payload

tabshift/payload

Fork 0

Commit Graph

Author	SHA1	Message	Date
Jarrod Flesch	9c25e7b68e	fix(plugin-multi-tenant): scope access constraint to admin collection (#11430 ) ### What? The idea of this plugin is to only add constraints when a user is present on a request. This change makes it so access control only applies to admin panel users as they are the ones assigned to tenants. This change allows you to more freely write access functions on tenant enabled collections. Say you have 2 auth enabled collections, the plugin would incorrectly assume since there is a user on the req that it needs to apply tenant constraints. When really, you should be able to just add in your own access check for `req.user.collection` and return true/false if you want to prevent/allow other auth enabled collections for certain operations. ```ts import { Access } from 'payload' const readByTenant: Access = ({ req }) => { const { user } = req if (!user \|\| user.collection === 'auth2') return false return true } ``` When you have a function like this that returns `true` and the collection is multi-tenant enabled - the plugin injects constraints ensuring the user on the request is assigned to the tenant on the doc being accessed. Before this change, you would need to opt out of access control with `useTenantAccess` and then wire up your own access function: ```ts import type { Access } from 'payload' import { getTenantAccess } from '@payloadcms/plugin-multi-tenant/utilities' export const tenantAccess: Access = async ({ req: { user } }) => { if (user) { if (user.collection === 'auth2') { return true } // Before, you would need to re-implement // internal multi-tenant access constraints if (user.roles?.includes('super-admin')) return true return getTenantAccess({ fieldName: 'tenant', user, }) } return false } ``` After this change you would not need to opt out of `useTenantAccess` and can just write: ```ts import type { Access } from 'payload' import { getTenantAccess } from '@payloadcms/plugin-multi-tenant/utilities' export const tenantAccess: Access = async ({ req: { user } }) => { return Boolean(user) } ``` This is because internally the plugin will only add the tenant constraint when the access function returns true/Where _AND_ the user belongs to the admin panel users collection.	2025-02-27 13:53:45 -05:00
Jarrod Flesch	37781808eb	fix(plugin-multi-tenant): user access, thread field names through (#11365 ) ### What? Two things: 1. Users unassigned to a tenant could not access their own account 2. Custom `tenantsArrayFieldName` and `tenantsArrayTenantFieldName` configurations were not being used in all cases ### Why? 1. The access constraint provided by the plugin would not allow them to make changes to their own account 2. `getUserTenantIDs` and `afterTenantDelete` were not using the custom field names properly ### How? 1. Adds constraint for users allowing them to manage their own account by default. Externally nothing has changed. If you need to lock your users access control down you should do that just as you would without this plugin. 2. Threads the field names through for usage. Fixes https://github.com/payloadcms/payload/issues/11317	2025-02-24 11:17:09 -05:00
Jarrod Flesch	813e70be1f	feat: adds multi-tenant plugin (#10447 ) ### Multi Tenant Plugin This PR adds a `@payloadcms/plugin-multi-tenant` package. The goal is to consolidate a source of truth for multi-tenancy. Currently we are maintaining different implementations for clients, users in discord and our examples repo. When updates or new paradigms arise we need to communicate this with everyone and update code examples which is hard to maintain. ### What does it do? - adds a tenant selector to the sidebar, above the nav links - adds a hidden tenant field to every collection that you specify - adds an array field to your users collection, allowing you to assign users to tenants - by default combines the access control (to enabled collections) that you define, with access control based on the tenants assigned to user on the request - by default adds a baseListFilter that filters the documents shown in the list view with the selected tenant in the admin panel ### What does it not do? - it does not implement multi-tenancy for your frontend. You will need to query data for specific tenants to build your website/application - it does not add a tenants collection, you NEED to add a tenants collection, where you can define what types of fields you would like on it ### The plugin config Most of the options listed below are _optional_, but it is easier to just lay out all of the configuration options. TS Type ```ts type MultiTenantPluginConfig<ConfigTypes = unknown> = { /** * After a tenant is deleted, the plugin will attempt to clean up related documents * - removing documents with the tenant ID * - removing the tenant from users * * @default true / cleanupAfterTenantDelete?: boolean /* * Automatically / collections: { [key in CollectionSlug]?: { /* * Set to `true` if you want the collection to behave as a global * * @default false / isGlobal?: boolean /* * Set to `false` if you want to manually apply the baseListFilter * * @default true / useBaseListFilter?: boolean /* * Set to `false` if you want to handle collection access manually without the multi-tenant constraints applied * * @default true / useTenantAccess?: boolean } } /* * Enables debug mode * - Makes the tenant field visible in the admin UI within applicable collections * * @default false / debug?: boolean /* * Enables the multi-tenant plugin * * @default true / enabled?: boolean /* * Field configuration for the field added to all tenant enabled collections / tenantField?: { access?: RelationshipField['access'] /* * The name of the field added to all tenant enabled collections * * @default 'tenant' / name?: string } /* * Field configuration for the field added to the users collection * * If `includeDefaultField` is `false`, you must include the field on your users collection manually * This is useful if you want to customize the field or place the field in a specific location / tenantsArrayField?: \| { /* * Access configuration for the array field / arrayFieldAccess?: ArrayField['access'] /* * When `includeDefaultField` is `true`, the field will be added to the users collection automatically / includeDefaultField?: true /* * Additional fields to include on the tenants array field / rowFields?: Field[] /* * Access configuration for the tenant field / tenantFieldAccess?: RelationshipField['access'] } \| { arrayFieldAccess?: never /* * When `includeDefaultField` is `false`, you must include the field on your users collection manually / includeDefaultField?: false rowFields?: never tenantFieldAccess?: never } /* * The slug for the tenant collection * * @default 'tenants' / tenantsSlug?: string /* * Function that determines if a user has access to _all_ tenants * * Useful for super-admin type users / userHasAccessToAllTenants?: ( user: ConfigTypes extends { user: User } ? ConfigTypes['user'] : User, ) => boolean } ``` Example usage* ```ts import type { Config } from './payload-types' import { buildConfig } from 'payload' export default buildConfig({ plugins: [ multiTenantPlugin<Config>({ collections: { pages: {}, }, userHasAccessToAllTenants: (user) => isSuperAdmin(user), }), ], }) ``` ### How to configure Collections as Globals for multi-tenant When using multi-tenant, globals need to actually be configured as collections so the content can be specific per tenant. To do that, you can mark a collection with `isGlobal` and it will behave like a global and users will not see the list view. ```ts multiTenantPlugin({ collections: { navigation: { isGlobal: true, }, }, }) ```	2025-01-15 14:47:46 -05:00

Author

SHA1

Message

Date

Jarrod Flesch

9c25e7b68e

fix(plugin-multi-tenant): scope access constraint to admin collection (#11430 )

### What?
The idea of this plugin is to only add constraints when a user is
present on a request. This change makes it so access control only
applies to admin panel users as they are the ones assigned to tenants.

This change allows you to more freely write access functions on tenant
enabled collections. Say you have 2 auth enabled collections, the plugin
would incorrectly assume since there is a user on the req that it needs
to apply tenant constraints. When really, you should be able to just add
in your own access check for `req.user.collection` and return true/false
if you want to prevent/allow other auth enabled collections for certain
operations.

```ts
import { Access } from 'payload'

const readByTenant: Access = ({ req }) => {
  const { user } = req
  if (!user || user.collection === 'auth2') return false
  return true
}
```

When you have a function like this that returns `true` and the
collection is multi-tenant enabled - the plugin injects constraints
ensuring the user on the request is assigned to the tenant on the doc
being accessed.

Before this change, you would need to opt out of access control with
`useTenantAccess` and then wire up your own access function:

```ts
import type { Access } from 'payload'
import { getTenantAccess } from '@payloadcms/plugin-multi-tenant/utilities'

export const tenantAccess: Access = async ({ req: { user } }) => {
  if (user) {
    if (user.collection === 'auth2') {
      return true
    }

    // Before, you would need to re-implement
    // internal multi-tenant access constraints
    if (user.roles?.includes('super-admin')) return true

    return getTenantAccess({
      fieldName: 'tenant',
      user,
    })
  }

  return false
}
```

After this change you would not need to opt out of `useTenantAccess` and
can just write:

```ts
import type { Access } from 'payload'
import { getTenantAccess } from '@payloadcms/plugin-multi-tenant/utilities'

export const tenantAccess: Access = async ({ req: { user } }) => {
  return Boolean(user)
}
```

This is because internally the plugin will only add the tenant
constraint when the access function returns true/Where _AND_ the user
belongs to the admin panel users collection.

2025-02-27 13:53:45 -05:00

Jarrod Flesch

37781808eb

fix(plugin-multi-tenant): user access, thread field names through (#11365 )

### What?
Two things:
1. Users unassigned to a tenant could not access their own account
2. Custom `tenantsArrayFieldName` and `tenantsArrayTenantFieldName`
configurations were not being used in all cases

### Why?
1. The access constraint provided by the plugin would not allow them to
make changes to their own account
2. `getUserTenantIDs` and `afterTenantDelete` were not using the custom
field names properly

### How?
1. Adds constraint for users allowing them to manage their own account
by default. Externally nothing has changed. If you need to lock your
users access control down you should do that just as you would without
this plugin.
2. Threads the field names through for usage.

Fixes https://github.com/payloadcms/payload/issues/11317

2025-02-24 11:17:09 -05:00

Jarrod Flesch

813e70be1f

feat: adds multi-tenant plugin (#10447 )

### Multi Tenant Plugin
This PR adds a `@payloadcms/plugin-multi-tenant` package. The goal is to
consolidate a source of truth for multi-tenancy. Currently we are
maintaining different implementations for clients, users in discord and
our examples repo. When updates or new paradigms arise we need to
communicate this with everyone and update code examples which is hard to
maintain.

### What does it do?
- adds a tenant selector to the sidebar, above the nav links
- adds a hidden tenant field to every collection that you specify
- adds an array field to your users collection, allowing you to assign
users to tenants
- by default combines the access control (to enabled collections) that
you define, with access control based on the tenants assigned to user on
the request
- by default adds a baseListFilter that filters the documents shown in
the list view with the selected tenant in the admin panel

### What does it not do?
- it does not implement multi-tenancy for your frontend. You will need
to query data for specific tenants to build your website/application
- it does not add a tenants collection, you **NEED** to add a tenants
collection, where you can define what types of fields you would like on
it

### The plugin config

Most of the options listed below are _optional_, but it is easier to
just lay out all of the configuration options.

**TS Type**
```ts
type MultiTenantPluginConfig<ConfigTypes = unknown> = {
  /**
   * After a tenant is deleted, the plugin will attempt to clean up related documents
   * - removing documents with the tenant ID
   * - removing the tenant from users
   *
   * @default true
   */
  cleanupAfterTenantDelete?: boolean
  /**
   * Automatically
   */
  collections: {
    [key in CollectionSlug]?: {
      /**
       * Set to `true` if you want the collection to behave as a global
       *
       * @default false
       */
      isGlobal?: boolean
      /**
       * Set to `false` if you want to manually apply the baseListFilter
       *
       * @default true
       */
      useBaseListFilter?: boolean
      /**
       * Set to `false` if you want to handle collection access manually without the multi-tenant constraints applied
       *
       * @default true
       */
      useTenantAccess?: boolean
    }
  }
  /**
   * Enables debug mode
   * - Makes the tenant field visible in the admin UI within applicable collections
   *
   * @default false
   */
  debug?: boolean
  /**
   * Enables the multi-tenant plugin
   *
   * @default true
   */
  enabled?: boolean
  /**
   * Field configuration for the field added to all tenant enabled collections
   */
  tenantField?: {
    access?: RelationshipField['access']
    /**
     * The name of the field added to all tenant enabled collections
     *
     * @default 'tenant'
     */
    name?: string
  }
  /**
   * Field configuration for the field added to the users collection
   *
   * If `includeDefaultField` is `false`, you must include the field on your users collection manually
   * This is useful if you want to customize the field or place the field in a specific location
   */
  tenantsArrayField?:
    | {
        /**
         * Access configuration for the array field
         */
        arrayFieldAccess?: ArrayField['access']
        /**
         * When `includeDefaultField` is `true`, the field will be added to the users collection automatically
         */
        includeDefaultField?: true
        /**
         * Additional fields to include on the tenants array field
         */
        rowFields?: Field[]
        /**
         * Access configuration for the tenant field
         */
        tenantFieldAccess?: RelationshipField['access']
      }
    | {
        arrayFieldAccess?: never
        /**
         * When `includeDefaultField` is `false`, you must include the field on your users collection manually
         */
        includeDefaultField?: false
        rowFields?: never
        tenantFieldAccess?: never
      }
  /**
   * The slug for the tenant collection
   *
   * @default 'tenants'
   */
  tenantsSlug?: string
  /**
   * Function that determines if a user has access to _all_ tenants
   *
   * Useful for super-admin type users
   */
  userHasAccessToAllTenants?: (
    user: ConfigTypes extends { user: User } ? ConfigTypes['user'] : User,
  ) => boolean
}
```

**Example usage**
```ts
import type { Config } from './payload-types'
import { buildConfig } from 'payload'

export default buildConfig({
  plugins: [
    multiTenantPlugin<Config>({
      collections: {
        pages: {},
      },
      userHasAccessToAllTenants: (user) => isSuperAdmin(user),
    }),
  ],
})
```


### How to configure Collections as Globals for multi-tenant

When using multi-tenant, globals need to actually be configured as
collections so the content can be specific per tenant.
To do that, you can mark a collection with `isGlobal` and it will behave
like a global and users will not see the list view.

```ts
multiTenantPlugin({
  collections: {
    navigation: {
      isGlobal: true,
    },
  },
})
```

2025-01-15 14:47:46 -05:00

3 Commits