Admin users see all records in frontend when they should only see their own

[abdhass]

I use Payload for Auth for frontend. I have a orders collection. But if a admin has access to all records, it seems to return all records if they are also a customer in the front end.

How do i setup RBAC in a way that a admin can also be a user on the front end and only see records related to them but when they log into admin, they should be able to see everything.

[DanRibbens]

For the admin users to only see their own orders you will need to add a where query to your fetch to filter all the other orders from appearing.

I don't know if you're using graphql or REST but the fetch url might look like this, though could be different based on the name of your relationship field referencing the user.

/api/orders?where[user][equals]=${user.id}

Payload's API will merge your orders collection read access control written into the config with the incoming where query to give the accurate results.

I hope that helps!

[abdhass]

Thanks that makes sense, didnt know it will merge it. Im mainly using local api via server actions.

So what about with findByID. If i do something like

const booking = await payload.findByID({
    collection: "bookings",
    id: id,
  });

This will by default return every record that gets passed in as long as the user is a admin. You cant also put a where clause here. Will i have to generally stick to find?

To workaround this, I was thinking if theres a way to detect if the user is in the frontend. Maybe settting headers on every request. But would appreciate any advice.

How im working around at the moment

This is how im dealing with this problem now by checking if the user owns the record in JS.

const bookingUserId =
 // always have to do this as sometimes the relationship returns a number according to the Type. any advice on that appreciated too
    typeof booking.user === "object" ? booking.user.id : booking.user;
// here im checking if the user owns this
  if (bookingUserId !== user.id) {
    redirect("/dashboard");
  }

[DanRibbens]

How do you have the id of the booking? You must be fetching bookings some place in your frontend and I would expect that to happen as a find.
Assuming you can't combine queries to do what you need in one request and you have the id somehow (url maybe?) Then instead of findByID you could make the fetch with something like:

const result = await payload.find({
  collection: 'bookings',
  where: {
    id: { equals: id }, 
    user: { equals: user.id },
  },
})
const booking = result.docs[0]