payload-rbac
Easy-to-use role-based access control for your Payload CMS.
Main features:
With yarn:
```sh
yarn add payload-rbac
```
With npm:
```sh
npm install payload-rbac
```
Add the plugin to your payload config to extend your auth collection:
```ts
import { buildConfig } from 'payload/config';
import rbac from 'payload-rbac';

export default buildConfig({
  plugins: [
    rbac({
      collections: ['users'], // collections to enable rbac on, default: all auth collections
      roles: ['reader', 'maintainer', 'admin'], // roles
    }),
  ],
  // The rest of your config goes here
});
```
All access control functions allow you to control who can access your data and allow you to add an optional filter. This documentation assumes that you are familiar with the Payload documentation on access control.
Anyone has access
```ts
import { allowAnonymous } from 'payload-rbac';

const unfilteredAccess = allowAnonymous();
const filteredAccess = allowAnonymous<Page>({ _status: { equals: 'published' } });
```
You can also use the `filtered` alias, which might make your code more readable if you're using `allowAnonymous` in combination with other access control functions.
```ts
import { filtered } from 'payload-rbac';

const filteredAccess = filtered<Page>({ _status: { equals: 'published' } });
```
Anyone has access to published documents
```ts
import { allowPublished } from 'payload-rbac';

const allPublishedAccess = allowPublished();
const filteredAccess = allowPublished<Page>({ author: { equals: 'Santa' } });
```
Any logged in user has access
```ts
import { allowAnyUser } from 'payload-rbac';

const unfilteredAccess = allowAnyUser();
const filteredAccess = allowAnyUser<Post>({ author: { equals: ({ req }) => req.user!.id } });
```
Only users with the given role have access
```ts
import { allowUserWithRole } from 'payload-rbac';

const unfilteredAccess = allowUserWithRole('admin');
const filteredAccess = allowUserWithRole<Media>('reader', { _status: { equals: 'published' } });
```
Only allow access if the node environment variable with the given key has the given value
```ts
import { allowEnvironmentValues } from 'payload-rbac';

const unfilteredAccess = allowEnvironmentValues('SERVICE_ENV', 'staging');
const filteredAccess = allowEnvironmentValues<Alert>('SERVICE_ENV', 'staging', { _status: { equals: 'published' } });
```
Blocks all requests. If used with payload-openapi or payload-swagger, endpoints with this access control function are excluded from documentation.
```ts
import { blockAll } from 'payload-rbac';

const access = blockAll();
```
All `payload-rbac` access functions accept an optional `where` parameter. If a `where` parameter is provided, it is used as a query if access is granted. See the Payload documentation for more information on queries.
As a filter you can use a Payload `Where` query, but you can also use functions as operands, which receive the `AccessArgs` as input.
```ts
import { Access } from 'payload';
import { filtered } from 'payload-rbac';

const access: Access = filtered<Page>({
  or: [
    { _status: { equals: 'published' } }, // normal where
    { author: { equals: ({ req }) => req.user?.id || '#not-an-author#' } }, // active where
  ],
});
```
To get the most out of the type system, it is recommended to use the generic type parameter on the access control function to specify the collection you're using it on (`Page` in the example above). When you specify the collection, the type system can check that all paths are correct and that your operands are of the correct type, and it can provide autocomplete suggestions.
The composite access control functions allow you to easily combine access control functions, both the functions of `payload-rbac` and your own access control functions.
Allows access if at least one of the given control functions grants access. If all of the matching control functions return a query, those queries are combined with an `or` statement.
```ts
import { allowPublished, allowUserWithRole, requireOne } from 'payload-rbac';

// Anyone has access to published documents, but only editors can see draft documents
const access = requireOne(allowPublished(), allowUserWithRole('editor'));
```
Allows access if all of the given control functions grant access. If one or more of the access control functions return a query, those queries are combined with an `and` statement.
```ts
import { allowPublished, allowAnyUser, requireAll } from 'payload-rbac';

// User needs to login to see the published documents (and cannot see draft documents)
const access = requireAll(allowPublished(), allowAnyUser());
```
Composites can be nested:
```ts
import { allowPublished, allowAnyUser, allowUserWithRole, requireAll, requireOne } from 'payload-rbac';

const compositeAccess = requireOne(
  requireAll(allowPublished(), allowAnyUser()), // any logged in user can access published documents
  allowUserWithRole('editor'), // editors can access all documents
);
```
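The composition rules described above, modelled as an added example that is not payload-rbac's own code: `oneOf`, `allOf`, `published`, `anyUser` and `withRole` are hypothetical stand-ins, the `role` field on the user is an assumption, and unwrapping a single query is a simplification. It evaluates the nested policy for an anonymous request, a reader and an editor, so a policy change that would expose drafts shows up as a changed result.

```typescript
// Model of Payload-style access results: true/false, or a Where query that filters documents.
type Where = { [key: string]: unknown };
type Result = boolean | Where;
type Args = { req: { user?: { id: string; role: string } } }; // `role` field name is an assumption
type AccessFn = (args: Args) => Result;

// Simplified stand-ins for the page's access functions (hypothetical names).
const published: AccessFn = () => ({ _status: { equals: 'published' } });
const anyUser: AccessFn = ({ req }) => Boolean(req.user);
const withRole = (role: string): AccessFn => ({ req }) => req.user?.role === role;

// requireOne as described: denials are ignored, an unfiltered grant wins,
// otherwise the queries of the granting functions are OR-ed.
function oneOf(...fns: AccessFn[]): AccessFn {
  return (args) => {
    const granted = fns.map((fn) => fn(args)).filter((r) => r !== false);
    if (granted.length === 0) return false;
    if (granted.some((r) => r === true)) return true;
    return granted.length === 1 ? (granted[0] as Result) : { or: granted };
  };
}

// requireAll as described: any denial denies, and the returned queries are AND-ed.
function allOf(...fns: AccessFn[]): AccessFn {
  return (args) => {
    const results = fns.map((fn) => fn(args));
    if (results.some((r) => r === false)) return false;
    const queries = results.filter((r) => r !== true);
    if (queries.length === 0) return true;
    return queries.length === 1 ? (queries[0] as Result) : { and: queries };
  };
}

// The nested policy from the page, evaluated for constructed sample requests.
const policy = oneOf(allOf(published, anyUser), withRole('editor'));
function evaluate(user?: { id: string; role: string }): Result {
  return policy({ req: { user } });
}

console.log(evaluate());                             // false: anonymous is denied
console.log(evaluate({ id: 'u1', role: 'reader' })); // { _status: { equals: 'published' } }
console.log(evaluate({ id: 'u2', role: 'editor' })); // true: unfiltered, drafts included
```
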
FAQs
Simple role based access control for your Payload cms
The npm package payload-rbac receives a total of 31 weekly downloads. As such, payload-rbac popularity was classified as not popular.
We found that payload-rbac demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.