fix: Enhances field-level access controls on Users collection to address s… (#13197)

Enhance field-level access controls on Users collection to address security concerns - Restricted read/update access on `email` field to admins and the user themselves - Locked down `roles` field so only admins can create, read, or update it
2025-07-16 12:36:32 -07:00
parent 41cff6d436
commit cab7ba4a8a
1 changed files with 35 additions and 0 deletions
--- a/examples/auth/src/collections/Users.ts
+++ b/examples/auth/src/collections/Users.ts
@@ -6,6 +6,8 @@ import { anyone } from './access/anyone'
 import { checkRole } from './access/checkRole'
 import { loginAfterCreate } from './hooks/loginAfterCreate'
 import { protectRoles } from './hooks/protectRoles'
 import { access } from 'fs'
 import { create } from 'domain'
 export const Users: CollectionConfig = {
  slug: 'users',
@@ -32,6 +34,34 @@ export const Users: CollectionConfig = {
    afterChange: [loginAfterCreate],
  },
  fields: [
    {
      name: 'email',
      type: 'email',
      required: true,
      unique: true,
      access: {
        read: adminsAndUser,
        update: adminsAndUser,
      },
    },
    {
      name: 'password',
      type: 'password',
      required: true,
      admin: {
        description: 'Leave blank to keep the current password.',
      },
    },
    {
      name: 'resetPasswordToken',
      type: 'text',
      hidden: true,
    },
    {
      name: 'resetPasswordExpiration',
      type: 'date',
      hidden: true,
    },
    {
      name: 'firstName',
      type: 'text',
@@ -45,6 +75,11 @@ export const Users: CollectionConfig = {
      type: 'select',
      hasMany: true,
      saveToJWT: true,
      access: {
        read: admins,
        update: admins,
        create: admins,
      },
      hooks: {
        beforeChange: [protectRoles],
      },