fix: corrects permission access reading for disabling fields (#6815)

Fixes issues where access control was not properly affecting the read-only setting on fields.

test/access-control/collections/Disabled/index.ts

@@ -0,0 +1,42 @@
+import type { CollectionConfig, Field } from 'payload/types'
+
+import { disabledSlug } from '../../shared.js'
+
+const disabledFromUpdateAccessControl = (fieldName = 'text'): Field => ({
+  type: 'text',
+  name: fieldName,
+  access: {
+    update: () => {
+      return false
+    },
+  },
+})
+
+export const Disabled: CollectionConfig = {
+  slug: disabledSlug,
+  fields: [
+    {
+      type: 'group',
+      name: 'group',
+      fields: [disabledFromUpdateAccessControl()],
+    },
+    {
+      type: 'tabs',
+      tabs: [
+        {
+          name: 'namedTab',
+          fields: [disabledFromUpdateAccessControl()],
+        },
+        {
+          label: 'unnamedTab',
+          fields: [disabledFromUpdateAccessControl('unnamedTab')],
+        },
+      ],
+    },
+    {
+      type: 'array',
+      name: 'array',
+      fields: [disabledFromUpdateAccessControl()],
+    },
+  ],
+}

test/access-control/config.ts

@@ -7,6 +7,7 @@ import type { FieldAccess } from 'payload'
 import { buildConfigWithDefaults } from '../buildConfigWithDefaults.js'
 import { devUser } from '../credentials.js'
 import { TestButton } from './TestButton.js'
+import { Disabled } from './collections/Disabled/index.js'
 import {
   createNotUpdateCollectionSlug,
   docLevelAccessSlug,
@@ -533,6 +534,7 @@ export default buildConfigWithDefaults({
         },
       ],
     },
+    Disabled,
   ],
   onInit: async (payload) => {
     await payload.create({

test/access-control/e2e.spec.ts

@@ -30,6 +30,7 @@ import { initPayloadE2ENoConfig } from '../helpers/initPayloadE2ENoConfig.js'
 import { POLL_TOPASS_TIMEOUT, TEST_TIMEOUT_LONG } from '../playwright.config.js'
 import {
   createNotUpdateCollectionSlug,
+  disabledSlug,
   docLevelAccessSlug,
   fullyRestrictedSlug,
   noAdminAccessEmail,
@@ -67,6 +68,7 @@ describe('access control', () => {
   let restrictedVersionsUrl: AdminUrlUtil
   let userRestrictedCollectionURL: AdminUrlUtil
   let userRestrictedGlobalURL: AdminUrlUtil
+  let disabledFields: AdminUrlUtil
   let serverURL: string
   let context: BrowserContext
   let logoutURL: string
@@ -83,6 +85,7 @@ describe('access control', () => {
     restrictedVersionsUrl = new AdminUrlUtil(serverURL, restrictedVersionsSlug)
     userRestrictedCollectionURL = new AdminUrlUtil(serverURL, userRestrictedCollectionSlug)
     userRestrictedGlobalURL = new AdminUrlUtil(serverURL, userRestrictedGlobalSlug)
+    disabledFields = new AdminUrlUtil(serverURL, disabledSlug)
 
     context = await browser.newContext()
     page = await context.newPage()
@@ -521,6 +524,34 @@ describe('access control', () => {
       await expect(page.locator('.next-error-h1')).toBeVisible()
     })
   })
+
+  describe('read-only from access control', () => {
+    test('should be read-only when update returns false', async () => {
+      await page.goto(disabledFields.create)
+
+      // group field
+      await page.locator('#field-group__text').fill('group')
+
+      // named tab
+      await page.locator('#field-namedTab__text').fill('named tab')
+
+      // unnamed tab
+      await page.locator('.tabs-field__tab-button').nth(1).click()
+      await page.locator('#field-unnamedTab').fill('unnamed tab')
+
+      // array field
+      await page.locator('#field-array button').click()
+      await page.locator('#field-array__0__text').fill('array row 0')
+
+      await saveDocAndAssert(page)
+
+      await expect(page.locator('#field-group__text')).toBeDisabled()
+      await expect(page.locator('#field-namedTab__text')).toBeDisabled()
+      await page.locator('.tabs-field__tab-button').nth(1).click()
+      await expect(page.locator('#field-unnamedTab')).toBeDisabled()
+      await expect(page.locator('#field-array__0__text')).toBeDisabled()
+    })
+  })
 })
 
 // eslint-disable-next-line @typescript-eslint/require-await

test/access-control/shared.ts

@@ -24,3 +24,5 @@ export const noAdminAccessEmail = 'no-admin-access@payloadcms.com'
 export const nonAdminUserEmail = 'non-admin-user@payloadcms.com'
 
 export const nonAdminUserSlug = 'non-admin-user'
+
+export const disabledSlug = 'disabled'