Access control - user = undefined

[markus9797]

Hi!
I have been following some sample projects & am trying to set some user access rules.
For a collection "Posts" the access control is set as follows:
const isLoggedIn: Access<any, User> = ({ req: { user } }): boolean => { // Return true if user is logged in, false if not console.log(user); return Boolean(user); }

with the access defined as:
const Posts: CollectionConfig = { // the slug is used for naming the collection in the database and the APIs that are open. For example: api/posts/${id} slug: 'posts', admin: { // this is the name of a field which will be visible for the edit screen and is also used for relationship fields useAsTitle: 'title', // defaultColumns is used on the listing screen in the admin UI for the collection defaultColumns: [ 'title', 'category', 'publishDate', 'tags', 'status' ], group: 'Content' }, access: { create: isLoggedIn, update: isLoggedIn, delete: isLoggedIn, read: isLoggedIn

The read works fine (get request), however all other requet (delete/post/update) fail, since the user somehow ends up undefined for the request object. I checked the session cookie, this one gets send along correctly, so I wonder where the failure might be coming from.

[markus9797]

Forgot to add markdown to the code sections ->

Hi!
I have been following some sample projects & am trying to set some user access rules.

For a collection "Posts" the access control is set as follows:
const isLoggedIn: Access<any, User> = ({ req: { user } }): boolean => { // Return true if user is logged in, false if not console.log(user); return Boolean(user); }

with the access defined as:
const Posts: CollectionConfig = { // the slug is used for naming the collection in the database and the APIs that are open. For example: api/posts/${id} slug: 'posts', admin: { // this is the name of a field which will be visible for the edit screen and is also used for relationship fields useAsTitle: 'title', // defaultColumns is used on the listing screen in the admin UI for the collection defaultColumns: [ 'title', 'category', 'publishDate', 'tags', 'status' ], group: 'Content' }, access: { create: isLoggedIn, update: isLoggedIn, delete: isLoggedIn, read: isLoggedIn

The read works fine (get request), however all other requet (delete/post/update) fail, since the user somehow ends up undefined for the request object. I checked the session cookie, this one gets send along correctly, so I wonder where the failure might be coming from.

[markus9797]

Turned out the problem was based on cors issues.
(The dev server ran on the local network & I configured dnsmasq (which is installed on a raspberry pi acting as local dns server) to map the ip to a domain name.
The PAYLOAD_PUBLIC_SERVER_URL in the .env was adapted to match that name, which resolved cors issues for GET requests.
However, for other types (e.g. POST) the issue persisted silenently (no errors indicating cors issue were logged).
As a fix for now I added the domain in the csrf array of the payload.config.ts file. -
in case anybody else runs into a similar situation in the future.

[jankohlbach]

you saved my evening with this
just adding the localhost url of payload also to the cors and csrf options fixed it, thanks