Copy to locale does not care about access control #12361

iamlinkus opened this issue May 9, 2025 · 0 comments
Labels
status: needs-triage Possible bug which hasn't been reproduced yet

Describe the Bug

When using localization, if a collection has access controls that forbid a user from creating/updating collection items for specific locales, the "Copy to locale" button still lets the user copy to any locale. We need to either have control over what locales are available in the copy to locale modal, or respect the access controls for that collection.

Link to the code that reproduces this issue

https://github.com/iamlinkus/payload-access-control-localization-bug

Reproduction Steps

  1. Create a user and assign it a specific locale role.
  2. Log in as the user and switch to the locale in which they are able to create/edit the collection.
  3. Create a collection item.
  4. Open that collection item and click "Copy to locale".
  5. See that all locales are available to copy to, which is unexpected. Confirm the copy: it looks like it's copied, but the server throws an error:
key not found: error:notAllowedToPerformAction
[15:12:48] ERROR: There was an error copying data from "es" to "fr"
    err: {
      "type": "Forbidden",
      "message": "error:notAllowedToPerformAction",
      "stack":
          Forbidden: error:notAllowedToPerformAction
              at executeAccess (file:///Users/linkus/Github/temp/payload-access-control-localization-bug/node_modules/.pnpm/payload@3.33.0_graphql@16.11.0_typescript@5.7.3/node_modules/payload/dist/auth/executeAccess.js:12:23)
              at process.processTicksAndRejections (node:internal/process/task_queues:105:5)
              at async updateByIDOperation (file:///Users/linkus/Github/temp/payload-access-control-localization-bug/node_modules/.pnpm/payload@3.33.0_graphql@16.11.0_typescript@5.7.3/node_modules/payload/dist/collections/operations/updateByID.js:46:49)
              at async copyDataFromLocale (webpack-internal:///(rsc)/./node_modules/.pnpm/@payloadcms+ui@3.33.0_@types+react@19.1.0_monaco-editor@0.52.2_next@15.3.0_react-dom@19_d1ef1662e1311f584ef2883101bfa43e/node_modules/@payloadcms/ui/dist/utilities/copyDataFromLocale.js:221:8)
              at async copyDataFromLocaleHandler (webpack-internal:///(rsc)/./node_modules/.pnpm/@payloadcms+ui@3.33.0_@types+react@19.1.0_monaco-editor@0.52.2_next@15.3.0_react-dom@19_d1ef1662e1311f584ef2883101bfa43e/node_modules/@payloadcms/ui/dist/utilities/copyDataFromLocale.js:127:12)
              at async /Users/linkus/Github/temp/payload-access-control-localization-bug/node_modules/.pnpm/next@15.3.0_react-dom@19.1.0_react@19.1.0__react@19.1.0_sass@1.77.4/node_modules/next/dist/compiled/next-server/app-page.runtime.dev.js:417:2449
              at async handleAction (/Users/linkus/Github/temp/payload-access-control-localization-bug/node_modules/.pnpm/next@15.3.0_react-dom@19.1.0_react@19.1.0__react@19.1.0_sass@1.77.4/node_modules/next/dist/compiled/next-server/app-page.runtime.dev.js:416:21371)
              at async renderToHTMLOrFlightImpl (/Users/linkus/Github/temp/payload-access-control-localization-bug/node_modules/.pnpm/next@15.3.0_react-dom@19.1.0_react@19.1.0__react@19.1.0_sass@1.77.4/node_modules/next/dist/compiled/next-server/app-page.runtime.dev.js:422:27153)
              at async doRender (/Users/linkus/Github/temp/payload-access-control-localization-bug/node_modules/.pnpm/next@15.3.0_react-dom@19.1.0_react@19.1.0__react@19.1.0_sass@1.77.4/node_modules/next/dist/server/base-server.js:1650:34)
              at async DevServer.renderToResponseWithComponentsImpl (/Users/linkus/Github/temp/payload-access-control-localization-bug/node_modules/.pnpm/next@15.3.0_react-dom@19.1.0_react@19.1.0__react@19.1.0_sass@1.77.4/node_modules/next/dist/server/base-server.js:1915:28)
              at async DevServer.renderPageComponent (/Users/linkus/Github/temp/payload-access-control-localization-bug/node_modules/.pnpm/next@15.3.0_react-dom@19.1.0_react@19.1.0__react@19.1.0_sass@1.77.4/node_modules/next/dist/server/base-server.js:2403:24)
              at async DevServer.renderToResponseImpl (/Users/linkus/Github/temp/payload-access-control-localization-bug/node_modules/.pnpm/next@15.3.0_react-dom@19.1.0_react@19.1.0__react@19.1.0_sass@1.77.4/node_modules/next/dist/server/base-server.js:2440:32)
              at async DevServer.pipeImpl (/Users/linkus/Github/temp/payload-access-control-localization-bug/node_modules/.pnpm/next@15.3.0_react-dom@19.1.0_react@19.1.0__react@19.1.0_sass@1.77.4/node_modules/next/dist/server/base-server.js:1007:25)
              at async NextNodeServer.handleCatchallRenderRequest (/Users/linkus/Github/temp/payload-access-control-localization-bug/node_modules/.pnpm/next@15.3.0_react-dom@19.1.0_react@19.1.0__react@19.1.0_sass@1.77.4/node_modules/next/dist/server/next-server.js:305:17)
              at async DevServer.handleRequestImpl (/Users/linkus/Github/temp/payload-access-control-localization-bug/node_modules/.pnpm/next@15.3.0_react-dom@19.1.0_react@19.1.0__react@19.1.0_sass@1.77.4/node_modules/next/dist/server/base-server.js:899:17)
              at async /Users/linkus/Github/temp/payload-access-control-localization-bug/node_modules/.pnpm/next@15.3.0_react-dom@19.1.0_react@19.1.0__react@19.1.0_sass@1.77.4/node_modules/next/dist/server/dev/next-dev-server.js:371:20
              at async Span.traceAsyncFn (/Users/linkus/Github/temp/payload-access-control-localization-bug/node_modules/.pnpm/next@15.3.0_react-dom@19.1.0_react@19.1.0__react@19.1.0_sass@1.77.4/node_modules/next/dist/trace/trace.js:157:20)
              at async DevServer.handleRequest (/Users/linkus/Github/temp/payload-access-control-localization-bug/node_modules/.pnpm/next@15.3.0_react-dom@19.1.0_react@19.1.0__react@19.1.0_sass@1.77.4/node_modules/next/dist/server/dev/next-dev-server.js:368:24)
              at async invokeRender (/Users/linkus/Github/temp/payload-access-control-localization-bug/node_modules/.pnpm/next@15.3.0_react-dom@19.1.0_react@19.1.0__react@19.1.0_sass@1.77.4/node_modules/next/dist/server/lib/router-server.js:237:21)
              at async handleRequest (/Users/linkus/Github/temp/payload-access-control-localization-bug/node_modules/.pnpm/next@15.3.0_react-dom@19.1.0_react@19.1.0__react@19.1.0_sass@1.77.4/node_modules/next/dist/server/lib/router-server.js:428:24)
              at async requestHandlerImpl (/Users/linkus/Github/temp/payload-access-control-localization-bug/node_modules/.pnpm/next@15.3.0_react-dom@19.1.0_react@19.1.0__react@19.1.0_sass@1.77.4/node_modules/next/dist/server/lib/router-server.js:452:13)
              at async Server.requestListener (/Users/linkus/Github/temp/payload-access-control-localization-bug/node_modules/.pnpm/next@15.3.0_react-dom@19.1.0_react@19.1.0__react@19.1.0_sass@1.77.4/node_modules/next/dist/server/lib/start-server.js:158:13)
      "data": null,
      "isOperational": true,
      "isPublic": false,
      "status": 403,
      "name": "Forbidden"
    }

Which area(s) are affected? (Select all that apply)

area: ui, area: core

Environment Info

Binaries:
  Node: 23.3.0
  npm: 10.9.0
  Yarn: N/A
  pnpm: 9.12.3
Relevant Packages:
  payload: 3.33.0
  next: 15.3.0
  @payloadcms/db-mongodb: 3.33.0
  @payloadcms/email-nodemailer: 3.33.0
  @payloadcms/graphql: 3.33.0
  @payloadcms/next/utilities: 3.33.0
  @payloadcms/payload-cloud: 3.33.0
  @payloadcms/richtext-lexical: 3.33.0
  @payloadcms/translations: 3.33.0
  @payloadcms/ui/shared: 3.33.0
  react: 19.1.0
  react-dom: 19.1.0
Operating System:
  Platform: darwin
  Arch: arm64
  Version: Darwin Kernel Version 24.4.0: Fri Apr 11 18:32:50 PDT 2025; root:xnu-11417.101.15~117/RELEASE_ARM64_T6041
  Available memory (MB): 49152
  Available CPU cores: 14
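
An added sketch of the two behaviours the report asks for, not code from Payload or from the reproduction repository: the locale picker is filtered with the same rule the server enforces, and the server hands the denial back to the caller instead of only logging it. Every name here (`canUpdate`, `targetLocalesFor`, `copyToLocale`, the `locales` field on the user) is hypothetical, and the sample data is constructed.

```javascript
// Constructed sample data: the site's locales and an editor whose role
// covers Spanish and English but not French.
const LOCALES = ['en', 'es', 'fr'];
const editor = { id: 'u1', locales: ['es', 'en'] };

// Locale-aware write rule, modelled on an access function that is passed the
// request (assumption: the request carries the user and the active locale).
function canUpdate({ req }) {
  return Boolean(req.user) && req.user.locales.includes(req.locale);
}

// UI side: build the "copy to" list by evaluating the same rule once per
// candidate locale, so the modal never offers a locale the server will refuse.
function targetLocalesFor(user, fromLocale) {
  return LOCALES.filter(
    (locale) => locale !== fromLocale && canUpdate({ req: { user, locale } }),
  );
}

// Server side: the check is repeated regardless of what the UI showed, and the
// outcome is returned so a denied copy cannot look like a successful one.
function copyToLocale(store, { user, docId, fromLocale, toLocale }) {
  if (!LOCALES.includes(toLocale) || !canUpdate({ req: { user, locale: toLocale } })) {
    return { ok: false, status: 403, error: 'Forbidden' };
  }
  const doc = store.get(docId);
  if (!doc || !(fromLocale in doc)) {
    return { ok: false, status: 404, error: 'NotFound' };
  }
  doc[toLocale] = structuredClone(doc[fromLocale]);
  return { ok: true, status: 200 };
}

// Walks the report's scenario: a document created in "es", copy attempted to "fr".
function demo() {
  const store = new Map([['post1', { es: { title: 'Hola' } }]]);
  const offered = targetLocalesFor(editor, 'es');
  const denied = copyToLocale(store, {
    user: editor, docId: 'post1', fromLocale: 'es', toLocale: 'fr',
  });
  return { offered, denied, frWritten: 'fr' in store.get('post1') };
}
```

The server-side check stays even when the picker is filtered, since a client can submit any target locale directly.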