Payload access control isn't a boolean — it's a query constraint

Kacper Zawojski | Zavcode — Fri, 05 Jun 2026 19:12:17 +0000

This is, in my opinion, Payload's most underrated feature.

An access function can return true/false — or it can return a Where object that Payload stitches into every query at the database level. That's row-level security, for free:

export const canReadPage: Access<Page> = ({ req: { user } }) => {
  if (user) return true

  // A guest only sees public documents — the filter goes to the DB, not to JS
  return {
    isPublic: { equals: true },
  }
}

You don't fetch everything and then filter in memory — this Where becomes part of the WHERE clause in SQL (or $match in Mongo). And it works identically for read, update, and delete.

Once it clicks that access control is a constraint, not a gate, a whole class of "filter the user's own records" problems just disappears.

A year ago I spoke at Google during a WarsawJS meetup

Kacper Zawojski | Zavcode — Fri, 05 Jun 2026 17:58:23 +0000

A year ago I spoke at Google during a WarsawJS meetup — back then I was already migrating companies from legacy CMSes to PayloadCMS. Now at WAYF we do it for S&P 500 giants. Want to stay current on PayloadCMS - not just the tech, but real implementations too? Follow me.

PAYLOAD #TELLMEICANT #ZAVCODE #WAYF

DEV Community: Kacper Zawojski | Zavcode

Payload access control isn't a boolean — it's a query constraint

A year ago I spoke at Google during a WarsawJS meetup

PAYLOAD #TELLMEICANT #ZAVCODE #WAYF