a/examples/auth/src/collections/Users.ts
+++ b/examples/auth/src/collections/Users.ts
@@ -6,6 +6,8 @@ import { anyone } from './access/anyone'
 import { checkRole } from './access/checkRole'
 import { loginAfterCreate } from './hooks/loginAfterCreate'
 import { protectRoles } from './hooks/protectRoles'
+import { access } from 'fs'
+import { create } from 'domain'
 
 export const Users: CollectionConfig = {
 slug: 'users',
@@ -32,6 +34,34 @@ export const Users: CollectionConfig = {
 afterChange: [loginAfterCreate],
 },
 fields: [
+ {
+ name: 'email',
+ type: 'email',
+ required: true,
+ unique: true,
+ access: {
+ read: adminsAndUser,
+ update: adminsAndUser,
+ },
+ },
+ {
+ name: 'password',
+ type: 'password',
+ required: true,
+ admin: {
+ description: 'Leave blank to keep the current password.',
+ },
+ },
+ {
+ name: 'resetPasswordToken',
+ type: 'text',
+ hidden: true,
+ },
+ {
+ name: 'resetPasswordExpiration',
+ type: 'date',
+ hidden: true,
+ },
 {
 name: 'firstName',
 type: 'text',
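Review bot: The two imports added in the first hunk, `import { access } from 'fs'` and `import { create } from 'domain'`, are not used anywhere in the patch; the `access:` and `create:` keys in the field objects below are object-literal property names, not references to these bindings, so they look like editor auto-imports that slipped in. Both lines should be removed. Beyond being dead code, `domain` is a deprecated Node core module, and pulling `fs` into a collection config can break any build that bundles this file for the browser (inferred from the file's role, not visible in the hunk).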
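Review bot: In the second hunk, `resetPasswordToken` and `resetPasswordExpiration` are added with `hidden: true` but no field-level `access`, while the neighbouring `email` field gets explicit `read`/`update` rules; `hidden` is a visibility flag, and whether it also strips these values from API responses depends on how the framework treats that option, which the patch does not document. If relying on `hidden` is intentional, a comment such as `// hidden: kept out of the admin UI and API responses; the reset token must never be exposed` would make that auditable; otherwise give both fields an explicit `access` block (e.g. `read: () => false`), after confirming the password-reset flow still writes them through internal operations. Separately, `adminsAndUser` is referenced here but is not among the imports visible in the first hunk, which starts at line 6, so it is presumably imported above that line and worth confirming.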
@@ -45,6 +75,11 @@ export const Users: CollectionConfig = {
 type: 'select',
 hasMany: true,
 saveToJWT: true,
+ access: {
+ read: admins,
+ update: admins,
+ create: admins,
+ },
 hooks: {
 beforeChange: [protectRoles],
 },
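Review bot: With `read: admins` on `roles`, a non-admin user can no longer read their own `roles` through the API, even though the field keeps `saveToJWT: true` and so is embedded in the token that user already holds; the restriction hides nothing from them and may break client code that reads `roles` from the logged-in user object (inferred, the consumer is not visible here). If the intent is to mirror the `email` field, `read: adminsAndUser,` is the consistent choice. The `update: admins` and `create: admins` entries are the ones that actually block privilege escalation and are a sound defence-in-depth addition alongside the existing `protectRoles` hook, which remains in place on the lines below.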