Global config for Access Control the Local API

[paulpopus]

Following the discussion on Discord, it seems that some people may find it useful to have the default for overrideAccess configurable in the global config of Payload instead of manually doing it per use.

Source in documentation: https://payloadcms.com/docs/local-api/overview

I'd like to open a PR for this if it makes sense, it seems simple enough for my first PR to get accustomed with the core logic of Payload.

I'd make a new config item for the Local API:

export type LocalApiConfig = {
  /** Configures the default access control for the local API. Defaults to 'true'  */
  overrideAccess?: boolean;
};

And then in the find- functions I'd add a check for the global config with a default to true.

[xHomu]

Going through the docs, it wasn't obvious that the default Local API behavior ignores access controls altogether.

It's very easy to accidentally forget the prop, and thus exposing data that we didn't intent to. I understand that it might be too late to change overrideAccess to false by default, so global config for Local API would be much appreciated!

[xndyz]

This would be great QOL improvement

[johannesfritsch]

This is not purely a QOL improvement. This is a pressing security issue. We're developing many custom graphql endpoints. And if one of my devs forgets to pass the user and set overrideAccess to false to any of the payload functions, the whole security is dismissed and any document is accessible.

I would sharply recommend making overrideAccess configurable, either on collections or even better on the global configuration. This change should not break anything.

I will have a look at the code and maybe provide a patch. But I'm not deep enough into the codebase and therefore hesitant to provide a PR all too quickly. Some signal from the team would be awesome to save us all some time.