Collection list does not prevent user from deleting items, even though access control does #12362


Open
iamlinkus opened this issue May 9, 2025 · 3 comments

@iamlinkus

iamlinkus commented May 9, 2025

Describe the Bug

Currently I have a localised website. We have a few editor roles for local markets, each of which has a few locales that they can edit and can't edit others.

For our collections, we have access controls set up in a way that should prevent users from deleting/creating/updating locales that are not assigned to the role.

Now, probably because of the way locales are saved in payload (which is very unintuitive), an interesting phenomenon occurs with this setup: regardless of the access control rules, the user is able to delete the collection item when deleting from the list view, but is not able to delete (even his own assigned locale) from within the document edit view.

Link to the code that reproduces this issue

https://github.com/iamlinkus/payload-access-control-localization-bug

Reproduction Steps

  1. Clone repro repo.
  2. Create a user and assign it a locale role.
  3. Switch to the locale that the user has assigned.
  4. Create a post in the posts collection.
  5. Try to delete the document from inside the document edit view -->>> Error.
  6. Go back to list view without changing the locale, select the item in the list and click delete -->>> Success

Which area(s) are affected? (Select all that apply)

area: core, area: ui

Environment Info

Binaries:
  Node: 23.3.0
  npm: 10.9.0
  Yarn: N/A
  pnpm: 9.12.3
Relevant Packages:
  payload: 3.33.0
  next: 15.3.0
  @payloadcms/db-mongodb: 3.33.0
  @payloadcms/email-nodemailer: 3.33.0
  @payloadcms/graphql: 3.33.0
  @payloadcms/next/utilities: 3.33.0
  @payloadcms/payload-cloud: 3.33.0
  @payloadcms/richtext-lexical: 3.33.0
  @payloadcms/translations: 3.33.0
  @payloadcms/ui/shared: 3.33.0
  react: 19.1.0
  react-dom: 19.1.0
Operating System:
  Platform: darwin
  Arch: arm64
  Version: Darwin Kernel Version 24.4.0: Fri Apr 11 18:32:50 PDT 2025; root:xnu-11417.101.15~117/RELEASE_ARM64_T6041
  Available memory (MB): 49152
  Available CPU cores: 14
@iamlinkus iamlinkus added status: needs-triage Possible bug which hasn't been reproduced yet validate-reproduction Auto-added tag on create to tell bot to check recreation URL, removed after check. labels May 9, 2025
@github-actions github-actions bot removed the validate-reproduction Auto-added tag on create to tell bot to check recreation URL, removed after check. label May 9, 2025
@DanRibbens
Contributor

First thing to consider regarding this:

For our collections, we have access controls set up in a way that should prevent users to delete/create/update locales that are not assigned to the role.

For delete it is important to keep in mind that documents are not confined to one locale; rather, they have fields that are localized. With this, your users aren't just deleting their own locale when deleting a doc; it is going to impact all locales. In order to make this work you will want to add your own locale field and not use the localized property in your configuration, because you need to localize your collection at the document level.

This doesn't solve your UI problem. For the admin UI deleting from the list view, we cannot run the access control for all selected documents in the list view in real time. For this reason we allow a user to select what they need and then click delete; only then will they encounter feedback that they are prevented from deleting documents. If you consider that the list view lets you select every document available and the access control functions need to be run on the server, there isn't a good way that this can happen programmatically.

For your use-case it might make sense for us to add a config property to the collection config admin.disableBulkDelete which would turn off the ability to bulk delete from the UI.

What do you think about that option? Would you use it if given this choice?

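As an added example (not code from the issue, the repro repo, or Payload itself), one way to implement the suggestion above: give the collection its own `locale` field and scope delete access to the user's assigned locales by returning a query constraint instead of a boolean, which Payload access functions allow. The `locales` array on the user document, the `admin` role name, and the loosely typed stand-ins for Payload's types are assumptions.

```typescript
// Minimal stand-ins for the argument shape Payload passes to an access function.
// Assumption: only the fields used here are modelled, so this runs without the
// `payload` package; a real config would import `Access` and `Where` from 'payload'.
type Where = Record<string, { in?: string[] }>
type User = { id: string; roles?: string[]; locales?: string[] }
type AccessArgs = { req: { user?: User | null } }
type AccessResult = boolean | Where

// Delete access for a collection that carries its own `locale` field (one document
// per locale), instead of `localized: true` fields that span every locale.
// Returning a query constraint rather than a boolean lets Payload scope the delete
// server-side, so a bulk delete from the list view only removes matching documents.
const deleteByAssignedLocale = ({ req }: AccessArgs): AccessResult => {
  const user = req.user
  if (!user) return false
  if (user.roles?.includes('admin')) return true
  const locales = user.locales ?? []
  if (locales.length === 0) return false
  return { locale: { in: locales } }
}

// Where the function plugs in; mirrors a Payload collection config, typed loosely.
const postsCollection = {
  slug: 'posts',
  fields: [
    { name: 'title', type: 'text', required: true },
    { name: 'locale', type: 'select', options: ['en', 'de', 'fr'], required: true, index: true },
  ],
  access: { delete: deleteByAssignedLocale },
}

// Applies an access result to an in-memory document set, to show what a bulk delete
// of a list-view selection would actually remove once the constraint is enforced.
const applyDeleteAccess = (result: AccessResult, docs: { id: string; locale: string }[]): string[] => {
  if (result === true) return docs.map((d) => d.id)
  if (result === false) return []
  const allowed = result.locale?.in ?? []
  return docs.filter((d) => allowed.includes(d.locale)).map((d) => d.id)
}

// Constructed sample data: four posts and an editor assigned only to 'de' and 'fr'.
const samplePosts = [
  { id: 'p1', locale: 'en' },
  { id: 'p2', locale: 'de' },
  { id: 'p3', locale: 'fr' },
  { id: 'p4', locale: 'en' },
]
const deEditor: User = { id: 'u1', roles: ['editor'], locales: ['de', 'fr'] }
```

Selecting all four posts in the list view and clicking delete would, with this constraint, remove only `p2` and `p3` for that editor; the user still gets the feedback only after clicking, as described above.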
@DanRibbens DanRibbens self-assigned this May 12, 2025
@github-actions github-actions bot removed the status: needs-triage Possible bug which hasn't been reproduced yet label May 12, 2025
@iamlinkus
Author

I would, as it's probably the easiest work-around, although it's taking away from the functionality that was promised for our client.

More and more, working with locales on payload we're coming to a realization that there are a lot of limitations in the current locales implementation and this probably stems from being used to a more standard way of working with locales within other content management systems, where you'd actually have the possibility to separate the locales of a document/page and be able to remove/unpublish each individually by default without doing too much custom stuff. The way that payload does this is more like "The document has duplicated fields for each locale, but depending on the locale selected we're just hiding the fields that do not belong to that locale", instead of having normal separation that we're used to.

I know you have an option to publish individual locales using versions, but we tried that with multiple clients and it was extremely confusing and didn't always work as expected; that's why we decided not to use versions for per-locale publishing and instead added our arbitrary way of handling different users having access to different locales and somehow trying to have the separation at least visually in the panel (use baseListFilter and filter out list items that have no title in the current locale, this way "indicating" which documents "actually exist" in a locale), but it (obviously from this issue) still has many limitations due to the base implementation of locales in payload.

I got your suggestion, thanks for that. Hopefully payload will someday have proper locales without the need of custom solutions when trying to work with locale availability/access based on roles.

@mjaysona

we allow a user to select what they need and then click delete, only then will they encounter feedback that they are prevented from deleting documents.

Hey @DanRibbens, I just want this clarified. For example, I have a collection with delete access that only allows deletion for items with specific slugs. In the collection list, I should still be able to select these deletable items but when I click "Delete", the deletion won't proceed? Is that right?
