fix: default values inconsistent between Local and REST APIs (#14556)

PatrikKozak · web-flow · commit 8f7ef352742c · 2025-11-13T07:39:49.000-08:00
### What? Default values were incorrectly appearing (or not appearing) depending on access control configuration. When access control denied access to a global or collection document, default values would sometimes still populate, and conversely, when access was allowed, defaults would sometimes be blocked. ### Why? The previous logic checked `args.data` before querying the database, making it impossible to distinguish between: 1. A document that doesn't exist and access is allowed (should populate defaults for globals) 2. A document that was filtered by access control (should NOT populate defaults) This caused default values like `_status: 'draft'` to appear when access control should have returned an empty response, and also blocked legitimate defaults on uncreated globals without access restrictions. ### How? - **Query first**: Both globals and collections now query the database before checking `args.data` - **Detect access denial**: Only return early when `!docFromDB && !args.data && !overrideAccess && accessResult !== true` - **Correct fallback**: Use `args.data ?? docFromDB ?? {}` (globals) or `args.data ?? docFromDB` (collections) - **Simplified**: Removed `shouldSkipDefaults` logic from `promise.ts` since it's now handled at the operation level Fixes #14493 Fixes #14476
diff --git a/packages/payload/src/collections/operations/findByID.ts b/packages/payload/src/collections/operations/findByID.ts
@@ -170,17 +170,18 @@ export const findByIDOperation = async <
       throw new NotFound(t)
     }
 
-    let result: DataFromCollectionSlug<TSlug> =
-      (args.data as DataFromCollectionSlug<TSlug>) ?? (await req.payload.db.findOne(findOneArgs))!
+    const docFromDB = await req.payload.db.findOne(findOneArgs)
 
-    if (!result) {
+    if (!docFromDB && !args.data) {
       if (!disableErrors) {
         throw new NotFound(req.t)
       }
-
       return null!
     }
 
+    let result: DataFromCollectionSlug<TSlug> =
+      (args.data as DataFromCollectionSlug<TSlug>) ?? docFromDB!
+
     // /////////////////////////////////////
     // Include Lock Status if required
     // /////////////////////////////////////
diff --git a/packages/payload/src/fields/hooks/afterRead/promise.ts b/packages/payload/src/fields/hooks/afterRead/promise.ts
@@ -374,18 +374,11 @@ export const promise = async ({
 
     // Set defaultValue on the field for globals being returned without being first created
     // or collection documents created prior to having a default.
-
-    // Skip setting defaults when: global has no ID (never created or filtered by access)
-    // AND access control is active (not overriding). This prevents default values like
-    // `_status: 'draft'` from appearing when access control filters out the document.
-    const shouldSkipDefaults = global && !doc.id && !overrideAccess
-
     if (
       !removedFieldValue &&
       allowDefaultValue &&
       typeof siblingDoc[field.name!] === 'undefined' &&
-      typeof field.defaultValue !== 'undefined' &&
-      !shouldSkipDefaults
+      typeof field.defaultValue !== 'undefined'
     ) {
       siblingDoc[field.name!] = await getDefaultValue({
         defaultValue: field.defaultValue,
diff --git a/packages/payload/src/globals/operations/findOne.ts b/packages/payload/src/globals/operations/findOne.ts
@@ -9,6 +9,7 @@ import type {
 import type { SanitizedGlobalConfig } from '../config/types.js'
 
 import { executeAccess } from '../../auth/executeAccess.js'
+import { NotFound } from '../../errors/NotFound.js'
 import { afterRead, type AfterReadArgs } from '../../fields/hooks/afterRead/index.js'
 import { lockedDocumentsCollectionSlug } from '../../locked-documents/config.js'
 import { getSelectMode } from '../../utilities/getSelectMode.js'
@@ -80,6 +81,10 @@ export const findOneOperation = async <T extends Record<string, unknown>>(
       accessResult = await executeAccess({ req }, globalConfig.access.read)
     }
 
+    if (accessResult === false) {
+      throw new NotFound(req.t)
+    }
+
     const select = sanitizeSelect({
       fields: globalConfig.flattenedFields,
       forceSelect: globalConfig.forceSelect,
@@ -90,19 +95,23 @@ export const findOneOperation = async <T extends Record<string, unknown>>(
     // Perform database operation
     // /////////////////////////////////////
 
-    let doc =
-      (args.data as any) ??
-      (await req.payload.db.findGlobal({
-        slug,
-        locale: locale!,
-        req,
-        select,
-        where: overrideAccess ? undefined : (accessResult as Where),
-      }))
-    if (!doc) {
-      doc = {}
+    const docFromDB = await req.payload.db.findGlobal({
+      slug,
+      locale: locale!,
+      req,
+      select,
+      where: overrideAccess ? undefined : (accessResult as Where),
+    })
+
+    // Check if no document was returned (Postgres returns {} instead of null)
+    const hasDoc = docFromDB && Object.keys(docFromDB).length > 0
+
+    if (!hasDoc && !args.data && !overrideAccess && accessResult !== true) {
+      return {} as any
     }
 
+    let doc = (args.data as any) ?? (hasDoc ? docFromDB : null) ?? {}
+
     // /////////////////////////////////////
     // Include Lock Status if required
     // /////////////////////////////////////
diff --git a/test/live-preview/int.spec.ts b/test/live-preview/int.spec.ts
@@ -929,6 +929,8 @@ describe('Collections - Live Preview', () => {
       initialData,
     })
 
+    merge1.id = initialData.id
+
     expect(merge1.relationshipMonoHasOne).toMatchObject(testPost)
     expect(merge1.relationshipMonoHasMany).toMatchObject([testPost])
 
