fix: isolate payload-preferences by auth collection (#15425)

PatrikKozak · web-flow · commit 2dc2e7c07f24 · 2026-01-30T06:07:52.000-08:00
### What
Fixes preferences being accessible across different auth collections in
multi-auth setups.

### Why
The `preferenceAccess` function only checked user ID without verifying
which auth collection the user belonged to. In setups with multiple auth
collections using sequential IDs, this could allow unintended access to
preferences.

### How
Updated `preferenceAccess` to check both user ID and auth collection,
consistent with the existing operation handlers. Added tests to verify
proper isolation.
diff --git a/packages/payload/src/preferences/config.ts b/packages/payload/src/preferences/config.ts
@@ -1,5 +1,6 @@
 import type { CollectionConfig } from '../collections/config/types.js'
 import type { Access, Config } from '../config/types.js'
+import type { Where } from '../types/index.js'
 
 import { deleteHandler } from './requestHandlers/delete.js'
 import { findByIDHandler } from './requestHandlers/findOne.js'
@@ -10,11 +11,21 @@ const preferenceAccess: Access = ({ req }) => {
     return false
   }
 
-  return {
+  const userValueCondition: Where = {
     'user.value': {
-      equals: req?.user?.id,
+      equals: req.user.id,
+    },
+  }
+
+  const userRelationCondition: Where = {
+    'user.relationTo': {
+      equals: req.user.collection,
     },
   }
+
+  return {
+    and: [userValueCondition, userRelationCondition],
+  }
 }
 
 export const preferencesCollectionSlug = 'payload-preferences'
diff --git a/test/auth/int.spec.ts b/test/auth/int.spec.ts
@@ -560,8 +560,8 @@ describe('Auth', () => {
             },
           })
 
-          expect(result.docs[0].value.property).toStrictEqual('updated')
-          expect(result.docs[0].value.property2).toStrictEqual('updated')
+          expect((result.docs[0]?.value as any)?.property).toStrictEqual('updated')
+          expect((result.docs[0]?.value as any)?.property2).toStrictEqual('updated')
 
           expect(result.docs).toHaveLength(1)
         })
@@ -600,6 +600,105 @@ describe('Auth', () => {
         })
       })
 
+      describe('Cross-Collection Preference Isolation', () => {
+        const adminKey = 'cross-collection-admin'
+        const publicKey = 'cross-collection-public'
+        let publicUserToken: string
+        let publicUserId: number | string
+        const createdIDs: (number | string)[] = []
+
+        beforeAll(async () => {
+          // Admin creates preference
+          const adminPref = await restClient.POST(`/payload-preferences/${adminKey}`, {
+            body: JSON.stringify({ value: { data: 'admin-sensitive' } }),
+            headers: { Authorization: `JWT ${token}` },
+          })
+          createdIDs.push(((await adminPref.json()) as any).doc.id)
+
+          // Create and verify public user
+          const userRes = await restClient.POST(`/${publicUsersSlug}`, {
+            body: JSON.stringify({ email: 'crosscollection@test.com', password: 'test123!' }),
+            headers: { Authorization: `JWT ${token}` },
+          })
+          publicUserId = ((await userRes.json()) as any).doc.id
+
+          const user = await payload.findByID({
+            collection: publicUsersSlug,
+            id: publicUserId,
+            showHiddenFields: true,
+          })
+          await restClient.POST(`/${publicUsersSlug}/verify/${(user as any)._verificationToken}`)
+
+          // Login as public user
+          const login = await restClient.POST(`/${publicUsersSlug}/login`, {
+            body: JSON.stringify({ email: 'crosscollection@test.com', password: 'test123!' }),
+          })
+          publicUserToken = ((await login.json()) as any).token
+
+          // Public user creates preference
+          const publicPref = await restClient.POST(`/payload-preferences/${publicKey}`, {
+            body: JSON.stringify({ value: { data: 'public-data' } }),
+            headers: { Authorization: `JWT ${publicUserToken}` },
+          })
+          createdIDs.push(((await publicPref.json()) as any).doc.id)
+        })
+
+        afterAll(async () => {
+          await Promise.all(
+            createdIDs.map((id) =>
+              payload.delete({ collection: 'payload-preferences', id }).catch(() => {}),
+            ),
+          )
+          if (publicUserId) {
+            await payload.delete({ collection: publicUsersSlug, id: publicUserId }).catch(() => {})
+          }
+        })
+
+        it('should only return own preferences via REST find', async () => {
+          const res = await restClient.GET('/payload-preferences', {
+            headers: { Authorization: `JWT ${publicUserToken}` },
+          })
+          const data: any = await res.json()
+
+          expect(data.docs).toHaveLength(1)
+          expect(data.docs[0].user.relationTo).toBe(publicUsersSlug)
+          expect(data.docs.some((doc: any) => doc.user.relationTo === 'users')).toBe(false)
+        })
+
+        it('should not delete other collection preferences via REST', async () => {
+          const before = await payload.find({
+            collection: 'payload-preferences',
+            where: { 'user.relationTo': { equals: 'users' } },
+          })
+          expect(before.docs).toHaveLength(1)
+
+          await restClient.DELETE(`/payload-preferences?where[key][equals]=${adminKey}`, {
+            headers: { Authorization: `JWT ${publicUserToken}` },
+          })
+
+          const after = await payload.find({
+            collection: 'payload-preferences',
+            where: { 'user.relationTo': { equals: 'users' } },
+          })
+          expect(after.docs).toHaveLength(1)
+          expect((after.docs[0]?.value as any)?.data).toBe('admin-sensitive')
+        })
+
+        it('should isolate preferences by user ID and collection', async () => {
+          const publicPrefs = await payload.find({
+            collection: 'payload-preferences',
+            where: { 'user.relationTo': { equals: publicUsersSlug } },
+          })
+          expect(publicPrefs.docs).toHaveLength(1)
+
+          const adminPrefs = await payload.find({
+            collection: 'payload-preferences',
+            where: { 'user.relationTo': { equals: 'users' } },
+          })
+          expect(adminPrefs.docs).toHaveLength(1)
+        })
+      })
+
       describe('Account Locking', () => {
         const userEmail = 'lock@me.com'
 
