payload.find() hits the database directly, in the same process — no HTTP, no fetch. By default it also bypasses access control, on the assumption that server-side code trusts itself.
That assumption is exactly where holes appear. In server functions and endpoints that run on behalf of a user, you have to consciously turn enforcement on:
```ts
// DANGEROUS — full access, ignores access control
const docs = await payload.find({ collection: 'posts' })
```

```ts
// SAFE — respects access control for the given user
const docs = await payload.find({
  collection: 'posts',
  overrideAccess: false,
  user,
})
```
The trap is the default: overrideAccess is true unless you say otherwise. Any Local API call that returns data to an end user should pass overrideAccess: false and the user.
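A quick way to find the trap in an existing code base is to audit every Local API call for the missing option. The script below is an added example, not part of the original post and not a Payload tool: it scans source text for `payload.<op>({...})` calls and classifies each one by whether the options object sets `overrideAccess: false` and passes a `user`. The list of operation names, the brace scan (which ignores braces inside strings) and the sample source are assumptions constructed for the example.

```javascript
// Local API operations to look for (assumed list of common ops).
const LOCAL_API_OPS = ['findByID', 'find', 'count', 'create', 'update', 'delete'];

// Return the balanced `{...}` starting at src[start] (must be '{'), or null if
// unbalanced. Simplification: braces inside string literals are not skipped.
function balancedObject(src, start) {
  let depth = 0;
  for (let i = start; i < src.length; i++) {
    if (src[i] === '{') depth++;
    else if (src[i] === '}' && --depth === 0) return src.slice(start, i + 1);
  }
  return null;
}

// Classify every `payload.<op>(` call in `src`:
//   bypasses-access : no `overrideAccess: false`, so the default (true) applies
//   no-user         : enforcement on, but no user passed (runs as anonymous)
//   enforced        : overrideAccess: false and a user are both present
//   unknown         : options not an inline object literal; review by hand
function auditLocalApiCalls(src) {
  const re = new RegExp(`payload\\.(${LOCAL_API_OPS.join('|')})\\s*\\(\\s*`, 'g');
  const findings = [];
  let m;
  while ((m = re.exec(src)) !== null) {
    const line = src.slice(0, m.index).split('\n').length;
    const objStart = m.index + m[0].length;
    const obj = src[objStart] === '{' ? balancedObject(src, objStart) : null;
    if (obj === null) { findings.push({ line, op: m[1], status: 'unknown' }); continue; }
    const explicitFalse = /\boverrideAccess\s*:\s*false\b/.test(obj);
    const passesUser = /\buser\s*[:,}]/.test(obj); // `user,` shorthand or `user: ...`
    const status = !explicitFalse ? 'bypasses-access' : passesUser ? 'enforced' : 'no-user';
    findings.push({ line, op: m[1], status });
  }
  return findings;
}

// Constructed sample source: one leaky call, one correct call, one without a
// user, and one whose options are a variable the scanner cannot inspect.
const SAMPLE = `
export const handler = async (req) => {
  const leaked = await payload.find({ collection: 'posts' })
  const safe = await payload.find({
    collection: 'posts',
    where: { author: { equals: req.user.id } },
    overrideAccess: false,
    user: req.user,
  })
  const byId = await payload.findByID({ collection: 'posts', id, overrideAccess: false })
  const dyn = await payload.count(opts)
}`;

for (const f of auditLocalApiCalls(SAMPLE)) console.log(`line ${f.line}: payload.${f.op} -> ${f.status}`);
```

Treat `bypasses-access` hits in request handlers as findings to review; `unknown` hits need a manual look at where the options object is built.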