From 0789f4d0d40ef8ee6e36db0442c0db3dcc4e96d8 Mon Sep 17 00:00:00 2001 From: Paul Date: Fri, 20 Sep 2024 10:54:33 -0600 Subject: [PATCH] fix(plugin-form-builder)!: emails array field has read access by authenticated users only by default now (#8338) --- docs/plugins/form-builder.mdx | 6 +++++- packages/plugin-form-builder/src/collections/Forms/index.ts | 3 +++ 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/docs/plugins/form-builder.mdx b/docs/plugins/form-builder.mdx index 830d09a0b..ff3b33fe5 100644 --- a/docs/plugins/form-builder.mdx +++ b/docs/plugins/form-builder.mdx @@ -154,6 +154,10 @@ Override anything on the `forms` collection by sending a [Payload Collection Con Note that the `fields` property is a function that receives the default fields and returns an array of fields. This is because the `fields` property is a special case that is merged with the default fields, rather than replacing them. This allows you to map over default fields and modify them as needed. + +Good to know: The form collection is publicly available to read by default. The emails field is locked for authenticated users only. If you have any frontend users you should override the access permissions for both the collection and the emails field to make sure you don't leak out any private emails. + + ```ts // payload.config.ts formBuilder({ @@ -161,7 +165,7 @@ formBuilder({ formOverrides: { slug: 'contact-forms', access: { - read: () => true, + read: ({ req: { user } }) => !!user, // authenticated users only update: () => false, }, fields: ({ defaultFields }) => { diff --git a/packages/plugin-form-builder/src/collections/Forms/index.ts b/packages/plugin-form-builder/src/collections/Forms/index.ts index 63117bf9c..06b0f252c 100644 --- a/packages/plugin-form-builder/src/collections/Forms/index.ts +++ b/packages/plugin-form-builder/src/collections/Forms/index.ts 
@@ -138,6 +138,9 @@ export const generateFormCollection = (formConfig: FormBuilderPluginConfig): Col
 {
 name: 'emails',
 type: 'array',
+ access: {
+ read: ({ req: { user } }) => !!user,
+ },
 admin: {
 description:
 "Send custom emails when the form submits. Use comma separated lists to send the same email to multiple recipients. To reference a value from this form, wrap that field's name with double curly brackets, i.e. {{firstName}}. You can use a wildcard {{*}} to output all data and {{*:table}} to format it as an HTML table in the email.",
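Review bot: The `read: ({ req: { user } }) => !!user` check added to the `emails` field admits any authenticated request, so in a project where site visitors can also log in (the case the docs hunk in this same patch warns about) those users still receive the configured recipients and email templates, and nothing at the definition says so. A short comment above `access` would carry that caveat into the code, e.g. `// Any logged-in user passes this check, frontend users included; tighten via formOverrides.fields if non-admin users can authenticate.` The diffstat lists only the docs file and this file, so no test pins that an unauthenticated read of a form omits `emails`. A regression test for that is worth adding, since the whole change is a default that a later refactor could silently drop. The enclosing `generateFormCollection` starts and ends outside the hunk.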