import defaultAccess from '../auth/defaultAccess.js';
// Operations that getAccess builds an access function for, in the order its reduce() visits them.
const operations = ['delete', 'read', 'update', 'create'];
// Collection-level fallback used when the config supplies no `queryPresets.access`
// function for an operation. Every entry points at the same imported `defaultAccess`.
// `unlock` is listed here but has no entry in `operations`, so nothing in this file reads it.
const defaultCollectionAccess = {
  create: defaultAccess,
  delete: defaultAccess,
  read: defaultAccess,
  unlock: defaultAccess,
  update: defaultAccess,
};
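/**
 * Builds the query-preset access functions, one per entry in `operations`.
 *
 * Each generated function resolves to one of:
 *  - `false` when collection-level access denies the operation;
 *  - the collection-level result itself for `create`, which has no document-level rules;
 *  - an `{ and: [...] }` query combining the document-level sharing rules
 *    (`access.<operation>.constraint` / `access.<operation>.users`) with any
 *    query object returned by collection-level access.
 *
 * @param {object} config - Config object. `config.queryPresets.access[operation]` and
 *   `config.queryPresets.constraints[operation]` are used when present.
 * @returns {Record<string, Function>} Map of operation name to async access function.
 */
export const getAccess = (config) =>
  operations.reduce((acc, operation) => {
    acc[operation] = async (args) => {
      const { req } = args;

      // Both branches are awaited. `defaultAccess` is imported and not visible here; if it
      // ever returned a promise, an un-awaited result would slip past the `=== false`
      // check below and be spliced into the query as an object.
      let collectionAccess = true;
      if (config?.queryPresets?.access?.[operation]) {
        collectionAccess = await config.queryPresets.access[operation](args);
      } else if (defaultCollectionAccess?.[operation]) {
        collectionAccess = await defaultCollectionAccess[operation](args);
      }

      // If collection-level access control is `false`, no need to continue to document-level access
      if (collectionAccess === false) {
        return false;
      }

      // The `create` operation does not affect the document-level access control
      if (operation === 'create') {
        return collectionAccess;
      }

      const constraintField = `access.${operation}.constraint`;

      // Default access control ensures a user exists, but custom access control may not,
      // so the per-user clause is only emitted when a user is attached to the request.
      const userClauses = req?.user
        ? [
            {
              and: [
                { [`access.${operation}.users`]: { in: [req.user.id] } },
                { [constraintField]: { in: ['onlyMe', 'specificUsers'] } },
              ],
            },
          ]
        : [];

      const customConstraints = config?.queryPresets?.constraints?.[operation] || [];
      const resolvedConstraints = await Promise.all(
        customConstraints.map(async (constraint) => {
          const constraintAccess = constraint.access ? await constraint.access(args) : undefined;

          // A constraint whose access function explicitly denies must not contribute a
          // clause. Emitting `{ constraint equals value }` here would sit inside the `or`
          // and match every document shared under that constraint, i.e. fail open.
          if (constraintAccess === false) {
            return undefined;
          }

          return {
            and: [
              ...(typeof constraintAccess === 'object' ? [constraintAccess] : []),
              { [constraintField]: { equals: constraint.value } },
            ],
          };
        }),
      );
      const constraintClauses = resolvedConstraints.filter((clause) => clause !== undefined);

      return {
        and: [
          {
            or: [
              ...userClauses,
              { [constraintField]: { equals: 'everyone' } },
              ...constraintClauses,
            ],
          },
          // A query object from collection-level access narrows the document-level result.
          ...(typeof collectionAccess === 'object' ? [collectionAccess] : []),
        ],
      };
    };

    return acc;
  }, {});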
//# sourceMappingURL=access.js.map