templates: ecommerce add missing access control on collections (#15744)

Adds some missing access control on various collections in the template
to ensure only admin can do these updates.

Author: paulpopus

templates/ecommerce/src/app/(app)/next/seed/route.ts

@@ -3,6 +3,8 @@ import { seed } from '@/endpoints/seed'
 import config from '@payload-config'
 import { headers } from 'next/headers'
 
+import { checkRole } from '@/access/utilities'
+
 export const maxDuration = 300 // This function can run for a maximum of 300 seconds
 
 export async function POST(): Promise<Response> {
@@ -12,7 +14,7 @@ export async function POST(): Promise<Response> {
   // Authenticate by passing request headers
   const { user } = await payload.auth({ headers: requestHeaders })
 
-  if (!user) {
+  if (!user || !checkRole(['admin'], user)) {
     return new Response('Action forbidden.', { status: 403 })
   }
 

templates/ecommerce/src/collections/Categories.ts

@@ -1,10 +1,15 @@
 import { slugField } from 'payload'
 import type { CollectionConfig } from 'payload'
 
+import { adminOnly } from '@/access/adminOnly'
+
 export const Categories: CollectionConfig = {
   slug: 'categories',
   access: {
+    create: adminOnly,
+    delete: adminOnly,
     read: () => true,
+    update: adminOnly,
   },
   admin: {
     useAsTitle: 'title',

templates/ecommerce/src/collections/Media.ts

@@ -8,6 +8,8 @@ import {
 import path from 'path'
 import { fileURLToPath } from 'url'
 
+import { adminOnly } from '@/access/adminOnly'
+
 const filename = fileURLToPath(import.meta.url)
 const dirname = path.dirname(filename)
 
@@ -17,7 +19,10 @@ export const Media: CollectionConfig = {
   },
   slug: 'media',
   access: {
+    create: adminOnly,
+    delete: adminOnly,
     read: () => true,
+    update: adminOnly,
   },
   fields: [
     {

templates/ecommerce/src/collections/Users/index.ts

@@ -15,6 +15,7 @@ export const Users: CollectionConfig = {
     create: publicAccess,
     delete: adminOnly,
     read: adminOrSelf,
+    unlock: adminOnly,
     update: adminOrSelf,
   },
   admin: {

templates/ecommerce/src/globals/Footer.ts

@@ -1,11 +1,13 @@
 import type { GlobalConfig } from 'payload'
 
+import { adminOnly } from '@/access/adminOnly'
 import { link } from '@/fields/link'
 
 export const Footer: GlobalConfig = {
   slug: 'footer',
   access: {
     read: () => true,
+    update: adminOnly,
   },
   fields: [
     {

templates/ecommerce/src/globals/Header.ts

@@ -1,11 +1,13 @@
 import type { GlobalConfig } from 'payload'
 
+import { adminOnly } from '@/access/adminOnly'
 import { link } from '@/fields/link'
 
 export const Header: GlobalConfig = {
   slug: 'header',
   access: {
     read: () => true,
+    update: adminOnly,
   },
   fields: [
     {

templates/ecommerce/src/plugins/index.ts

@@ -36,11 +36,22 @@ export const plugins: Plugin[] = [
       payment: false,
     },
     formSubmissionOverrides: {
+      access: {
+        delete: isAdmin,
+        read: isAdmin,
+        update: isAdmin,
+      },
       admin: {
         group: 'Content',
       },
     },
     formOverrides: {
+      access: {
+        delete: isAdmin,
+        read: isAdmin,
+        update: isAdmin,
+        create: isAdmin,
+      },
       admin: {
         group: 'Content',
       },