fix(examples): checks requested tenant matches user tenant permissions (#13012)

jessrynkar · web-flow · commit 50029532aa68 · 2025-07-02T14:30:47.000+01:00
### What

This PR updates the `create` access control functions in the
`multi-tenant` example to ensure that any `tenant` specified in a create
request matches a tenant the user has admin access to.

### Why

Previously, while the admin panel UI restricted the tenant selection, it
was still possible to bypass this by making a request directly to the
API with a different `tenant`. This allowed users to create documents
under tenants they shouldn't have access to.

### How

The `access` functions on the `users` and `pages` collections now
explicitly check whether the tenant(s) in the request are included in
the user's tenant permissions. If not, access is denied by returning
`false`.

**Fixes: CMS2-Q225-03**
diff --git a/examples/multi-tenant/src/collections/Pages/access/superAdminOrTenantAdmin.ts b/examples/multi-tenant/src/collections/Pages/access/superAdminOrTenantAdmin.ts
@@ -14,9 +14,12 @@ export const superAdminOrTenantAdminAccess: Access = ({ req }) => {
     return true
   }
 
-  return {
-    tenant: {
-      in: getUserTenantIDs(req.user, 'tenant-admin'),
-    },
+  const adminTenantAccessIDs = getUserTenantIDs(req.user, 'tenant-admin')
+  const requestedTenant = req?.data?.tenant
+
+  if (requestedTenant && adminTenantAccessIDs.includes(requestedTenant)) {
+    return true
   }
+
+  return false
 }
diff --git a/examples/multi-tenant/src/collections/Users/access/create.ts b/examples/multi-tenant/src/collections/Users/access/create.ts
@@ -1,6 +1,6 @@
 import type { Access } from 'payload'
 
-import type { User } from '../../../payload-types'
+import type { Tenant, User } from '../../../payload-types'
 
 import { isSuperAdmin } from '../../../access/isSuperAdmin'
 import { getUserTenantIDs } from '../../../utilities/getUserTenantIDs'
@@ -16,7 +16,14 @@ export const createAccess: Access<User> = ({ req }) => {
 
   const adminTenantAccessIDs = getUserTenantIDs(req.user, 'tenant-admin')
 
-  if (adminTenantAccessIDs.length) {
+  const requestedTenants: Tenant['id'][] =
+    req.data?.tenants?.map((t: { tenant: Tenant['id'] }) => t.tenant) ?? []
+
+  const hasAccessToAllRequestedTenants = requestedTenants.every((tenantID) =>
+    adminTenantAccessIDs.includes(tenantID),
+  )
+
+  if (hasAccessToAllRequestedTenants) {
     return true
   }
 

Original file line number	Diff line number	Diff line change
`@@ -14,9 +14,12 @@ export const superAdminOrTenantAdminAccess: Access = ({ req }) => {`
`14`	`14`	`return true`
`15`	`15`	`}`
`16`	`16`
`17`		`- return {`
`18`		`- tenant: {`
`19`		`- in: getUserTenantIDs(req.user, 'tenant-admin'),`
`20`		`- },`
	`17`	`+ const adminTenantAccessIDs = getUserTenantIDs(req.user, 'tenant-admin')`
	`18`	`+ const requestedTenant = req?.data?.tenant`
	`19`	`+`
	`20`	`+ if (requestedTenant && adminTenantAccessIDs.includes(requestedTenant)) {`
	`21`	`+ return true`
`21`	`22`	`}`
	`23`	`+`
	`24`	`+ return false`
`22`	`25`	`}`