Default access function(s)

[chladog]

I'm considered about the default access function that sits in DefaultConfig which permits all operations under simple condition "isUser" which can be quite risky regarding future updates that add new access controls - latest those were"readVersions" and "readDrafts" -> if I miss information about those in the changelog when updating my project I do not explicitly set the proper access handlers and someone can simply login as an user ("not admin") and mess with those non-covered operations.

In my application I'm using Payload's Authentication system to signup and authenticate users.
Therefore I have collection of Admins, and collection of Users. Public Users need obviously tight access control to allow only explicitly allowed stuff. If I didn't add new rules readDraft | readVersions anyone that signs up in the app can also read drafts and versions even in collections that suppose to be only "for admins".

My proposal is quite simple, allow in the Config to set default access hook that will be used whenever access function in CollectionConfig | GlobalConfig is not set explicitly.

export default buildConfig({
  serverURL: "http://localhost:3000",
  ...
  defaultAccess: () => false
  ...
})

Ideally this would take in either single function that would be applied to all operations of all collections/globals, or object of "operation: function" that will be applied to all collections/globals without explicit setting + one "fallback" that would be applied anywhere without explicit settings..

defaultAccess: () => boolean | {
   fallback: () => boolean,
   read?: () => boolean,
   create?: () => boolean ,
   ... all others
}

The object would work like this:

defaultAccess: {
   fallback: () => false // <= this one would be applied to all not set, those are "delete", "readDrafts", "admin", "unlock"
   read: () => true,
   create: () => false,
   update: () => false,
   readVersions: () => true
}

I'm asking for a lot of stuff around here lately, but I'm buiding my latest project with Payload for the first time so I want it to be as future-proof as possible. O:-)
Keep up the great work you're doing!

[denolfe]

Hey @chladog, I like this idea a lot. It could definitely reduce the tedium of putting the same access function on every collection while also making your access control less prone to oversights. We can look into getting this implemented 👍