fix: blocks access control not respecting update access whether on collection or on a per field basis (#14226)

Fixes #14221
Fixes #13569

Fixes a problem where blocks would have their fields disappear entirely
if update permissions were false on the collection or on the blocks
field itself.

This fixes that and makes sure that fields are always visible and that
the blocks fields are correctly being set to readOnly mode if you have
permissions to read but not update

Author: paulpopus

packages/payload/src/utilities/getEntityPolicies.ts

@@ -247,7 +247,12 @@ const executeFieldPolicies = async ({
 
           await Promise.all(
             (field.blockReferences ?? field.blocks).map(async (_block) => {
-              const block = typeof _block === 'string' ? payload.blocks[_block]! : _block
+              const block = typeof _block === 'string' ? payload.blocks[_block] : _block
+
+              // Skip if block doesn't exist (invalid block reference)
+              if (!block) {
+                return
+              }
 
               if (typeof _block === 'string') {
                 if (blockPolicies[_block]) {
@@ -264,22 +269,32 @@ const executeFieldPolicies = async ({
                   // so that any parallel calls will just await this same promise
                   // instead of re-running executeFieldPolicies.
                   blockPolicies[_block] = (async () => {
-                    // If the block doesn’t exist yet in our mutablePolicies, initialize it
+                    // If the block doesn't exist yet in our mutablePolicies, initialize it
                     if (!mutablePolicies[field.name].blocks?.[block.slug]) {
+                      // Use field-level permission instead of entityPermission for blocks
+                      // This ensures that if the field has access control, it applies to all blocks in the field
+                      const fieldPermission =
+                        mutablePolicies[field.name][operation]?.permission ?? entityPermission
+
                       mutablePolicies[field.name].blocks[block.slug] = {
                         fields: {},
-                        [operation]: { permission: entityPermission },
+                        [operation]: { permission: fieldPermission },
                       }
                     } else if (!mutablePolicies[field.name].blocks[block.slug][operation]) {
+                      // Use field-level permission for consistency
+                      const fieldPermission =
+                        mutablePolicies[field.name][operation]?.permission ?? entityPermission
+
                       mutablePolicies[field.name].blocks[block.slug][operation] = {
-                        permission: entityPermission,
+                        permission: fieldPermission,
                       }
                     }
 
                     await executeFieldPolicies({
                       blockPolicies,
                       createAccessPromise,
-                      entityPermission,
+                      entityPermission:
+                        mutablePolicies[field.name][operation]?.permission ?? entityPermission,
                       fields: block.fields,
                       operation,
                       payload,
@@ -296,20 +311,29 @@ const executeFieldPolicies = async ({
               }
 
               if (!mutablePolicies[field.name].blocks?.[block.slug]) {
+                // Use field-level permission instead of entityPermission for blocks
+                const fieldPermission =
+                  mutablePolicies[field.name][operation]?.permission ?? entityPermission
+
                 mutablePolicies[field.name].blocks[block.slug] = {
                   fields: {},
-                  [operation]: { permission: entityPermission },
+                  [operation]: { permission: fieldPermission },
                 }
               } else if (!mutablePolicies[field.name].blocks[block.slug][operation]) {
+                // Use field-level permission for consistency
+                const fieldPermission =
+                  mutablePolicies[field.name][operation]?.permission ?? entityPermission
+
                 mutablePolicies[field.name].blocks[block.slug][operation] = {
-                  permission: entityPermission,
+                  permission: fieldPermission,
                 }
               }
 
               await executeFieldPolicies({
                 blockPolicies,
                 createAccessPromise,
-                entityPermission,
+                entityPermission:
+                  mutablePolicies[field.name][operation]?.permission ?? entityPermission,
                 fields: block.fields,
                 operation,
                 payload,

packages/payload/src/utilities/getFieldPermissions.spec.ts

@@ -0,0 +1,86 @@
+import type { SanitizedDocumentPermissions } from '../auth/types.js'
+
+import { getFieldPermissions } from './getFieldPermissions.js'
+
+describe('getFieldPermissions with collection fallback', () => {
+  const mockField = {
+    name: 'testField',
+    type: 'text' as const,
+  }
+
+  describe('fallback to collection permissions', () => {
+    it('should enable read-only mode when field permissions are missing but collection has read access', () => {
+      const fieldPermissions = {} // Empty/sanitized field permissions
+      const collectionPermissions: SanitizedDocumentPermissions = {
+        read: true,
+        fields: {},
+      }
+
+      const result = getFieldPermissions({
+        field: mockField,
+        operation: 'update',
+        parentName: '',
+        permissions: fieldPermissions,
+        collectionPermissions,
+      })
+
+      expect(result.read).toBe(true)
+      expect(result.operation).toBe(false) // Should be read-only
+      expect(result.permissions).toEqual({ read: true })
+    })
+
+    it('should respect existing field permissions when they exist', () => {
+      const fieldPermissions = true // All permissions are true
+      const collectionPermissions: SanitizedDocumentPermissions = {
+        read: true,
+        fields: {},
+      }
+
+      const result = getFieldPermissions({
+        field: mockField,
+        operation: 'update',
+        parentName: '',
+        permissions: fieldPermissions,
+      })
+
+      expect(result.read).toBe(true)
+      expect(result.operation).toBe(true) // Should have operation permission
+      expect(result.permissions).toBe(true)
+    })
+
+    it('should not provide access when neither field nor collection has read permission', () => {
+      const fieldPermissions = {}
+      const collectionPermissions: SanitizedDocumentPermissions = {
+        // No read permission at collection level
+        fields: {},
+      }
+
+      const result = getFieldPermissions({
+        field: mockField,
+        operation: 'update',
+        parentName: '',
+        permissions: fieldPermissions,
+        collectionPermissions,
+      })
+
+      expect(result.read).toBe(false)
+      expect(result.operation).toBe(false)
+    })
+
+    it('should work without collection permissions (backward compatibility)', () => {
+      const fieldPermissions = true // All permissions
+
+      const result = getFieldPermissions({
+        field: mockField,
+        operation: 'update',
+        parentName: '',
+        permissions: fieldPermissions,
+        // No collectionPermissions provided
+      })
+
+      expect(result.read).toBe(true)
+      expect(result.operation).toBe(true)
+      expect(result.permissions).toBe(true)
+    })
+  })
+})

packages/payload/src/utilities/getFieldPermissions.ts

@@ -1,5 +1,9 @@
 /* eslint-disable @typescript-eslint/no-explicit-any */
-import type { SanitizedFieldPermissions, SanitizedFieldsPermissions } from '../auth/types.js'
+import type {
+  SanitizedDocumentPermissions,
+  SanitizedFieldPermissions,
+  SanitizedFieldsPermissions,
+} from '../auth/types.js'
 import type { ClientField, Field } from '../fields/config/types.js'
 import type { Operation } from '../types/index.js'
 
@@ -11,11 +15,13 @@ import type { Operation } from '../types/index.js'
  * - `read`: Whether the user has permission to read the field.
  */
 export const getFieldPermissions = ({
+  collectionPermissions,
   field,
   operation,
   parentName,
   permissions,
 }: {
+  readonly collectionPermissions?: SanitizedDocumentPermissions
   readonly field: ClientField | Field
   readonly operation: Operation
   readonly parentName: string
@@ -28,8 +34,9 @@ export const getFieldPermissions = ({
    */
   permissions: SanitizedFieldPermissions | SanitizedFieldsPermissions
   read: boolean
-} => ({
-  operation:
+} => {
+  // First, calculate permissions using the existing logic
+  const fieldOperation =
     permissions === true ||
     permissions?.[operation as keyof typeof permissions] === true ||
     permissions?.[parentName as keyof typeof permissions] === true ||
@@ -38,21 +45,53 @@ export const getFieldPermissions = ({
       permissions?.[field.name as keyof typeof permissions] &&
       (permissions[field.name as keyof typeof permissions] === true ||
         (operation in (permissions as any)[field.name] &&
-          (permissions as any)[field.name][operation]))),
+          (permissions as any)[field.name][operation])))
 
-  permissions:
+  const fieldPermissions =
     permissions === undefined || permissions === null || permissions === true
       ? true
       : 'name' in field
         ? (permissions as any)[field.name]
-        : permissions,
-  read:
+        : permissions
+
+  const fieldRead =
     permissions === true ||
     permissions?.read === true ||
     permissions?.[parentName as keyof typeof permissions] === true ||
     ('name' in field &&
       typeof permissions === 'object' &&
       permissions?.[field.name as keyof typeof permissions] &&
       ((permissions as any)[field.name] === true ||
-        ('read' in (permissions as any)[field.name] && (permissions as any)[field.name].read))),
-})
+        ('read' in (permissions as any)[field.name] && (permissions as any)[field.name].read)))
+
+  // Check if field permissions are effectively empty/missing
+  const hasFieldPermissions =
+    permissions === true ||
+    (typeof permissions === 'object' && permissions !== null && Object.keys(permissions).length > 0)
+
+  // If no field permissions are defined, fallback to collection permissions
+  if (!hasFieldPermissions && collectionPermissions) {
+    const collectionRead = Boolean(collectionPermissions.read)
+    let collectionOperation = false
+
+    // Check operation-specific permission on collection
+    if (operation === 'create' && 'create' in collectionPermissions) {
+      collectionOperation = Boolean(collectionPermissions.create)
+    } else if (operation === 'update') {
+      collectionOperation = Boolean(collectionPermissions.update)
+    }
+
+    return {
+      operation: collectionOperation,
+      permissions: { read: collectionRead } as SanitizedFieldPermissions,
+      read: collectionRead,
+    }
+  }
+
+  // Return the calculated permissions
+  return {
+    operation: Boolean(fieldOperation),
+    permissions: fieldPermissions,
+    read: Boolean(fieldRead),
+  }
+}

packages/ui/src/fields/Blocks/BlockRow.tsx

@@ -94,16 +94,39 @@ export const BlockRow: React.FC<BlocksFieldProps> = ({
     .filter(Boolean)
     .join(' ')
 
-  let blockPermissions: RenderFieldsProps['permissions'] = undefined
+  let blockPermissions: RenderFieldsProps['permissions'] = true
 
   if (permissions === true) {
     blockPermissions = true
   } else {
-    const permissionsBlockSpecific = permissions?.blocks?.[block.slug]
+    const permissionsBlockSpecific = permissions?.blocks?.[block.slug] || permissions?.blocks
     if (permissionsBlockSpecific === true) {
       blockPermissions = true
+    } else if (permissionsBlockSpecific?.fields) {
+      blockPermissions = permissionsBlockSpecific.fields
     } else {
-      blockPermissions = permissionsBlockSpecific?.fields
+      // Check if we should fall back to read-only mode based on permission structure
+      // This handles cases where field-level access control exists but block permissions were sanitized
+      if (typeof permissions === 'object' && permissions && !permissionsBlockSpecific) {
+        // If permissions object exists but has no block-specific permissions,
+        // check if it has any restrictive characteristics
+        const hasReadPermission = permissions.read === true
+        const missingCreateOrUpdate = !permissions.create || !permissions.update
+        const hasRestrictiveStructure =
+          hasReadPermission &&
+          (missingCreateOrUpdate ||
+            (typeof permissions === 'object' &&
+              Object.keys(permissions).length === 1 &&
+              permissions.read))
+
+        if (hasRestrictiveStructure) {
+          blockPermissions = { read: true }
+        } else {
+          blockPermissions = permissionsBlockSpecific?.fields
+        }
+      } else {
+        blockPermissions = permissionsBlockSpecific?.fields
+      }
     }
   }