Add granular access control to uploads, and image sizes #5333
Replies: 1 comment 4 replies
-
|
I'm not sure I understand. Uploads collections have access control which you can do as with any other collections. For example, this would give you a collection that only users with a role of const Uploads: CollectionConfig = {
slug: 'uploads',
upload: true,
access: {
read: ({ req }) => req.user?.roles?.includes('admin')
},
fields: [],
}The static handler for reading files from the api calls on this access control to make sure requests are authorized for the content being requested. It is true that we don't have separate access control for imageSizes but you may be able to write that in a custom way using the incoming Let me know if I've missed something. We want this jto be as intuitive as possible. |
Beta Was this translation helpful? Give feedback.
-
|
Is it possible to restrict access to the original image file? (At least using file name obfuscation or so?). I would like to define the image sizes available through the API but not grant access to the uploaded image itself to anyone. Imagine a website for posters or post cards that you don't want visitors to easily access the original image sizes for, while you also want to take the pain of prior downsizing off the editors' shoulders. Greatly appreciate any suggestion. <3 |
Beta Was this translation helpful? Give feedback.
-
|
I've looked into the access function, but as far as I understand it, it can only return a boolean, but not alter the returned API response based on the user information. Am I missing something? |
Beta Was this translation helpful? Give feedback.
-
|
If you want different assets depending on the access control you will have to make a custom endpoint. An endpoint can override the default Payload handlers so you can use the normal URL and make it a GET method. |
Beta Was this translation helpful? Give feedback.
-
|
Thank you for pointing that out. I first feared that would be necessary but it is actually well-documented here and pretty straightforward. |
Beta Was this translation helpful? Give feedback.
-
Today we have very good Access Control for Collections and Fields, but there is no support for Access Control for Uploads, as stated in the documentation "All files that are uploaded to each Collection automatically support the read Access Control function from the Collection itself"
The problem is that Upload is not a Field and it has its own options but they don't have separate Access Control. Furthermore in case of images or files with previews it would be very useful to have Access Control for each size, so it is possible to define different access rights.
Beta Was this translation helpful? Give feedback.
All reactions