fix(plugin-form-builder)!: emails array field has read access by authenticated users only by default now (#8338)

docs/plugins/form-builder.mdx

@@ -154,6 +154,10 @@ Override anything on the `forms` collection by sending a [Payload Collection Con
 
 Note that the `fields` property is a function that receives the default fields and returns an array of fields. This is because the `fields` property is a special case that is merged with the default fields, rather than replacing them. This allows you to map over default fields and modify them as needed.
 
+<Banner type="warning">
+Good to know: The form collection is publicly available to read by default. The emails field is locked for authenticated users only. If you have any frontend users you should override the access permissions for both the collection and the emails field to make sure you don't leak out any private emails.
+</Banner>
+
 ```ts
 // payload.config.ts
 formBuilder({
@@ -161,7 +165,7 @@ formBuilder({
   formOverrides: {
     slug: 'contact-forms',
     access: {
-      read: () => true,
+      read: ({ req: { user } }) => !!user, // authenticated users only
       update: () => false,
     },
     fields: ({ defaultFields }) => {

packages/plugin-form-builder/src/collections/Forms/index.ts

@@ -138,6 +138,9 @@ export const generateFormCollection = (formConfig: FormBuilderPluginConfig): Col
     {
       name: 'emails',
       type: 'array',
+      access: {
+        read: ({ req: { user } }) => !!user,
+      },
       admin: {
         description:
           "Send custom emails when the form submits. Use comma separated lists to send the same email to multiple recipients. To reference a value from this form, wrap that field's name with double curly brackets, i.e. {{firstName}}. You can use a wildcard {{*}} to output all data and {{*:table}} to format it as an HTML table in the email.",