From 5f093846a71feed7e9ef4ef604afe2935a8ee6e3 Mon Sep 17 00:00:00 2001
From: Paul <paul@nouance.io>
Date: Tue, 12 Mar 2024 18:46:41 -0300
Subject: [PATCH] chore: add admin access control to buildFormState (#5310)

---
 .../next/src/routes/rest/buildFormState.ts    | 28 ++++++++++++++++++-
 1 file changed, 27 insertions(+), 1 deletion(-)

diff --git a/packages/next/src/routes/rest/buildFormState.ts b/packages/next/src/routes/rest/buildFormState.ts
index 6ff964ecf..a2c74cc0a 100644
--- a/packages/next/src/routes/rest/buildFormState.ts
+++ b/packages/next/src/routes/rest/buildFormState.ts
@@ -24,7 +24,33 @@ export const getFieldSchemaMap = (config: SanitizedConfig): FieldSchemaMap => {
 export const buildFormState = async ({ req }: { req: PayloadRequest }) => {
   const reqData: BuildFormStateArgs = req.data as BuildFormStateArgs
 
-  // TODO: run ADMIN access control for user
+  const incomingUserSlug = req.user?.collection
+  const adminUserSlug = req.payload.config.admin.user
+
+  // If we have a user slug, test it against the functions
+  if (incomingUserSlug) {
+    const adminAccessFunction = req.payload.collections[incomingUserSlug].config.access?.admin
+
+    // Run the admin access function from the config if it exists
+    if (adminAccessFunction) {
+      const canAccessAdmin = await adminAccessFunction(req)
+
+      if (!canAccessAdmin) {
+        return Response.json(null, {
+          status: httpStatus.UNAUTHORIZED,
+        })
+      }
+      // Match the user collection to the global admin config
+    } else if (adminUserSlug !== incomingUserSlug) {
+      return Response.json(null, {
+        status: httpStatus.UNAUTHORIZED,
+      })
+    }
+  } else {
+    return Response.json(null, {
+      status: httpStatus.UNAUTHORIZED,
+    })
+  }
 
   const fieldSchemaMap = getFieldSchemaMap(req.payload.config)