The permissions returned by payload.auth() are effectively useless when 'context' is used inside access control.

[DriesCruyskens]

Since payload.auth() also returns permission, they are effectively useless as soon as any access control uses the context.

Let's say we have a UIField on a products collection that renders a form to generate documents in a credits collection for it. We only want to allow this server action to run if the user has permission to create credits. A good reason for needing context.fromCreditsGenerator: true is to disable creation of credits throughout the admin dashboard.

export const Credits: CollectionConfig = {
  slug: "credits",
  fields: [
    ...
  ],
  access: {
    create: async ({ req }) => {
      const { context, user} = req;

      if (
        // Only allow create if called from withing postGenerator server action
        context.fromPostsGenerator && user.role === Roles.admin
      ) {
        return true;
      }

      return false;
    },
  },
};

export async function generateCredits() {
  const headers = await headersPromise();
  const { user, permissions } = await payload.auth({
    headers,
    // This is currently not possible
    req: { context: { fromCreditsGenerator: true },
  });
  
  // Should be true but since we can't pass a context it will return false
  const hasCreatePermissionOnCredits = permissions.collections?.credits.create
  
  if (!hasCreatePermissionOnCredits) return;
  
  payload.create({
    collection: "credits",
    data: {},
    context: {
      // Notice how we can set the context here. This should also be possible when calling auth()
      fromCreditsGenerator: true,
    },
}),