diff --git a/packages/payload/src/auth/getAccessResults.ts b/packages/payload/src/auth/getAccessResults.ts
index 751b32ac3..0a6dc1e19 100644
--- a/packages/payload/src/auth/getAccessResults.ts
+++ b/packages/payload/src/auth/getAccessResults.ts
@@ -17,7 +17,7 @@ export async function getAccessResults({ req }: GetAccessResultsArgs): Promise

collection.slug === user.collection) : null - if (userCollectionConfig) { + if (userCollectionConfig && payload.config.admin.user === user.collection) { results.canAccessAdmin = userCollectionConfig.access.admin ? await userCollectionConfig.access.admin({ req }) : isLoggedIn diff --git a/test/access-control/config.ts b/test/access-control/config.ts index 259d09121..9fcb322d0 100644 --- a/test/access-control/config.ts +++ b/test/access-control/config.ts @@ -10,6 +10,8 @@ import { hiddenAccessSlug, hiddenFieldsSlug, noAdminAccessEmail, + nonAdminUserEmail, + nonAdminUserSlug, readOnlyGlobalSlug, readOnlySlug, relyOnRequestHeadersSlug, @@ -122,6 +124,11 @@ export default buildConfigWithDefaults({ }, ], }, + { + slug: nonAdminUserSlug, + auth: true, + fields: [], + }, { slug, access: { @@ -487,6 +494,14 @@ export default buildConfigWithDefaults({ }, }) + await payload.create({ + collection: nonAdminUserSlug, + data: { + email: nonAdminUserEmail, + password: 'test', + }, + }) + await payload.create({ collection: slug, data: { diff --git a/test/access-control/e2e.spec.ts b/test/access-control/e2e.spec.ts index fc61ee15c..09fa116f1 100644 --- a/test/access-control/e2e.spec.ts +++ b/test/access-control/e2e.spec.ts @@ -26,6 +26,8 @@ import { POLL_TOPASS_TIMEOUT } from '../playwright.config.js' import { docLevelAccessSlug, noAdminAccessEmail, + nonAdminUserEmail, + nonAdminUserSlug, readOnlyGlobalSlug, readOnlySlug, restrictedSlug, @@ -55,6 +57,7 @@ describe('access control', () => { let readOnlyGlobalUrl: AdminUrlUtil let restrictedVersionsUrl: AdminUrlUtil let serverURL: string + let context: BrowserContext beforeAll(async ({ browser }) => { ;({ payload, serverURL } = await initPayloadE2ENoConfig({ dirname })) 
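Review bot: The new guard `userCollectionConfig && payload.config.admin.user === user.collection` tightens a security-relevant contract without saying so: a user of any auth-enabled collection other than the configured admin collection now never receives `canAccessAdmin`, and that collection's `access.admin` function is no longer invoked from this branch even if it would have returned true. I would state that on the line itself, e.g. `// Only the configured admin user collection may reach the admin panel; access.admin on other auth collections is deliberately not consulted here`. If `payload.config.admin.user` were ever undefined the comparison is false for every user and admin access is denied outright, which is a fail-closed default but worth confirming against config sanitization. `payload` and `user` are presumably destructured from `req` above the hunk, and the `else` branch and the rest of `getAccessResults` continue outside it.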
@@ -65,7 +68,7 @@ describe('access control', () => { readOnlyGlobalUrl = new AdminUrlUtil(serverURL, readOnlySlug) restrictedVersionsUrl = new AdminUrlUtil(serverURL, restrictedVersionsSlug) - const context = await browser.newContext() + context = await browser.newContext() page = await context.newPage() initPageConsoleErrorCatch(page) @@ -340,7 +343,7 @@ describe('access control', () => { await expect(documentDrawer2.locator('#field-name')).toBeEnabled() }) - test('should completely block admin access', async () => { + test('should block admin access to admin user', async () => { const adminURL = `${serverURL}/admin` await page.goto(adminURL) await page.waitForURL(adminURL) @@ -360,6 +363,51 @@ describe('access control', () => { }) await expect(page.locator('.next-error-h1')).toBeVisible() + + await page.goto(`${serverURL}/admin/logout`) + await page.waitForURL(`${serverURL}/admin/logout`) + + // Log back in for the next test + await login({ + page, + serverURL, + data: { + email: devUser.email, + password: devUser.password, + }, + }) + }) + + test('should block admin access to non-admin user', async () => { + const adminURL = `${serverURL}/admin` + await page.goto(adminURL) + await page.waitForURL(adminURL) + + await expect(page.locator('.dashboard')).toBeVisible() + + await page.goto(`${serverURL}/admin/logout`) + await page.waitForURL(`${serverURL}/admin/logout`) + + const nonAdminUser = await payload.login({ + collection: nonAdminUserSlug, + data: { + email: nonAdminUserEmail, + password: devUser.password, + }, + }) + + context.addCookies([ + { + name: 'payload-token', + value: nonAdminUser.token, + url: serverURL, + }, + ]) + + await page.goto(adminURL) + await page.waitForURL(adminURL) + + await expect(page.locator('.next-error-h1')).toBeVisible() }) }) diff --git a/test/access-control/shared.ts b/test/access-control/shared.ts index 5944244ef..0fc23f712 100644 --- a/test/access-control/shared.ts +++ b/test/access-control/shared.ts 
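Review bot: `context.addCookies([...])` in the new 'should block admin access to non-admin user' test is not awaited, so the following `page.goto(adminURL)` can race the cookie write and the assertion may pass or fail on timing rather than on the access check; change it to `await context.addCookies([...])`. The fixture in config.ts creates this user with the literal password `'test'` while the test logs in with `devUser.password`; if those happen to match today the coupling is accidental, so either create the user with `devUser.password` or export a shared constant from shared.ts next to `nonAdminUserEmail`. The cookie name `'payload-token'` is also hard-coded here and will break silently if the configured cookie prefix changes, so a short comment saying it must match the config's token cookie would help. The enclosing `describe` block starts before the hunk.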
@@ -17,3 +17,7 @@ export const hiddenAccessSlug = 'hidden-access' export const hiddenAccessCountSlug = 'hidden-access-count' export const noAdminAccessEmail = 'no-admin-access@payloadcms.com' + +export const nonAdminUserEmail = 'non-admin-user@payloadcms.com' + +export const nonAdminUserSlug = 'non-admin-user' diff --git a/tsconfig.json b/tsconfig.json index f09927d18..046160a5d 100644 --- a/tsconfig.json +++ b/tsconfig.json @@ -37,7 +37,7 @@ ], "paths": { "@payload-config": [ - "./test/_community/config.ts" + "./test/access-control/config.ts" ], "@payloadcms/live-preview": [ "./packages/live-preview/src"
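Review bot: The `@payload-config` alias in tsconfig.json is switched from `./test/_community/config.ts` to `./test/access-control/config.ts`, which looks like a local development setting committed alongside the fix rather than an intended change; I would revert this hunk (keep `"./test/_community/config.ts"`) before merge unless the repository convention is to point the alias at the suite under test. If it is intentional, a one-line reason in the PR description would help, since the alias presumably determines what every other suite resolves at type-check time.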