payloadcms / payload

Payload is the open-source, fullstack Next.js framework, giving you instant backend superpowers. Get a full TypeScript backend and admin panel instantly. Use Payload as a headless CMS or for building powerful applications.
https://payloadcms.com
MIT License

fix: skip validation of `where` query paths from access result #9349

Open r1tsuu opened 6 days ago

r1tsuu commented 6 days ago

What?

Previously, `payload.findByID` with `overrideAccess: false` and this collection config:

```ts
{
  slug: 'fields-and-top-access',
  access: {
    read: () => ({
      secret: {
        equals: '12345',
      },
    }),
  },
  fields: [
    {
      type: 'text',
      name: 'secret',
      access: { read: () => false },
    },
  ],
},
```

led to the `The following path cannot be queried: secret` error, because the `where` input to `validateQueryPaths` also includes the result from access control, which it shouldn't.

This works when using payload.find.

The same applies to `find` with drafts / joins `where`. We need to validate only the user's `where` input, not the access control that we defined in our config.

Also, this exact logic seems to be used in `find` without drafts - we don't use `fullWhere` here but `where`, that's why this error isn't being thrown with `find` but only `findByID`.
https://github.com/payloadcms/payload/blob/d9c6288cb20f8bdcc6e4e85705640952018cadd1/packages/payload/src/collections/operations/find.ts#L134
https://github.com/payloadcms/payload/blob/d9c6288cb20f8bdcc6e4e85705640952018cadd1/packages/payload/src/collections/operations/find.ts#L166-L171

Fixes https://github.com/payloadcms/payload/issues/9210
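The distinction described above, as an added example that is not part of the PR or of Payload's code base: a simplified model in which only the caller's `where` is checked against field-level read access, and the access-control constraint is merged in afterwards. `wherePaths`, `validatePaths`, `buildQuery`, the `validateCombined` switch and the `title` field are hypothetical names, and `access.read` is assumed to always return a `where` object.

```javascript
// Simplified model of the check discussed in this PR; not Payload's implementation.
// Constructed config mirroring the PR description, plus a readable `title` field.
const collection = {
  slug: 'fields-and-top-access',
  access: { read: () => ({ secret: { equals: '12345' } }) },
  fields: [
    { type: 'text', name: 'secret', access: { read: () => false } },
    { type: 'text', name: 'title' },
  ],
};

// Collect every field path a where clause references, descending into and/or.
function wherePaths(where) {
  const paths = [];
  for (const [key, value] of Object.entries(where || {})) {
    if (key === 'and' || key === 'or') {
      for (const sub of value) paths.push(...wherePaths(sub));
    } else {
      paths.push(key);
    }
  }
  return paths;
}

// Hypothetical stand-in for validateQueryPaths: reject unknown paths and
// paths whose field-level read access denies the requester.
function validatePaths(where, config, req) {
  const denied = wherePaths(where).filter((path) => {
    const field = config.fields.find((f) => f.name === path);
    if (!field) return true;
    return field.access && field.access.read ? !field.access.read({ req }) : false;
  });
  if (denied.length) {
    throw new Error(`The following path cannot be queried: ${denied.join(', ')}`);
  }
}

// Validate the caller's where only, then AND in the trusted access result.
// validateCombined: true models the earlier behaviour (validating the merged clause).
function buildQuery(userWhere, config, req, { validateCombined = false } = {}) {
  const accessWhere = config.access.read({ req });
  const parts = [userWhere || {}, accessWhere].filter((w) => Object.keys(w).length > 0);
  const fullWhere = { and: parts };
  validatePaths(validateCombined ? fullWhere : userWhere, config, req);
  return fullWhere;
}
```

The access-control constraint on `secret` still reaches the database query, while a caller-supplied filter on `secret` is still rejected, so the field-level restriction keeps applying to untrusted input.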