fix: sanitizes modifyResponseHeaders from client config (#7876)

packages/payload/src/collections/config/client.ts

@@ -14,6 +14,15 @@ export type ServerOnlyCollectionAdminProperties = keyof Pick<
   'hidden' | 'preview'
 >
 
+export type ServerOnlyUploadProperties = keyof Pick<
+  SanitizedCollectionConfig['upload'],
+  | 'adminThumbnail'
+  | 'externalFileHeaderFilter'
+  | 'handlers'
+  | 'modifyResponseHeaders'
+  | 'withMetadata'
+>
+
 export type ClientCollectionConfig = {
   _isPreviewEnabled?: true
   admin: {

packages/payload/src/index.ts

@@ -663,6 +663,7 @@ export type { ClientCollectionConfig } from './collections/config/client.js'
 export type {
   ServerOnlyCollectionAdminProperties,
   ServerOnlyCollectionProperties,
+  ServerOnlyUploadProperties,
 } from './collections/config/client.js'
 export type {
   AfterChangeHook as CollectionAfterChangeHook,

packages/ui/src/providers/Config/createClientConfig/collections.tsx

@@ -11,6 +11,7 @@ import type {
   SanitizedCollectionConfig,
   ServerOnlyCollectionAdminProperties,
   ServerOnlyCollectionProperties,
+  ServerOnlyUploadProperties,
 } from 'payload'
 import type React from 'react'
 
@@ -18,6 +19,30 @@ import { deepCopyObjectSimple } from 'payload'
 
 import { createClientFields } from './fields.js'
 
+const serverOnlyCollectionProperties: Partial<ServerOnlyCollectionProperties>[] = [
+  'hooks',
+  'access',
+  'endpoints',
+  'custom',
+  // `upload`
+  // `admin`
+  // are all handled separately
+]
+
+const serverOnlyUploadProperties: Partial<ServerOnlyUploadProperties>[] = [
+  'adminThumbnail',
+  'externalFileHeaderFilter',
+  'handlers',
+  'modifyResponseHeaders',
+  'withMetadata',
+]
+
+const serverOnlyCollectionAdminProperties: Partial<ServerOnlyCollectionAdminProperties>[] = [
+  'hidden',
+  'preview',
+  // `livePreview` is handled separately
+]
+
 export const createClientCollectionConfig = ({
   DefaultEditView,
   DefaultListView,
@@ -46,16 +71,6 @@ export const createClientCollectionConfig = ({
     payload,
   })
 
-  const serverOnlyCollectionProperties: Partial<ServerOnlyCollectionProperties>[] = [
-    'hooks',
-    'access',
-    'endpoints',
-    'custom',
-    // `upload`
-    // `admin`
-    // are all handled separately
-  ]
-
   serverOnlyCollectionProperties.forEach((key) => {
     if (key in clientCollection) {
       delete clientCollection[key]
@@ -63,10 +78,11 @@ export const createClientCollectionConfig = ({
   })
 
   if ('upload' in clientCollection && typeof clientCollection.upload === 'object') {
-    delete clientCollection.upload.handlers
+    serverOnlyUploadProperties.forEach((key) => {
-    delete clientCollection.upload.adminThumbnail
+      if (key in clientCollection.upload) {
-    delete clientCollection.upload.externalFileHeaderFilter
+        delete clientCollection.upload[key]
-    delete clientCollection.upload.withMetadata
+      }
+    })
 
     if ('imageSizes' in clientCollection.upload && clientCollection.upload.imageSizes.length) {
       clientCollection.upload.imageSizes = clientCollection.upload.imageSizes.map((size) => {
@@ -91,12 +107,6 @@ export const createClientCollectionConfig = ({
     })
   }
 
-  const serverOnlyCollectionAdminProperties: Partial<ServerOnlyCollectionAdminProperties>[] = [
-    'hidden',
-    'preview',
-    // `livePreview` is handled separately
-  ]
-
   serverOnlyCollectionAdminProperties.forEach((key) => {
     if (key in clientCollection.admin) {
       delete clientCollection.admin[key]