payloadcms / payload

The best way to build a modern backend + admin UI. No black magic, all TypeScript, and fully open-source, Payload is both an app framework and a headless CMS.
https://payloadcms.com
MIT License

feat!: remove properties without access from /access endpoint #6881

Open paulpopus opened 1 week ago

paulpopus commented 1 week ago

Removes any properties that result in `false` or an empty object `{}` from the `/api/access` endpoint.

Improves security by not leaking out the names of hidden or private collections.

```jsonc
// before
{
  "canAccessAdmin": false,
  "collections": {
    "posts": {
      "fields": {
        "text": {
          "create": {
            "permission": false
          },
          "read": {
            "permission": true
          },
          "update": {
            "permission": false
          },
          "delete": {
            "permission": false
          },
          "readVersions": {
            "permission": false
          }
          // ...
```

```jsonc
// current
{
  "collections": {
    "posts": {
      "fields": {
        "text": {
          "read": {
            "permission": true
          },
          // ...
```
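The pruning behaviour the PR description shows, written out as an added example (this is not Payload's own implementation and is not taken from the PR diff). It assumes the nested `{ create: { permission: boolean }, ... }` shape from the before/after snippets above, and it assumes that `where` is the only key whose subtree is a query constraint rather than a permission tree; the constructed `sampleBefore` input, including the hypothetical `secretCollection`, is made up for the demonstration. The point worth seeing in working code is the second half of the rule: a `false` leaf is dropped, and an object that becomes empty as a result is dropped as well, which is what removes the name of a collection the user has no rights on at all. The `where` caveat matters because a `false` inside a filter (`archived: { equals: false }`) is a legitimate value, so a naive recursive strip would corrupt constrained permissions.

```typescript
// Illustrative pruning pass for a Payload-style access response.
// Added example, not Payload's own code: it assumes the nested
// { create: { permission: boolean }, ... } shape from the PR description.

type Permissions = { [key: string]: unknown };

// Keys whose subtree is a query constraint, not a permission tree. A `false`
// inside a `where` clause is a legitimate filter value and must survive.
// (Assumption: `where` is the only such key.)
const VERBATIM_KEYS = new Set(['where']);

function isPlainObject(v: unknown): v is Permissions {
  return typeof v === 'object' && v !== null && !Array.isArray(v);
}

// Recursively drop every `false` leaf and every object that is (or becomes)
// empty. Returns `undefined` when nothing is left, so the caller drops the
// key itself instead of emitting `{}`; that is what keeps the names of
// collections the user cannot touch out of the response.
function pruneAccess(value: unknown): unknown {
  if (value === false) return undefined;
  if (!isPlainObject(value)) return value;

  const out: Permissions = {};
  for (const key of Object.keys(value)) {
    const child = value[key];
    const kept = VERBATIM_KEYS.has(key) ? child : pruneAccess(child);
    if (kept !== undefined) out[key] = kept;
  }
  return Object.keys(out).length === 0 ? undefined : out;
}

// Top-level wrapper: an access response is always an object, even for a
// user who has no rights at all.
function pruneAccessResponse(response: Permissions): Permissions {
  const pruned = pruneAccess(response);
  return isPlainObject(pruned) ? pruned : {};
}

// Constructed sample input (not captured from a real Payload instance).
// `secretCollection` stands in for a collection this user may not see at all.
const sampleBefore: Permissions = {
  canAccessAdmin: false,
  collections: {
    posts: {
      fields: {
        text: {
          create: { permission: false },
          read: { permission: true },
          update: { permission: false },
          delete: { permission: false },
          readVersions: { permission: false },
        },
      },
      read: {
        permission: true,
        where: { status: { equals: 'published' }, archived: { equals: false } },
      },
    },
    secretCollection: {
      fields: {},
      create: { permission: false },
      read: { permission: false },
    },
  },
};

console.log(JSON.stringify(pruneAccessResponse(sampleBefore), null, 2));
```

Running it prints only `collections.posts` with the `text.read` field permission and the constrained `read` rule intact; `canAccessAdmin` and the whole `secretCollection` entry are gone, and the `equals: false` inside `where` is untouched.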