Configure user access

payload/src/access/isAdmin.ts

@@ -0,0 +1,12 @@
+import { Access, FieldAccess } from "payload/types";
+import { User } from "../payload-types";
+
+export const isAdmin: Access<any, User> = ({ req: { user } }) => {
+  // Return true or false based on if the user has an admin role
+  return Boolean(user?.roles?.includes('admin'));
+}
+
+export const isAdminFieldLevel: FieldAccess<{ id: string }, unknown, User> = ({ req: { user } }) => {
+  // Return true or false based on if the user has an admin role
+  return Boolean(user?.roles?.includes('admin'));
+}

payload/src/access/isAdminOrSelf.ts

@@ -0,0 +1,21 @@
+import { Access } from "payload/config";
+
+export const isAdminOrSelf: Access = ({ req: { user } }) => {
+  // Need to be logged in
+  if (user) {
+    // If user has role of 'admin'
+    if (user.roles?.includes('admin')) {
+      return true;
+    }
+
+    // If any other type of user, only provide access to themselves
+    return {
+      id: {
+        equals: user.id,
+      }
+    }
+  }
+
+  // Reject everyone else
+  return false;
+}

payload/src/collections/Users.ts

@@ -1,6 +1,6 @@
 import { CollectionConfig } from 'payload/types';
-
-const isAdmin = ({ req: { user } }) => (user && user.role === 'admin');
+import { isAdmin, isAdminFieldLevel } from '../access/isAdmin';
+import { isAdminOrSelf } from '../access/isAdminOrSelf';
 
 const Users: CollectionConfig = {
   slug: 'users',
@@ -9,11 +9,14 @@ const Users: CollectionConfig = {
     useAsTitle: 'email',
   },
   access: {
-    read: isAdmin,
+    create: isAdmin,
+    read: isAdminOrSelf,
+    update: isAdminOrSelf,
+    delete: isAdmin,
   },
   fields: [ 
     {
-      name: 'role',
+      name: 'roles',
       type: 'select',
       options: [
         { label: 'ssg', value: 'ssg' }, //cRud
@@ -23,14 +26,14 @@ const Users: CollectionConfig = {
       ],
       required: true,
       defaultValue: "user",
+      // JWT so that role is accessible from 'req.user'
+      saveToJWT: true,
+      hasMany: true,
       access: {
-        create: isAdmin,
-        read: isAdmin,
-        update: isAdmin,
+        create: isAdminFieldLevel,
+        read: () => true,
+        update: isAdminFieldLevel,
       },
-      admin: {
-        readOnly: !isAdmin
-      }
     },
     {
       name: 'name',