chladog / payload-webp

payloadcms/payload plugin for automatic image conversion to webp format.
https://www.npmjs.com/package/payload-webp
GNU General Public License v3.0

Cannot access payload-webp optimized images using query return in access control #15

Open DanielKraemer opened 1 year ago

DanielKraemer commented 1 year ago

Original-Post https://github.com/payloadcms/payload/issues/3101

If you need further information feel free to ask ;-)

Original Post from payloadcms/payload

To Reproduce

Upload images to a media collection with a relationship field (e.g. to a site) and have payload-webp installed and activated. Only allow users to read the webp files if they have a relationship to the same site, and use a query constraint for checking this.

Access configuration for my media collection:

access: {
  create: ****,
  read: hasBasicReadAccess('site'),
  update: ****,
  delete: ****,
},

Function "hasBasicReadAccess":

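import { Access } from 'payload/config';
// `Site` is the project's own type for the site collection (its import is not shown in the post).

// Read access: system admins see everything; other logged-in users get a
// query constraint limiting them to their own uploads or their sites' media.
export const hasBasicReadAccess = (siteIdFieldName = 'siteId'): Access => ({
  req: {
    user,
  },
}) => {
  if (user?.isSystemAdmin) return true;
  if (user) {
    // Collect the IDs of all sites the user is related to
    const userSiteIds: string[] = [];

    if (user.sites && user.sites.length > 0) {
      user.sites.forEach(({ site } : { site: string | Site }) => {
        // The relationship may be populated (object) or a bare ID (string)
        userSiteIds.push((typeof site === 'string') ? site : site.id);
      });
    }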

    return {
      or: [
        {
          author: {
            equals: user.id,
          },
        },
        {
          [siteIdFieldName]: {
            in: userSiteIds,
          },
        },
      ],
    };
  }
  return false;
};

Describe the Bug

I cannot access a .webp media file created by payload-webp when returning a query constraint while checking read access.

Testing it as a MongoDB query, using Robo 3T for example, all is fine.

Always receiving error:

Forbidden: You are not allowed to perform this action.
    at /home/user/payloadcms/node_modules/payload/src/auth/getExecuteStaticAccess.ts:53:17
    at processTicksAndRejections (node:internal/process/task_queues:95:5)

payload-webp version: ^1.1.0

Payload Version

1.8.2

MinSomai commented 3 months ago

For me, this happened because I had conflicting logins. I have two collections with auth: true and it was causing the issue. If you open in incognito, this goes away. To fix this, you can simply clear your cookies/localStorage.