payload

Files

Jessica Rynkar 50029532aa fix(examples): checks requested tenant matches user tenant permissions (#13012 )

### What

This PR updates the `create` access control functions in the
`multi-tenant` example to ensure that any `tenant` specified in a create
request matches a tenant the user has admin access to.

### Why

Previously, while the admin panel UI restricted the tenant selection, it
was still possible to bypass this by making a request directly to the
API with a different `tenant`. This allowed users to create documents
under tenants they shouldn't have access to.

### How

The `access` functions on the `users` and `pages` collections now
explicitly check whether the tenant(s) in the request are included in
the user's tenant permissions. If not, access is denied by returning
`false`.

**Fixes: CMS2-Q225-03**

2025-07-02 14:30:47 +01:00

astro

feat(templates): added int and e2e tests to blank and website templates (#12866 )

2025-06-26 13:55:28 -04:00

auth

refactor: remove unused assets, move remaining assets out of payload packages (#12874 )

2025-06-23 23:23:44 +00:00

custom-components

feat!: bump minimum next version to 15.2.3 (#11823 )

2025-03-24 09:41:33 -04:00

custom-server

chore(examples): remove unused imports from custom server example (#12467 )