You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
feat(plugin-ecommerce)!: add ability to enable guest carts with reworked access config (#14565)
This PR introduce a breaking change into the plugin as it was necessary
in order to provide more secure guest carts.
With this change you can now configure `allowGuestCarts` (enabled by
default) to enable or disable this kind of access control.
- Carts will have a generated secret if they're created by guest users.
- Guest users will use this token to retrieve or update the cart,
without making all non-claimed carts publicly available
- This secret is stored in local storage, it's not super critical
information either
The access config has changed
**Before**
```ts
ecommercePlugin({
access: {
adminOnly,
adminOnlyFieldAccess,
adminOrCustomerOwner,
adminOrPublishedStatus,
customerOnlyFieldAccess,
}
})
```
**After**
```ts
ecommercePlugin({
access: {
adminOnlyFieldAccess,
adminOrPublishedStatus,
customerOnlyFieldAccess,
isAdmin,
isDocumentOwner,
}
})
```
This PR also adds a new `isLoading` status to all hooks that will be
true when any action is being taken allowing you to disable buttons or
UI conditionally.
---------
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
|`adminOrCustomerOwner`|`Access`| Access control to check if the user has `admin` permissions or is the owner of the document via the `customer` field. Used to limit read, update or delete to only the customers that own this address. |
42
-
|`authenticatedOnly`|`Access`| Access control to check if the user is authenticated. Use on the `create` access to allow any customer to create a new address. |
43
-
|`customerOnlyFieldAccess`|`FieldAccess`| Field level access control to check if the user has `customer` permissions. |
|`isAdmin`|`Access`| Access control to check if the user has `admin` permissions. |
42
+
|`isAuthenticated`|`Access`| Access control to check if the user is authenticated. Use on the `create` access to allow any customer to create a new address. |
43
+
|`isDocumentOwner`|`Access`| Access control to check if the user owns the document via the `customer` field. Used to limit read, update or delete to only the customers that own this address. |
44
+
|`customerOnlyFieldAccess`|`FieldAccess`| Field level access control to check if the user has `customer` permissions. |
44
45
45
46
See the [access control section](./plugin#access) for more details on each of these functions.
46
47
@@ -51,8 +52,9 @@ import { createAddressesCollection } from 'payload-plugin-ecommerce'
51
52
52
53
const Addresses =createAddressesCollection({
53
54
access: {
54
-
adminOrCustomerOwner,
55
-
authenticatedOnly,
55
+
isAdmin,
56
+
isAuthenticated,
57
+
isDocumentOwner,
56
58
customerOnlyFieldAccess,
57
59
},
58
60
addressFields: [
@@ -80,10 +82,12 @@ Use this to create the `carts` collection to store customer carts. It takes the
80
82
81
83
The access object can contain the following properties:
|`adminOrCustomerOwner`|`Access`| Access control to check if the user has `admin` permissions or is the owner of the document via the `customer` field. Used to limit read, update or delete to only the customers that own this cart. |
86
-
|`publicAccess`|`Access`| Allow anyone to create a new cart, useful for guests. |
|`isAdmin`|`Access`| Access control to check if the user has `admin` permissions. |
88
+
|`isAuthenticated`|`Access`| Access control to check if the user is authenticated. |
89
+
|`isDocumentOwner`|`Access`| Access control to check if the user owns the document via the `customer` field. Used to limit read, update or delete to only the customers that own this cart. |
90
+
|`publicAccess`|`Access`| (Optional) Allow anyone to create a new cart, useful for guests. |
87
91
88
92
See the [access control section](./plugin#access) for more details on each of these functions.
89
93
@@ -94,8 +98,9 @@ import { createCartsCollection } from 'payload-plugin-ecommerce'
94
98
95
99
const Carts =createCartsCollection({
96
100
access: {
97
-
adminOrCustomerOwner,
98
-
publicAccess,
101
+
isAdmin,
102
+
isAuthenticated,
103
+
isDocumentOwner,
99
104
},
100
105
enableVariants: true,
101
106
currenciesConfig: {
@@ -131,11 +136,11 @@ Use this to create the `orders` collection to store customer orders. It takes th
131
136
132
137
The access object can contain the following properties:
|`adminOrCustomerOwner`|`Access`| Access control to check if the user has `admin` permissions or is the owner of the document via the `customer` field. Used to limit read to only the customers that own this order.|
137
-
|`adminOnly`|`Access`| Access control to check if the user has `admin` permissions. Used to limit create, update and delete access to only admins. |
138
-
|`adminOnlyFieldAccess`|`FieldAccess`| Field level access control to check if the user has `admin` permissions. Limits the transaction ID field to admins only. |
|`isAdmin`|`Access`| Access control to check if the user has `admin` permissions. Used to limit create, update and delete access to only admins. |
142
+
|`isDocumentOwner`|`Access`| Access control to check if the user owns the document via the `customer` field. Used to limit read to only the customers that own this order.|
143
+
|`adminOnlyFieldAccess`|`FieldAccess`| Field level access control to check if the user has `admin` permissions. Limits the transaction ID field to admins only. |
139
144
140
145
See the [access control section](./plugin#access) for more details on each of these functions.
141
146
@@ -146,8 +151,8 @@ import { createOrdersCollection } from 'payload-plugin-ecommerce'
146
151
147
152
const Orders =createOrdersCollection({
148
153
access: {
149
-
adminOrCustomerOwner,
150
-
adminOnly,
154
+
isAdmin,
155
+
isDocumentOwner,
151
156
adminOnlyFieldAccess,
152
157
},
153
158
enableVariants: true,
@@ -193,9 +198,9 @@ Use this to create the `transactions` collection to store payment transactions.
193
198
194
199
The access object can contain the following properties:
|`adminOnly`|`Access`| Access control to check if the user has `admin` permissions. Used to limit create, update or delete to only admins. |
260
+
|`isAdmin`|`Access`| Access control to check if the user has `admin` permissions. Used to limit create, update or delete to only admins. |
256
261
|`adminOrPublishedStatus`|`Access`| Access control to check if the user has `admin` permissions or if the product has a `published` status. Used to limit read access to published products for non-admins. |
257
262
258
263
See the [access control section](./plugin#access) for more details on each of these functions.
@@ -264,7 +269,7 @@ import { createProductsCollection } from 'payload-plugin-ecommerce'
264
269
265
270
const Products =createProductsCollection({
266
271
access: {
267
-
adminOnly,
272
+
isAdmin,
268
273
adminOrPublishedStatus,
269
274
},
270
275
enableVariants: true,
@@ -305,7 +310,7 @@ The access object can contain the following properties:
|`adminOnly`|`Access`| Access control to check if the user has `admin` permissions. Used to limit all access to only admins. |
313
+
|`isAdmin`|`Access`| Access control to check if the user has `admin` permissions. Used to limit all access to only admins. |
309
314
|`adminOrPublishedStatus`|`Access`| Access control to check if the user has `admin` permissions or if the related product has a `published` status. Used to limit read access to variants of published products for non-admins. |
310
315
311
316
See the [access control section](./plugin#access) for more details on each of these functions.
@@ -317,7 +322,7 @@ import { createVariantsCollection } from 'payload-plugin-ecommerce'
317
322
318
323
const Variants =createVariantsCollection({
319
324
access: {
320
-
adminOnly,
325
+
isAdmin,
321
326
adminOrPublishedStatus,
322
327
},
323
328
currenciesConfig: {
@@ -353,8 +358,8 @@ The access object can contain the following properties:
0 commit comments