fix(plugin-multi-tenant): constrain results to assigned tenants when present (#13365)

Extension of #13213

This PR correctly filters tenants, users and documents based on the
users assigned tenants if any are set. If a user is assigned tenants
then list results should only show documents with those tenants (when
selector is not set). Previously you could construct access results that
allows them to see them, but in the confines of the admin panel they
should not see them. If you wanted a user to be able to see a "public"
tenant while inside the admin panel they either need to be added to the
tenant or have no tenants at all.

Note that this is for filtering only, access control still controls what
documents a user has _access_ to a document. The filters are and always
have been a way to filter out results in the list view.

Author: JarrodMFlesch

packages/plugin-multi-tenant/src/exports/utilities.ts

@@ -1,4 +1,4 @@
-export { filterDocumentsBySelectedTenant as getTenantListFilter } from '../list-filters/filterDocumentsBySelectedTenant.js'
+export { filterDocumentsByTenants as getTenantListFilter } from '../filters/filterDocumentsByTenants.js'
 export { getGlobalViewRedirect } from '../utilities/getGlobalViewRedirect.js'
 export { getTenantAccess } from '../utilities/getTenantAccess.js'
 export { getTenantFromCookie } from '../utilities/getTenantFromCookie.js'

packages/plugin-multi-tenant/src/filters/filterDocumentsByTenants.ts

@@ -0,0 +1,52 @@
+import type { PayloadRequest, Where } from 'payload'
+
+import { defaults } from '../defaults.js'
+import { getCollectionIDType } from '../utilities/getCollectionIDType.js'
+import { getTenantFromCookie } from '../utilities/getTenantFromCookie.js'
+import { getUserTenantIDs } from '../utilities/getUserTenantIDs.js'
+
+type Args = {
+  filterFieldName: string
+  req: PayloadRequest
+  tenantsArrayFieldName?: string
+  tenantsArrayTenantFieldName?: string
+  tenantsCollectionSlug: string
+}
+export const filterDocumentsByTenants = ({
+  filterFieldName,
+  req,
+  tenantsArrayFieldName = defaults.tenantsArrayFieldName,
+  tenantsArrayTenantFieldName = defaults.tenantsArrayTenantFieldName,
+  tenantsCollectionSlug,
+}: Args): null | Where => {
+  const idType = getCollectionIDType({
+    collectionSlug: tenantsCollectionSlug,
+    payload: req.payload,
+  })
+
+  // scope results to selected tenant
+  const selectedTenant = getTenantFromCookie(req.headers, idType)
+  if (selectedTenant) {
+    return {
+      [filterFieldName]: {
+        in: [selectedTenant],
+      },
+    }
+  }
+
+  // scope to user assigned tenants
+  const userAssignedTenants = getUserTenantIDs(req.user, {
+    tenantsArrayFieldName,
+    tenantsArrayTenantFieldName,
+  })
+  if (userAssignedTenants.length > 0) {
+    return {
+      [filterFieldName]: {
+        in: userAssignedTenants,
+      },
+    }
+  }
+
+  // no tenant selected and no user tenants, return null to allow access control to handle it
+  return null
+}

packages/plugin-multi-tenant/src/index.ts

@@ -10,10 +10,8 @@ import { defaults } from './defaults.js'
 import { getTenantOptionsEndpoint } from './endpoints/getTenantOptionsEndpoint.js'
 import { tenantField } from './fields/tenantField/index.js'
 import { tenantsArrayField } from './fields/tenantsArrayField/index.js'
+import { filterDocumentsByTenants } from './filters/filterDocumentsByTenants.js'
 import { addTenantCleanup } from './hooks/afterTenantDelete.js'
-import { filterDocumentsBySelectedTenant } from './list-filters/filterDocumentsBySelectedTenant.js'
-import { filterTenantsBySelectedTenant } from './list-filters/filterTenantsBySelectedTenant.js'
-import { filterUsersBySelectedTenant } from './list-filters/filterUsersBySelectedTenant.js'
 import { translations } from './translations/index.js'
 import { addCollectionAccess } from './utilities/addCollectionAccess.js'
 import { addFilterOptionsToFields } from './utilities/addFilterOptionsToFields.js'
@@ -148,7 +146,8 @@ export const multiTenantPlugin =
       adminUsersCollection.admin.baseListFilter = combineListFilters({
         baseListFilter: adminUsersCollection.admin?.baseListFilter,
         customFilter: (args) =>
-          filterUsersBySelectedTenant({
+          filterDocumentsByTenants({
+            filterFieldName: `${tenantsArrayFieldName}.${tenantsArrayTenantFieldName}`,
             req: args.req,
             tenantsArrayFieldName,
             tenantsArrayTenantFieldName,
@@ -211,8 +210,11 @@ export const multiTenantPlugin =
           collection.admin.baseListFilter = combineListFilters({
             baseListFilter: collection.admin?.baseListFilter,
             customFilter: (args) =>
-              filterTenantsBySelectedTenant({
+              filterDocumentsByTenants({
+                filterFieldName: 'id',
                 req: args.req,
+                tenantsArrayFieldName,
+                tenantsArrayTenantFieldName,
                 tenantsCollectionSlug,
               }),
           })
@@ -306,9 +308,11 @@ export const multiTenantPlugin =
           collection.admin.baseListFilter = combineListFilters({
             baseListFilter: collection.admin?.baseListFilter,
             customFilter: (args) =>
-              filterDocumentsBySelectedTenant({
+              filterDocumentsByTenants({
+                filterFieldName: tenantFieldName,
                 req: args.req,
-                tenantFieldName,
+                tenantsArrayFieldName,
+                tenantsArrayTenantFieldName,
                 tenantsCollectionSlug,
               }),
           })

packages/plugin-multi-tenant/src/list-filters/filterDocumentsBySelectedTenant.ts

@@ -19,10 +19,9 @@ export const getUserTenantIDs = <IDType extends number | string>(
     return []
   }
 
-  const {
-    tenantsArrayFieldName = defaults.tenantsArrayFieldName,
-    tenantsArrayTenantFieldName = defaults.tenantsArrayTenantFieldName,
-  } = options || {}
+  const tenantsArrayFieldName = options?.tenantsArrayFieldName || defaults.tenantsArrayFieldName
+  const tenantsArrayTenantFieldName =
+    options?.tenantsArrayTenantFieldName || defaults.tenantsArrayTenantFieldName
 
   return (
     (Array.isArray(user[tenantsArrayFieldName]) ? user[tenantsArrayFieldName] : [])?.reduce<

packages/plugin-multi-tenant/src/list-filters/filterTenantsBySelectedTenant.ts

@@ -1,9 +1,85 @@
-import type { CollectionConfig } from 'payload'
+import type { Access, CollectionConfig, Where } from 'payload'
+
+import { getUserTenantIDs } from '@payloadcms/plugin-multi-tenant/utilities'
 
 import { menuItemsSlug } from '../shared.js'
 
+const collectionTenantReadAccess: Access = ({ req }) => {
+  // admins can access all tenants
+  if (req?.user?.roles?.includes('admin')) {
+    return true
+  }
+
+  if (req.user) {
+    const assignedTenants = getUserTenantIDs(req.user, {
+      tenantsArrayFieldName: 'tenants',
+      tenantsArrayTenantFieldName: 'tenant',
+    })
+
+    // if the user has assigned tenants, add id constraint
+    if (assignedTenants.length > 0) {
+      return {
+        or: [
+          {
+            tenant: {
+              in: assignedTenants,
+            },
+          },
+          {
+            'tenant.isPublic': {
+              equals: true,
+            },
+          },
+        ],
+      }
+    }
+  }
+
+  // if the user has no assigned tenants, return a filter that allows access to public tenants
+  return {
+    'tenant.isPublic': {
+      equals: true,
+    },
+  } as Where
+}
+
+const collectionTenantUpdateAccess: Access = ({ req }) => {
+  // admins can update all tenants
+  if (req?.user?.roles?.includes('admin')) {
+    return true
+  }
+
+  if (req.user) {
+    const assignedTenants = getUserTenantIDs(req.user, {
+      tenantsArrayFieldName: 'tenants',
+      tenantsArrayTenantFieldName: 'tenant',
+    })
+
+    // if the user has assigned tenants, add id constraint
+    if (assignedTenants.length > 0) {
+      return {
+        tenant: {
+          in: assignedTenants,
+        },
+      }
+    }
+  }
+
+  return false
+}
+
 export const MenuItems: CollectionConfig = {
   slug: menuItemsSlug,
+  access: {
+    read: collectionTenantReadAccess,
+    create: ({ req }) => {
+      return Boolean(req?.user?.roles?.includes('admin'))
+    },
+    update: collectionTenantUpdateAccess,
+    delete: ({ req }) => {
+      return Boolean(req?.user?.roles?.includes('admin'))
+    },
+  },
   admin: {
     useAsTitle: 'name',
     group: 'Tenant Collections',

packages/plugin-multi-tenant/src/list-filters/filterUsersBySelectedTenant.ts

@@ -1,9 +1,56 @@
-import type { CollectionConfig } from 'payload'
+import type { Access, CollectionConfig, Where } from 'payload'
+
+import { getUserTenantIDs } from '@payloadcms/plugin-multi-tenant/utilities'
 
 import { tenantsSlug } from '../shared.js'
 
+const tenantAccess: Access = ({ req }) => {
+  // admins can access all tenants
+  if (req?.user?.roles?.includes('admin')) {
+    return true
+  }
+
+  if (req.user) {
+    const assignedTenants = getUserTenantIDs(req.user, {
+      tenantsArrayFieldName: 'tenants',
+      tenantsArrayTenantFieldName: 'tenant',
+    })
+
+    // if the user has assigned tenants, add id constraint
+    if (assignedTenants.length > 0) {
+      return {
+        or: [
+          {
+            id: {
+              in: assignedTenants,
+            },
+          },
+          {
+            isPublic: {
+              equals: true,
+            },
+          },
+        ],
+      }
+    }
+  }
+
+  // if the user has no assigned tenants, return a filter that allows access to public tenants
+  return {
+    isPublic: {
+      equals: true,
+    },
+  } as Where
+}
+
 export const Tenants: CollectionConfig = {
   slug: tenantsSlug,
+  access: {
+    read: tenantAccess,
+    create: tenantAccess,
+    update: tenantAccess,
+    delete: tenantAccess,
+  },
   labels: {
     singular: 'Tenant',
     plural: 'Tenants',
@@ -30,5 +77,10 @@ export const Tenants: CollectionConfig = {
       collection: 'users',
       on: 'tenants.tenant',
     },
+    {
+      name: 'isPublic',
+      type: 'checkbox',
+      label: 'Public Tenant',
+    },
   ],
 }

packages/plugin-multi-tenant/src/utilities/getUserTenantIDs.ts

@@ -32,11 +32,14 @@ export default buildConfigWithDefaults({
   plugins: [
     multiTenantPlugin<ConfigType>({
       userHasAccessToAllTenants: (user) => Boolean(user.roles?.includes('admin')),
+      useTenantsCollectionAccess: false,
       tenantField: {
         access: {},
       },
       collections: {
-        [menuItemsSlug]: {},
+        [menuItemsSlug]: {
+          useTenantAccess: false,
+        },
         [menuSlug]: {
           isGlobal: true,
         },