fix: locked documents with read access for users (#8950)

### What?

When read access is restricted on the `users` collection - restricted
users would not have access to other users complete user data object
only their IDs when accessing `user.value`.

### Why?

This is problematic when determining the lock status of a document from
a restricted users perspective as `user.id` would not exist - the user
data would not be an object in this case but instead a `string` or
`number` value for user ID

### How?

This PR properly handles both cases now and checks if the incoming user
data is an object or just a `string` / `number`.

Author: PatrikKozak

packages/next/src/elements/DocumentLocked/index.tsx

@@ -2,6 +2,7 @@
 import type { ClientUser } from 'payload'
 
 import { Button, Modal, useModal, useTranslation } from '@payloadcms/ui'
+import { isClientUserObject } from '@payloadcms/ui/shared'
 import React, { useEffect } from 'react'
 
 import './index.scss'
@@ -30,7 +31,7 @@ export const DocumentLocked: React.FC<{
   onReadOnly: () => void
   onTakeOver: () => void
   updatedAt?: null | number
-  user?: ClientUser
+  user?: ClientUser | number | string
 }> = ({ handleGoBack, isActive, onReadOnly, onTakeOver, updatedAt, user }) => {
   const { closeModal, openModal } = useModal()
   const { t } = useTranslation()
@@ -49,7 +50,10 @@ export const DocumentLocked: React.FC<{
         <div className={`${baseClass}__content`}>
           <h1>{t('general:documentLocked')}</h1>
           <p>
-            <strong>{user?.email ?? user?.id}</strong> {t('general:currentlyEditing')}
+            <strong>
+              {isClientUserObject(user) ? (user.email ?? user.id) : `${t('general:user')}: ${user}`}
+            </strong>{' '}
+            {t('general:currentlyEditing')}
           </p>
           <p>
             {t('general:editedSince')} <strong>{formatDate(updatedAt)}</strong>

packages/next/src/views/Dashboard/Default/index.tsx

@@ -17,7 +17,7 @@ const baseClass = 'dashboard'
 
 export type DashboardProps = {
   globalData: Array<{
-    data: { _isLocked: boolean; _lastEditedAt: string; _userEditing: ClientUser | null }
+    data: { _isLocked: boolean; _lastEditedAt: string; _userEditing: ClientUser | number | string }
     lockDuration?: number
     slug: string
   }>

packages/next/src/views/Dashboard/index.tsx

@@ -31,11 +31,10 @@ export const Dashboard: React.FC<AdminViewProps> = async ({
       payload,
       user,
     },
+    req,
     visibleEntities,
   } = initPageResult
 
-  const lockDurationDefault = 300 // Default 5 minutes in seconds
-
   const CustomDashboardComponent = config.admin.components?.views?.Dashboard
 
   const collections = config.collections.filter(
@@ -50,39 +49,44 @@ export const Dashboard: React.FC<AdminViewProps> = async ({
       visibleEntities.globals.includes(global.slug),
   )
 
-  const globalConfigs = config.globals.map((global) => ({
-    slug: global.slug,
-    lockDuration:
-      global.lockDocuments === false
-        ? null // Set lockDuration to null if locking is disabled
-        : typeof global.lockDocuments === 'object'
+  // Query locked global documents only if there are globals in the config
+  let globalData = []
+
+  if (config.globals.length > 0) {
+    const lockedDocuments = await payload.find({
+      collection: 'payload-locked-documents',
+      depth: 1,
+      overrideAccess: false,
+      pagination: false,
+      req,
+      where: {
+        globalSlug: {
+          exists: true,
+        },
+      },
+    })
+
+    // Map over globals to include `lockDuration` and lock data for each global slug
+    globalData = config.globals.map((global) => {
+      const lockDurationDefault = 300
+      const lockDuration =
+        typeof global.lockDocuments === 'object'
           ? global.lockDocuments.duration
-          : lockDurationDefault,
-  }))
-
-  // Filter the slugs based on permissions and visibility
-  const filteredGlobalConfigs = globalConfigs.filter(
-    ({ slug, lockDuration }) =>
-      lockDuration !== null && // Ensure lockDuration is valid
-      permissions?.globals?.[slug]?.read?.permission &&
-      visibleEntities.globals.includes(slug),
-  )
+          : lockDurationDefault
 
-  const globalData = await Promise.all(
-    filteredGlobalConfigs.map(async ({ slug, lockDuration }) => {
-      const data = await payload.findGlobal({
-        slug,
-        depth: 0,
-        includeLockStatus: true,
-      })
+      const lockedDoc = lockedDocuments.docs.find((doc) => doc.globalSlug === global.slug)
 
       return {
-        slug,
-        data,
+        slug: global.slug,
+        data: {
+          _isLocked: !!lockedDoc,
+          _lastEditedAt: lockedDoc?.updatedAt ?? null,
+          _userEditing: lockedDoc?.user?.value ?? null,
+        },
         lockDuration,
       }
-    }),
-  )
+    })
+  }
 
   const navGroups = groupNavItems(
     [

packages/next/src/views/Edit/Default/index.tsx

@@ -144,7 +144,7 @@ export const DefaultEditView: React.FC = () => {
   const documentLockStateRef = useRef<{
     hasShownLockedModal: boolean
     isLocked: boolean
-    user: ClientUser
+    user: ClientUser | number | string
   } | null>({
     hasShownLockedModal: false,
     isLocked: false,
@@ -268,7 +268,10 @@ export const DefaultEditView: React.FC = () => {
       setDocumentIsLocked(true)
 
       if (isLockingEnabled) {
-        const previousOwnerId = documentLockStateRef.current?.user?.id
+        const previousOwnerId =
+          typeof documentLockStateRef.current?.user === 'object'
+            ? documentLockStateRef.current?.user?.id
+            : documentLockStateRef.current?.user
 
         if (lockedState) {
           if (!documentLockStateRef.current || lockedState.user.id !== previousOwnerId) {
@@ -328,7 +331,11 @@ export const DefaultEditView: React.FC = () => {
       // Unlock the document only if we're actually navigating away from the document
       if (documentId && documentIsLocked && !isStayingWithinDocument) {
         // Check if this user is still the current editor
-        if (documentLockStateRef.current?.user?.id === user?.id) {
+        if (
+          typeof documentLockStateRef.current?.user === 'object'
+            ? documentLockStateRef.current?.user?.id === user?.id
+            : documentLockStateRef.current?.user === user?.id
+        ) {
           void unlockDocument(id, collectionSlug ?? globalSlug)
           setDocumentIsLocked(false)
           setCurrentEditor(null)
@@ -352,7 +359,9 @@ export const DefaultEditView: React.FC = () => {
   const shouldShowDocumentLockedModal =
     documentIsLocked &&
     currentEditor &&
-    currentEditor.id !== user?.id &&
+    (typeof currentEditor === 'object'
+      ? currentEditor.id !== user?.id
+      : currentEditor !== user?.id) &&
     !isReadOnlyForIncomingUser &&
     !showTakeOverModal &&
     !documentLockStateRef.current?.hasShownLockedModal &&

packages/next/src/views/LivePreview/index.client.tsx

@@ -129,7 +129,7 @@ const PreviewView: React.FC<Props> = ({
   const documentLockStateRef = useRef<{
     hasShownLockedModal: boolean
     isLocked: boolean
-    user: ClientUser
+    user: ClientUser | number | string
   } | null>({
     hasShownLockedModal: false,
     isLocked: false,
@@ -208,7 +208,10 @@ const PreviewView: React.FC<Props> = ({
       setDocumentIsLocked(true)
 
       if (isLockingEnabled) {
-        const previousOwnerId = documentLockStateRef.current?.user?.id
+        const previousOwnerId =
+          typeof documentLockStateRef.current?.user === 'object'
+            ? documentLockStateRef.current?.user?.id
+            : documentLockStateRef.current?.user
 
         if (lockedState) {
           if (!documentLockStateRef.current || lockedState.user.id !== previousOwnerId) {
@@ -267,7 +270,11 @@ const PreviewView: React.FC<Props> = ({
       // Unlock the document only if we're actually navigating away from the document
       if (documentId && documentIsLocked && !isStayingWithinDocument) {
         // Check if this user is still the current editor
-        if (documentLockStateRef.current?.user?.id === user?.id) {
+        if (
+          typeof documentLockStateRef.current?.user === 'object'
+            ? documentLockStateRef.current?.user?.id === user?.id
+            : documentLockStateRef.current?.user === user?.id
+        ) {
           void unlockDocument(id, collectionSlug ?? globalSlug)
           setDocumentIsLocked(false)
           setCurrentEditor(null)
@@ -291,7 +298,9 @@ const PreviewView: React.FC<Props> = ({
   const shouldShowDocumentLockedModal =
     documentIsLocked &&
     currentEditor &&
-    currentEditor.id !== user.id &&
+    (typeof currentEditor === 'object'
+      ? currentEditor.id !== user?.id
+      : currentEditor !== user?.id) &&
     !isReadOnlyForIncomingUser &&
     !showTakeOverModal &&
     // eslint-disable-next-line react-compiler/react-compiler

packages/payload/src/collections/operations/find.ts

@@ -187,6 +187,7 @@ export const findOperation = async <
           collection: 'payload-locked-documents',
           depth: 1,
           limit: sanitizedLimit,
+          overrideAccess: false,
           pagination: false,
           req,
           where: {

packages/payload/src/collections/operations/findByID.ts

@@ -139,6 +139,7 @@ export const findByIDOperation = async <
           collection: 'payload-locked-documents',
           depth: 1,
           limit: 1,
+          overrideAccess: false,
           pagination: false,
           req,
           where: {

packages/payload/src/globals/operations/findOne.ts

@@ -65,21 +65,37 @@ export const findOneOperation = async <T extends Record<string, unknown>>(
     // /////////////////////////////////////
     // Include Lock Status if required
     // /////////////////////////////////////
-
     if (includeLockStatus && slug) {
       let lockStatus = null
 
       try {
+        const lockDocumentsProp = globalConfig?.lockDocuments
+
+        const lockDurationDefault = 300 // Default 5 minutes in seconds
+        const lockDuration =
+          typeof lockDocumentsProp === 'object' ? lockDocumentsProp.duration : lockDurationDefault
+        const lockDurationInMilliseconds = lockDuration * 1000
+
         const lockedDocument = await req.payload.find({
           collection: 'payload-locked-documents',
           depth: 1,
           limit: 1,
+          overrideAccess: false,
           pagination: false,
           req,
           where: {
-            globalSlug: {
-              equals: slug,
-            },
+            and: [
+              {
+                globalSlug: {
+                  equals: slug,
+                },
+              },
+              {
+                updatedAt: {
+                  greater_than: new Date(new Date().getTime() - lockDurationInMilliseconds),
+                },
+              },
+            ],
           },
         })
 
@@ -91,7 +107,6 @@ export const findOneOperation = async <T extends Record<string, unknown>>(
       }
 
       doc._isLocked = !!lockStatus
-      doc._lastEditedAt = lockStatus?.updatedAt ?? null
       doc._userEditing = lockStatus?.user?.value ?? null
     }
 

packages/translations/src/clientKeys.ts

@@ -127,6 +127,7 @@ export const clientTranslationKeys = createClientTranslationKeys([
   'general:addFilter',
   'general:adminTheme',
   'general:and',
+  'general:anotherUser',
   'general:anotherUserTakenOver',
   'general:applyChanges',
   'general:ascending',

packages/translations/src/languages/ar.ts

@@ -177,6 +177,7 @@ export const arTranslations: DefaultTranslationsObject = {
     addFilter: 'أضف فلتر',
     adminTheme: 'شكل واجهة المستخدم',
     and: 'و',
+    anotherUser: 'مستخدم آخر',
     anotherUserTakenOver: 'قام مستخدم آخر بالاستيلاء على تحرير هذا المستند.',
     applyChanges: 'طبق التغييرات',
     ascending: 'تصاعدي',