fix: blocks non-admin users from admin access (#6127)

Jacob Fletcher
2024-04-29 19:53:18 -04:00
committed by GitHub
parent 3e117f4e99
commit 4d7ef58e7e
5 changed files with 71 additions and 4 deletions


@@ -17,7 +17,7 @@ export async function getAccessResults({ req }: GetAccessResultsArgs): Promise<P
? payload.config.collections.find((collection) => collection.slug === user.collection) ? payload.config.collections.find((collection) => collection.slug === user.collection)
: null : null
if (userCollectionConfig) { if (userCollectionConfig && payload.config.admin.user === user.collection) {
results.canAccessAdmin = userCollectionConfig.access.admin results.canAccessAdmin = userCollectionConfig.access.admin
? await userCollectionConfig.access.admin({ req }) ? await userCollectionConfig.access.admin({ req })
: isLoggedIn : isLoggedIn
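Review bot: The new guard on the `if` line leaves `results.canAccessAdmin` untouched for users of any auth-enabled collection other than `payload.config.admin.user`, and nothing in the hunk records that this fall-through is the intended denial; the initial value of `results` is assigned before the hunk, so whether it already starts as `false` cannot be seen here. Add a comment above the condition such as `// Only the collection configured as admin.user may grant panel access; users of other auth-enabled collections must never reach access.admin, whose default (isLoggedIn) would otherwise let them in.` If `results.canAccessAdmin` is not initialised to `false` earlier, an explicit `else { results.canAccessAdmin = false }` would make the denial unambiguous for callers that distinguish `undefined` from `false`. `getAccessResults` begins before and continues after this hunk.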


@@ -10,6 +10,8 @@ import {
hiddenAccessSlug, hiddenAccessSlug,
hiddenFieldsSlug, hiddenFieldsSlug,
noAdminAccessEmail, noAdminAccessEmail,
nonAdminUserEmail,
nonAdminUserSlug,
readOnlyGlobalSlug, readOnlyGlobalSlug,
readOnlySlug, readOnlySlug,
relyOnRequestHeadersSlug, relyOnRequestHeadersSlug,
@@ -122,6 +124,11 @@ export default buildConfigWithDefaults({
}, },
], ],
}, },
{
slug: nonAdminUserSlug,
auth: true,
fields: [],
},
{ {
slug, slug,
access: { access: {
@@ -487,6 +494,14 @@ export default buildConfigWithDefaults({
}, },
}) })
await payload.create({
collection: nonAdminUserSlug,
data: {
email: nonAdminUserEmail,
password: 'test',
},
})
await payload.create({ await payload.create({
collection: slug, collection: slug,
data: { data: {
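Review bot: The seeded non-admin user is created with the literal `password: 'test'`, while the Playwright spec that logs this user in (the `should block admin access to non-admin user` test) passes `devUser.password`; the test only works for as long as those two values happen to agree, and a change to either one would make the e2e test fail on login rather than on the behaviour under test. Either seed with `password: devUser.password` if `devUser` is in scope in this config, or export a `nonAdminUserPassword` constant next to `nonAdminUserEmail` and `nonAdminUserSlug` in the shared constants file and use it in both places. The `buildConfigWithDefaults` call that contains this seeding code begins before and ends after the hunk.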


@@ -26,6 +26,8 @@ import { POLL_TOPASS_TIMEOUT } from '../playwright.config.js'
import { import {
docLevelAccessSlug, docLevelAccessSlug,
noAdminAccessEmail, noAdminAccessEmail,
nonAdminUserEmail,
nonAdminUserSlug,
readOnlyGlobalSlug, readOnlyGlobalSlug,
readOnlySlug, readOnlySlug,
restrictedSlug, restrictedSlug,
@@ -55,6 +57,7 @@ describe('access control', () => {
let readOnlyGlobalUrl: AdminUrlUtil let readOnlyGlobalUrl: AdminUrlUtil
let restrictedVersionsUrl: AdminUrlUtil let restrictedVersionsUrl: AdminUrlUtil
let serverURL: string let serverURL: string
let context: BrowserContext
beforeAll(async ({ browser }) => { beforeAll(async ({ browser }) => {
;({ payload, serverURL } = await initPayloadE2ENoConfig<Config>({ dirname })) ;({ payload, serverURL } = await initPayloadE2ENoConfig<Config>({ dirname }))
@@ -65,7 +68,7 @@ describe('access control', () => {
readOnlyGlobalUrl = new AdminUrlUtil(serverURL, readOnlySlug) readOnlyGlobalUrl = new AdminUrlUtil(serverURL, readOnlySlug)
restrictedVersionsUrl = new AdminUrlUtil(serverURL, restrictedVersionsSlug) restrictedVersionsUrl = new AdminUrlUtil(serverURL, restrictedVersionsSlug)
const context = await browser.newContext() context = await browser.newContext()
page = await context.newPage() page = await context.newPage()
initPageConsoleErrorCatch(page) initPageConsoleErrorCatch(page)
@@ -340,7 +343,7 @@ describe('access control', () => {
await expect(documentDrawer2.locator('#field-name')).toBeEnabled() await expect(documentDrawer2.locator('#field-name')).toBeEnabled()
}) })
test('should completely block admin access', async () => { test('should block admin access to admin user', async () => {
const adminURL = `${serverURL}/admin` const adminURL = `${serverURL}/admin`
await page.goto(adminURL) await page.goto(adminURL)
await page.waitForURL(adminURL) await page.waitForURL(adminURL)
@@ -360,6 +363,51 @@ describe('access control', () => {
}) })
await expect(page.locator('.next-error-h1')).toBeVisible() await expect(page.locator('.next-error-h1')).toBeVisible()
await page.goto(`${serverURL}/admin/logout`)
await page.waitForURL(`${serverURL}/admin/logout`)
// Log back in for the next test
await login({
page,
serverURL,
data: {
email: devUser.email,
password: devUser.password,
},
})
})
test('should block admin access to non-admin user', async () => {
const adminURL = `${serverURL}/admin`
await page.goto(adminURL)
await page.waitForURL(adminURL)
await expect(page.locator('.dashboard')).toBeVisible()
await page.goto(`${serverURL}/admin/logout`)
await page.waitForURL(`${serverURL}/admin/logout`)
const nonAdminUser = await payload.login({
collection: nonAdminUserSlug,
data: {
email: nonAdminUserEmail,
password: devUser.password,
},
})
context.addCookies([
{
name: 'payload-token',
value: nonAdminUser.token,
url: serverURL,
},
])
await page.goto(adminURL)
await page.waitForURL(adminURL)
await expect(page.locator('.next-error-h1')).toBeVisible()
}) })
}) })
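Review bot: `context.addCookies([...])` in the new `should block admin access to non-admin user` test is not awaited, so `page.goto(adminURL)` can race the cookie being installed and the test becomes timing-dependent; it should read `await context.addCookies([`. The assertion `await expect(page.locator('.next-error-h1')).toBeVisible()` also accepts any Next.js error page, so a 500 caused by an unrelated bug is indistinguishable from the intended denial — asserting on the error heading text or response status would pin the behaviour being fixed. This test also logs out and swaps in the non-admin token but never restores the admin session the way the preceding test does with `login(...)`, which leaves the shared `page`/`context` in a non-admin state for any test added after it in this `describe`.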


@@ -17,3 +17,7 @@ export const hiddenAccessSlug = 'hidden-access'
export const hiddenAccessCountSlug = 'hidden-access-count' export const hiddenAccessCountSlug = 'hidden-access-count'
export const noAdminAccessEmail = 'no-admin-access@payloadcms.com' export const noAdminAccessEmail = 'no-admin-access@payloadcms.com'
export const nonAdminUserEmail = 'non-admin-user@payloadcms.com'
export const nonAdminUserSlug = 'non-admin-user'


@@ -37,7 +37,7 @@
], ],
"paths": { "paths": {
"@payload-config": [ "@payload-config": [
"./test/_community/config.ts" "./test/access-control/config.ts"
], ],
"@payloadcms/live-preview": [ "@payloadcms/live-preview": [
"./packages/live-preview/src" "./packages/live-preview/src"
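Review bot: The `@payload-config` path alias is switched from `./test/_community/config.ts` to `./test/access-control/config.ts`, which is unrelated to the access-control fix and appears to be a local test-suite selection committed along with it; if this alias decides which config the dev and test server loads, landing it changes behaviour for everyone using the repository. If the switch is intentional, the commit description should say why; otherwise this hunk should be reverted so the baseline stays `"./test/_community/config.ts"`.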