[plugin-multi-tenant]: richtext BlocksFeature with relationship exposes other tenants collections #14823

@simovicaleksa

Description

Describe the Bug

When using the BlocksFeature to extend the lexical editor with a block that contains a relationship, the tenant filter is not applied. This leads to the relationship drawer displaying collections from other tenants, making it possible to create relationships between tenants.

I don't think this is a security vulnerability, as I've only confirmed it happening for a user with userHasAccessToAllTenants: true, and access control is probably blocking it for normal tenants.

Here is the screenshot with letters labeling where the objects come from. In this case the "Test" tenant is selected (A). The first "Main CTA" comes from tenant A, but the rest are from tenants B, C and D.

[Screenshot: relationship drawer listing "Main CTA" entries from tenants A, B, C and D while tenant A ("Test") is selected]

The expected behavior would be for the drawer to list only "Main CTA" from tenant A, as it does in the rest of the application.

I would have used the provided RelationshipsFeature, but it looks unintuitive to look for a Call-To-Action block under "relationships".

Link to the code that reproduces this issue

.

Reproduction Steps

  1. Create a Payload project
  2. Add the multi-tenant plugin and a user with userHasAccessToAllTenants: true
  3. Create a type: "richtext" field with BlocksFeature and the following configuration:
import type { Field } from "payload";
import { BlocksFeature, lexicalEditor } from "@payloadcms/richtext-lexical";

// Rich text field whose lexical editor is extended with a block that carries a
// relationship field; "some-collection" stands for the tenant-scoped target collection.
const contentField: Field = {
  name: "content",
  type: "richText",
  editor: lexicalEditor({
    features: ({ defaultFeatures }) => [
      ...defaultFeatures,
      BlocksFeature({
        blocks: [
          {
            slug: "block-with-relationship",
            fields: [
              {
                name: "relationship",
                type: "relationship",
                relationTo: "some-collection",
              },
            ],
          },
        ],
      }),
    ],
  }),
};
  4. Open the relationship drawer in the admin panel; you should see options from all tenants instead of only the tenant currently selected for the document

Which area(s) are affected?

plugin: multi-tenant

Environment Info

Binaries:
  Node: 24.10.0
  npm: N/A
  Yarn: N/A
  pnpm: 10.24.0
Relevant Packages:
  payload: 3.66.0
  next: 16.0.7
  @payloadcms/db-postgres: 3.66.0
  @payloadcms/drizzle: 3.66.0
  @payloadcms/email-nodemailer: 3.66.0
  @payloadcms/graphql: 3.66.0
  @payloadcms/live-preview: 3.66.0
  @payloadcms/live-preview-react: 3.66.0
  @payloadcms/next/utilities: 3.66.0
  @payloadcms/payload-cloud: 3.66.0
  @payloadcms/plugin-cloud-storage: 3.66.0
  @payloadcms/plugin-multi-tenant: 3.66.0
  @payloadcms/plugin-seo: 3.66.0
  @payloadcms/richtext-lexical: 3.66.0
  @payloadcms/storage-s3: 3.66.0
  @payloadcms/translations: 3.66.0
  @payloadcms/ui/shared: 3.66.0
  react: 19.2.1
  react-dom: 19.2.1
Operating System:
  Platform: win32
  Arch: x64
  Version: Windows 11 Pro
  Available memory (MB): 32689
  Available CPU cores: 16
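The following is an added example, not code from the issue, from Payload, or from the multi-tenant plugin. It models in plain TypeScript the check the report is about: a `filterOptions`-style callback that scopes relationship options to the editing document's tenant, applied to a constructed sample of one "Main CTA" per tenant so the unscoped (buggy) and scoped results can be compared. It assumes, without confirmation from the issue, that the tenant field is named `tenant` and holds a tenant id, and that the editing document's tenant is reachable from the callback as `data.tenant`; the tiny in-memory query stands in for the drawer's real database query.

```typescript
// Added example (hypothetical helper, not the plugin's code).
// Assumptions: tenant field is named `tenant` and holds a tenant id; the
// document being edited exposes it as `data.tenant` to the callback.

type TenantId = string;

interface Doc {
  id: string;
  title: string;
  tenant: TenantId;
}

// Minimal subset of a Payload-style `Where` clause, enough for this example.
type Where = { tenant: { equals: TenantId } };

interface FilterArgs {
  // Top-level document being edited (only the field this example needs).
  data: { tenant?: TenantId };
  // Mirrors userHasAccessToAllTenants; deliberately NOT consulted below,
  // because scoping the drawer is about the document's tenant, not the user's reach.
  userHasAccessToAllTenants: boolean;
}

// Returns a Where clause restricting options to the document's tenant.
// Returns `false` (no options) when the document has no tenant yet: showing
// nothing is safer than falling back to an unscoped, cross-tenant list.
function tenantFilterOptions(args: FilterArgs): Where | false {
  const tenant = args.data.tenant;
  if (!tenant) return false;
  return { tenant: { equals: tenant } };
}

// Applies the Where clause to candidate documents, as the drawer's query would.
function queryDrawerOptions(docs: Doc[], where: Where | false): Doc[] {
  if (where === false) return [];
  return docs.filter((d) => d.tenant === where.tenant.equals);
}

// Constructed sample data mirroring the screenshot: one "Main CTA" per tenant.
const SAMPLE_CTAS: Doc[] = [
  { id: "cta-a", title: "Main CTA", tenant: "A" },
  { id: "cta-b", title: "Main CTA", tenant: "B" },
  { id: "cta-c", title: "Main CTA", tenant: "C" },
  { id: "cta-d", title: "Main CTA", tenant: "D" },
];

// Unscoped drawer: every tenant's CTA is offered (the behaviour the issue reports).
function unscopedOptions(): Doc[] {
  return SAMPLE_CTAS;
}

// Scoped drawer: only the current document's tenant, even for an all-tenants user.
function scopedOptions(currentTenant: TenantId | undefined): Doc[] {
  const where = tenantFilterOptions({
    data: { tenant: currentTenant },
    userHasAccessToAllTenants: true,
  });
  return queryDrawerOptions(SAMPLE_CTAS, where);
}

console.log(unscopedOptions().map((d) => d.tenant)); // A, B, C, D
console.log(scopedOptions("A").map((d) => d.tenant)); // A only
console.log(scopedOptions(undefined).length); // 0: no tenant, no options
```

The point of keeping the user's all-tenants flag out of the decision is that the scope of a relationship option must follow the document's tenant, not the user's reach: a user who can see every tenant should still not be offered a cross-tenant link from inside a tenant A document. In a real Payload field this logic would sit in the relationship field's `filterOptions` (or be supplied by the plugin), so it is enforced server-side rather than only in the drawer UI.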
