Closed
Describe the Bug
When using access control functions in Payload CMS, the user object provided in the req should include a collection field according to TypeScript types. However, for operations made by the MCP plugin, at runtime, user.collection is always undefined.
This breaks access control patterns that rely on checking which collection the authenticated user belongs to, such as:
```ts
import type { Access } from 'payload'

export const isEditor: Access = ({ req: { user } }) => {
  // TypeScript says user.collection exists, but it's undefined at runtime
  return Boolean(user && user.collection === 'users' && user.roles.includes('editor'))
}
```

The TypeScript types indicate that `user.collection` should be a string identifying which auth collection the user was authenticated from, but this field is never populated at runtime.
Link to the code that reproduces this issue
https://github.com/jhb-dev/payload-mcp-user-collection-undefined
Reproduction Steps
- Clone the reproduction repository and run the development server with `pnpm dev`
- Try to create a new post with an LLM model via the MCP
- Observe the server console output - it will show:

  ```
  --- Access Control Debug ---
  user: { id: '...', email: '...', ... }
  user?.collection: undefined
  ----------------------------
  ```
- The access control check will fail because `user.collection` is `undefined`
Which area(s) are affected?
plugin: mcp
Environment Info
```
Binaries:
  Node: 24.3.0
  npm: 11.4.2
  Yarn: 1.22.22
  pnpm: 10.12.4
Relevant Packages:
  payload: 3.68.4
  next: 15.4.10
  @payloadcms/db-mongodb: 3.68.4
  @payloadcms/graphql: 3.68.4
  @payloadcms/next/utilities: 3.68.4
  @payloadcms/plugin-mcp: 3.68.4
  @payloadcms/richtext-lexical: 3.68.4
  @payloadcms/translations: 3.68.4
  @payloadcms/ui/shared: 3.68.4
  react: 19.2.1
  react-dom: 19.2.1
Operating System:
  Platform: darwin
  Arch: arm64
```
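
The failure mode reported above, as an added example that is not part of the original issue or of Payload's code: an access check that treats a missing `collection` as a distinct, denied case and reports the reason, so the gap between the declared type and the runtime object shows up in logs instead of as a silent rejection. `RuntimeUser`, `decideEditorAccess`, `isEditorChecked`, the `report` hook and the `api-clients` collection name are hypothetical, and the sample users are constructed.

```typescript
// Local stand-in for the runtime shape of req.user (assumption, not Payload's type).
// `collection` is optional here because the issue shows it can be absent at runtime.
type RuntimeUser = { id: string; email?: string; roles?: string[]; collection?: string }

type Reason = 'ok' | 'anonymous' | 'collection-missing' | 'wrong-collection' | 'missing-role'
type Decision = { allowed: boolean; reason: Reason }

// Hypothetical helper: same rule as isEditor, but it reports why access was denied.
function decideEditorAccess(
  user: RuntimeUser | null | undefined,
  authCollection = 'users',
): Decision {
  if (!user) return { allowed: false, reason: 'anonymous' }
  // Fail closed: an absent collection is never treated as "users".
  if (typeof user.collection !== 'string' || user.collection.length === 0) {
    return { allowed: false, reason: 'collection-missing' }
  }
  if (user.collection !== authCollection) return { allowed: false, reason: 'wrong-collection' }
  if (!Array.isArray(user.roles) || !user.roles.includes('editor')) {
    return { allowed: false, reason: 'missing-role' }
  }
  return { allowed: true, reason: 'ok' }
}

// Access-function-shaped wrapper; `report` is a hypothetical hook for logging.
function isEditorChecked(
  args: { req: { user?: RuntimeUser | null } },
  report: (d: Decision, userId?: string) => void = () => {},
): boolean {
  const user = args.req.user
  const decision = decideEditorAccess(user)
  if (!decision.allowed) report(decision, user?.id)
  return decision.allowed
}

// Constructed sample users, not taken from the reproduction repository.
const withoutCollection: RuntimeUser = { id: 'u1', email: 'editor@example.test', roles: ['editor'] }
const withCollection: RuntimeUser = { ...withoutCollection, collection: 'users' }
const otherCollection: RuntimeUser = { ...withoutCollection, collection: 'api-clients' }

// Run the check over all three and record the cause of each rejection.
const denials: string[] = []
for (const user of [withoutCollection, withCollection, otherCollection]) {
  isEditorChecked({ req: { user } }, (d, id) => denials.push(`${id}:${d.reason}`))
}
```

Removing the `collection` comparison to make the check pass would also admit a user from any other auth collection that carries an `editor` role, which is why the missing field is kept as a denial here.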