test(plugin-multi-tenant): verify that tenant selector respects access control (#14916)

### What?

Adds an E2E test to verify that `getTenantOptions` properly respects
access control when determining which tenants appear in the tenant
selector. This is a test for functionality added in #14620.

### Why?

The previous PR #14620 that simplified `getTenantOptions` had no tests
and got merged before @JarrodMFlesch confirmed whether it should be
tested.

### How?

1. **Added the `tenantRole` field** to the Users collection's tenants
array with options: `admin` (default) / `member`
2. **Updated Tenants access control** to check for `tenantRole: 'admin'`
- users can only read tenants where they have an admin role
3. **Added test user in seed data** with mixed tenant roles:
   - Steel Cat (admin role) → should appear in selector
   - Anchor Bar (admin role) → should appear in selector  
   - Blue Dog (member role) → should NOT appear in selector
4. **Added an E2E test** that logs in as this user and verifies the
tenant selector only shows tenants with read access

The test confirms that `getTenantOptions` respects the tenant
collection's access control configuration and doesn't blindly show all
tenants from the user's array.

Co-authored-by: Jarrod Flesch <jarrodmflesch@gmail.com>

Author: AdrianMaj

test/plugin-multi-tenant/collections/Tenants.ts

@@ -1,7 +1,5 @@
 import type { Access, CollectionConfig, Where } from 'payload'
 
-import { getUserTenantIDs } from '@payloadcms/plugin-multi-tenant/utilities'
-
 import { tenantsSlug } from '../shared.js'
 
 const tenantAccess: Access = ({ req }) => {
@@ -11,18 +9,21 @@ const tenantAccess: Access = ({ req }) => {
   }
 
   if (req.user) {
-    const assignedTenants = getUserTenantIDs(req.user, {
-      tenantsArrayFieldName: 'tenants',
-      tenantsArrayTenantFieldName: 'tenant',
-    })
+    // Filter tenants where user has 'admin' tenantRole
+    const adminTenants = (
+      (req.user.tenants as Array<{ tenant: { id: string } | string; tenantRole?: string }>) || []
+    )
+      .filter((t) => t.tenantRole === 'admin')
+      .map((t) => (typeof t.tenant === 'string' ? t.tenant : t.tenant?.id))
+      .filter(Boolean)
 
-    // if the user has assigned tenants, add id constraint
-    if (assignedTenants.length > 0) {
+    // User can access tenants where they have 'admin' tenantRole OR public tenants
+    if (adminTenants.length > 0) {
       return {
         or: [
           {
             id: {
-              in: assignedTenants,
+              in: adminTenants,
             },
           },
           {

test/plugin-multi-tenant/config.base.ts

@@ -74,6 +74,26 @@ export const baseConfig: Partial<Config> = {
       tenantField: {
         access: {},
       },
+      tenantsArrayField: {
+        rowFields: [
+          {
+            name: 'tenantRole',
+            type: 'select',
+            defaultValue: 'admin',
+            options: [
+              {
+                label: 'Admin',
+                value: 'admin',
+              },
+              {
+                label: 'Member',
+                value: 'member',
+              },
+            ],
+            saveToJWT: true,
+          },
+        ],
+      },
       collections: {
         [menuItemsSlug]: {
           useTenantAccess: false,

test/plugin-multi-tenant/credentials.ts

@@ -19,4 +19,8 @@ export const credentials = {
     email: 'huel@steel-cat.com',
     password: 'test',
   },
+  memberUser: {
+    email: 'member@test.com',
+    password: 'test',
+  },
 } as const

test/plugin-multi-tenant/e2e.spec.ts

@@ -903,6 +903,25 @@ test.describe('Multi Tenant', () => {
         .toBeFalsy()
     })
 
+    test('should only show tenants that user has read access to whether they are assigned to tenant or not', async () => {
+      // Login as user with Steel Cat (admin), Anchor Bar (admin), and Blue Dog (member)
+      await loginClientSide({
+        data: credentials.memberUser,
+        page,
+        serverURL,
+      })
+
+      await page.goto(tenantsURL.list)
+
+      // Should see: Steel Cat (admin role), Anchor Bar (admin role)
+      // Should NOT see: Blue Dog (member role - no read access)
+      await expect
+        .poll(async () => {
+          return (await getTenantOptions({ page })).sort()
+        })
+        .toEqual(['Anchor Bar', 'Steel Cat'].sort())
+    })
+
     test('should populate tenant selector after standard form login with tree-restructuring provider', async () => {
       // This test verifies the fix for a bug where TenantSelectionProviderClient
       // loses state on remount. The ConditionalWrapperProvider (registered in the

test/plugin-multi-tenant/payload-types.ts

@@ -161,6 +161,7 @@ export interface User {
   tenants?:
     | {
         tenant: string | Tenant;
+        tenantRole?: ('admin' | 'member') | null;
         id?: string | null;
       }[]
     | null;
@@ -413,6 +414,7 @@ export interface UsersSelect<T extends boolean = true> {
     | T
     | {
         tenant?: T;
+        tenantRole?: T;
         id?: T;
       };
   updatedAt?: T;

test/plugin-multi-tenant/seed/index.ts

@@ -228,6 +228,30 @@ export const seed = async (payload: Payload) => {
     },
   })
 
+  // User with mixed tenant roles: admin for Steel Cat, member for Blue Dog
+  await payload.create({
+    collection: usersSlug,
+    data: {
+      ...credentials.memberUser,
+      roles: ['user'],
+      tenants: [
+        {
+          tenant: steelCatTenant.id,
+          tenantRole: 'admin', // Has admin role - should see Steel Cat
+        },
+        {
+          tenant: anchorBarTenant.id,
+          tenantRole: 'admin',
+        },
+        {
+          tenant: blueDogTenant.id,
+          tenantRole: 'member', // Only member role - should NOT see Blue Dog
+        },
+      ],
+    },
+  })
+
+  // Create a user with no tenant associations
   await payload.create({
     collection: usersSlug,
     data: {