fix: passes id and data to read access func when accessing upload URLs (#11684)
### What?
When accessing an upload directly from the generated URL, the `read` access function runs but receives undefined `id` and `data`. As a result, any access conditions that rely on `id` or `data` will fail, and users cannot accurately determine whether or not to grant access.

### Why?
Accessing the file URL runs `packages/payload/src/uploads/endpoints/getFile.ts`. In this endpoint, we use `checkFileAccess()` from `packages/payload/src/uploads/checkFileAccess.ts`. Within the `checkFileAccess` function, we only pass `req` to `executeAccess()`.

### How?
Passes `filename` to the `executeAccess()` function from `uploads/checkFileAccess`. This is the data available for the file, and it gives users a way to make a request for the full data.

Fixes #11263
committed by
GitHub
parent
ea66e2167c
commit
4a712e1d2c
@@ -17,9 +17,12 @@ export const checkFileAccess = async ({
|
||||
if (filename.includes('../') || filename.includes('..\\')) {
|
||||
throw new Forbidden(req.t)
|
||||
}
|
||||
|
||||
const { config } = collection
|
||||
const accessResult = await executeAccess({ isReadingStaticFile: true, req }, config.access.read)
|
||||
|
||||
const accessResult = await executeAccess(
|
||||
{ data: { filename }, isReadingStaticFile: true, req },
|
||||
config.access.read,
|
||||
)
|
||||
|
||||
if (typeof accessResult === 'object') {
|
||||
const queryToBuild: Where = {
|
||||
|
||||
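Review bot: The `data` passed to the read access function in the new `executeAccess` call holds only `filename`, and `id` is still not passed, although the commit title names both. A read rule that decides on `id` or on any other document field still sees `undefined` on this path, so a rule written as "deny when the field matches" would grant access by default. The filename appears to come from the requested URL and at this point has only been checked for `../` and `..\\`, so access functions should treat it as a lookup key and not as a loaded document. I would add a comment above the call, `// static file read: only data.filename (request-derived) is set; id and all other fields are undefined`, and state the same in the access-control docs. `checkFileAccess` starts and ends outside the hunk, so how the returned `Where` is combined with the filename query is not visible here.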