perf: up to 5000% faster permissions calculation

docs/access-control/overview.mdx

@@ -56,12 +56,14 @@ To accomplish this, Payload exposes the [Access Operation](../authentication/ope
 
 <Banner type="warning">
   **Important:** When your access control functions are executed via the [Access
-  Operation](../authentication/operations#access), the `id` and `data` arguments
-  will be `undefined`. This is because Payload is executing your functions
-  without referencing a specific Document.
+  Operation](../authentication/operations#access), the `id`, `data`, `siblingData`, `blockData` and `doc` arguments
+  will be `undefined`. Additionally, `Where` queries returned from access control functions will not be run - we'll assume the user does not have access instead.
+
+This is because Payload is executing your functions without referencing a specific Document.
+
 </Banner>
 
-If you use `id` or `data` within your access control functions, make sure to check that they are defined first. If they are not, then you can assume that your Access Control is being executed via the Access Operation to determine solely what the user can do within the Admin Panel.
+If you use `id`, `data`, `siblingData`, `blockData` and `doc` within your access control functions, make sure to check that they are defined first. If they are not, then you can assume that your Access Control is being executed via the Access Operation to determine solely what the user can do within the Admin Panel.
 
 ## Locale Specific Access Control
 

packages/next/src/views/Document/getDocumentPermissions.tsx

@@ -16,6 +16,9 @@ export const getDocumentPermissions = async (args: {
   collectionConfig?: SanitizedCollectionConfig
   data: Data
   globalConfig?: SanitizedGlobalConfig
+  /**
+   * When called for creating a new document, id is not provided.
+   */
   id?: number | string
   req: PayloadRequest
 }): Promise<{
@@ -35,29 +38,27 @@ export const getDocumentPermissions = async (args: {
         collection: {
           config: collectionConfig,
         },
-        req: {
-          ...req,
-          data: {
-            ...data,
-            _status: 'draft',
-          },
+        data: {
+          ...data,
+          _status: 'draft',
         },
+        req,
       })
 
       if (collectionConfig.versions?.drafts) {
-        hasPublishPermission = await docAccessOperation({
-          id,
-          collection: {
-            config: collectionConfig,
-          },
-          req: {
-            ...req,
+        hasPublishPermission = (
+          await docAccessOperation({
+            id,
+            collection: {
+              config: collectionConfig,
+            },
             data: {
               ...data,
               _status: 'published',
             },
-          },
-        }).then((permissions) => permissions.update)
+            req,
+          })
+        ).update
       }
     } catch (err) {
       logError({ err, payload: req.payload })
@@ -67,24 +68,22 @@ export const getDocumentPermissions = async (args: {
   if (globalConfig) {
     try {
       docPermissions = await docAccessOperationGlobal({
+        data,
         globalConfig,
-        req: {
-          ...req,
-          data,
-        },
+        req,
       })
 
       if (globalConfig.versions?.drafts) {
-        hasPublishPermission = await docAccessOperationGlobal({
-          globalConfig,
-          req: {
-            ...req,
+        hasPublishPermission = (
+          await docAccessOperationGlobal({
             data: {
               ...data,
               _status: 'published',
             },
-          },
-        }).then((permissions) => permissions.update)
+            globalConfig,
+            req,
+          })
+        ).update
       }
     } catch (err) {
       logError({ err, payload: req.payload })

packages/payload/package.json

@@ -45,6 +45,11 @@
       "types": "./src/index.ts",
       "default": "./src/index.ts"
     },
+    "./internal": {
+      "import": "./src/exports/internal.ts",
+      "types": "./src/exports/internal.ts",
+      "default": "./src/exports/internal.ts"
+    },
     "./shared": {
       "import": "./src/exports/shared.ts",
       "types": "./src/exports/shared.ts",
@@ -150,6 +155,11 @@
         "types": "./dist/index.d.ts",
         "default": "./dist/index.js"
       },
+      "./internal": {
+        "import": "./dist/exports/internal.js",
+        "types": "./dist/exports/internal.d.ts",
+        "default": "./dist/exports/internal.js"
+      },
       "./node": {
         "import": "./dist/exports/node.js",
         "types": "./dist/exports/node.d.ts",

packages/payload/src/auth/getAccessResults.ts

@@ -1,7 +1,7 @@
 import type { AllOperations, PayloadRequest } from '../types/index.js'
 import type { Permissions, SanitizedPermissions } from './types.js'
 
-import { getEntityPolicies } from '../utilities/getEntityPolicies.js'
+import { getEntityPermissions } from '../utilities/getEntityPermissions/getEntityPermissions.js'
 import { sanitizePermissions } from '../utilities/sanitizePermissions.js'
 
 type GetAccessResultsArgs = {
@@ -27,7 +27,7 @@ export async function getAccessResults({
   } else {
     results.canAccessAdmin = false
   }
-  const blockPolicies = {}
+  const blockReferencesPermissions = {}
 
   await Promise.all(
     payload.config.collections.map(async (collection) => {
@@ -45,14 +45,15 @@ export async function getAccessResults({
         collectionOperations.push('readVersions')
       }
 
-      const collectionPolicy = await getEntityPolicies({
-        type: 'collection',
-        blockPolicies,
+      const collectionPermissions = await getEntityPermissions({
+        blockReferencesPermissions,
         entity: collection,
+        entityType: 'collection',
+        fetchData: false,
         operations: collectionOperations,
         req,
       })
-      results.collections![collection.slug] = collectionPolicy
+      results.collections![collection.slug] = collectionPermissions
     }),
   )
 
@@ -64,14 +65,15 @@ export async function getAccessResults({
         globalOperations.push('readVersions')
       }
 
-      const globalPolicy = await getEntityPolicies({
-        type: 'global',
-        blockPolicies,
+      const globalPermissions = await getEntityPermissions({
+        blockReferencesPermissions,
         entity: global,
+        entityType: 'global',
+        fetchData: false,
         operations: globalOperations,
         req,
       })
-      results.globals![global.slug] = globalPolicy
+      results.globals![global.slug] = globalPermissions
     }),
   )
 

packages/payload/src/auth/types.ts

@@ -28,11 +28,9 @@ export type SanitizedBlockPermissions =
     }
   | true
 
-export type BlocksPermissions =
-  | {
-      [blockSlug: string]: BlockPermissions
-    }
-  | true
+export type BlocksPermissions = {
+  [blockSlug: string]: BlockPermissions
+}
 
 export type SanitizedBlocksPermissions =
   | {
@@ -42,10 +40,10 @@ export type SanitizedBlocksPermissions =
 
 export type FieldPermissions = {
   blocks?: BlocksPermissions
-  create: Permission
+  create?: Permission
   fields?: FieldsPermissions
-  read: Permission
-  update: Permission
+  read?: Permission
+  update?: Permission
 }
 
 export type SanitizedFieldPermissions =
@@ -65,12 +63,14 @@ export type SanitizedFieldsPermissions =
   | true
 
 export type CollectionPermission = {
-  create: Permission
-  delete: Permission
+  create?: Permission
+  delete?: Permission
   fields: FieldsPermissions
-  read: Permission
+  read?: Permission
   readVersions?: Permission
-  update: Permission
+  // Auth-enabled Collections only
+  unlock?: Permission
+  update?: Permission
 }
 
 export type SanitizedCollectionPermission = {
@@ -79,14 +79,16 @@ export type SanitizedCollectionPermission = {
   fields: SanitizedFieldsPermissions
   read?: true
   readVersions?: true
+  // Auth-enabled Collections only
+  unlock?: true
   update?: true
 }
 
 export type GlobalPermission = {
   fields: FieldsPermissions
-  read: Permission
+  read?: Permission
   readVersions?: Permission
-  update: Permission
+  update?: Permission
 }
 
 export type SanitizedGlobalPermission = {

packages/payload/src/collections/operations/docAccess.ts

@@ -1,23 +1,31 @@
 import type { SanitizedCollectionPermission } from '../../auth/index.js'
-import type { AllOperations, PayloadRequest } from '../../types/index.js'
+import type { AllOperations, JsonObject, PayloadRequest } from '../../types/index.js'
 import type { Collection } from '../config/types.js'
 
-import { getEntityPolicies } from '../../utilities/getEntityPolicies.js'
+import { getEntityPermissions } from '../../utilities/getEntityPermissions/getEntityPermissions.js'
 import { killTransaction } from '../../utilities/killTransaction.js'
 import { sanitizePermissions } from '../../utilities/sanitizePermissions.js'
 
 const allOperations: AllOperations[] = ['create', 'read', 'update', 'delete']
 
 type Arguments = {
   collection: Collection
-  id: number | string
+  /**
+   * If the document data is passed, it will be used to check access instead of fetching the document from the database.
+   */
+  data?: JsonObject
+  /**
+   * When called for creating a new document, id is not provided.
+   */
+  id?: number | string
   req: PayloadRequest
 }
 
 export async function docAccessOperation(args: Arguments): Promise<SanitizedCollectionPermission> {
   const {
     id,
     collection: { config },
+    data,
     req,
   } = args
 
@@ -36,11 +44,13 @@ export async function docAccessOperation(args: Arguments): Promise<SanitizedColl
   }
 
   try {
-    const result = await getEntityPolicies({
-      id,
-      type: 'collection',
-      blockPolicies: {},
+    const result = await getEntityPermissions({
+      id: id!,
+      blockReferencesPermissions: {},
+      data,
       entity: config,
+      entityType: 'collection',
+      fetchData: id ? true : (false as true),
       operations: collectionOperations,
       req,
     })

packages/payload/src/config/types.ts

@@ -43,6 +43,7 @@ import type { RootFoldersConfiguration } from '../folders/types.js'
 import type { GlobalConfig, Globals, SanitizedGlobalConfig } from '../globals/config/types.js'
 import type {
   Block,
+  DefaultDocumentIDType,
   FlattenedBlock,
   JobsConfig,
   KVAdapterResult,
@@ -314,7 +315,7 @@ export type AccessArgs<TData = any> = {
    */
   data?: TData
   /** ID of the resource being accessed */
-  id?: number | string
+  id?: DefaultDocumentIDType
   /** If true, the request is for a static file */
   isReadingStaticFile?: boolean
   /** The original request that requires an access check */

packages/payload/src/database/queryValidation/types.ts

@@ -1,6 +1,7 @@
 import type { CollectionPermission, GlobalPermission } from '../../auth/index.js'
 import type { FlattenedField } from '../../fields/config/types.js'
 
+// TODO: Rename to EntityPermissions in 4.0
 export type EntityPolicies = {
   collections?: {
     [collectionSlug: string]: CollectionPermission

packages/payload/src/database/queryValidation/validateQueryPaths.ts

@@ -11,6 +11,7 @@ import { validateSearchParam } from './validateSearchParams.js'
 type Args = {
   errors?: { path: string }[]
   overrideAccess: boolean
+  // TODO: Rename to permissions or entityPermissions in 4.0
   policies?: EntityPolicies
   polymorphicJoin?: boolean
   req: PayloadRequest

packages/payload/src/database/queryValidation/validateSearchParams.ts

@@ -5,7 +5,7 @@ import type { PayloadRequest, WhereField } from '../../types/index.js'
 import type { EntityPolicies, PathToQuery } from './types.js'
 
 import { fieldAffectsData } from '../../fields/config/types.js'
-import { getEntityPolicies } from '../../utilities/getEntityPolicies.js'
+import { getEntityPermissions } from '../../utilities/getEntityPermissions/getEntityPermissions.js'
 import { isolateObjectProperty } from '../../utilities/isolateObjectProperty.js'
 import { getLocalizedPaths } from '../getLocalizedPaths.js'
 import { validateQueryPaths } from './validateQueryPaths.js'
@@ -20,6 +20,7 @@ type Args = {
   overrideAccess: boolean
   parentIsLocalized?: boolean
   path: string
+  // TODO: Rename to permissions or entityPermissions in 4.0
   policies: EntityPolicies
   polymorphicJoin?: boolean
   req: PayloadRequest
@@ -56,13 +57,14 @@ export async function validateSearchParam({
   let paths: PathToQuery[] = []
   const { slug } = (collectionConfig || globalConfig)!
 
-  const blockPolicies = {}
+  const blockReferencesPermissions = {}
 
   if (globalConfig && !policies.globals![slug]) {
-    policies.globals![slug] = await getEntityPolicies({
-      type: 'global',
-      blockPolicies,
+    policies.globals![slug] = await getEntityPermissions({
+      blockReferencesPermissions,
       entity: globalConfig,
+      entityType: 'global',
+      fetchData: false,
       operations: ['read'],
       req,
     })
@@ -123,10 +125,11 @@ export async function validateSearchParam({
       if (!overrideAccess && fieldAffectsData(field)) {
         if (collectionSlug) {
           if (!policies.collections![collectionSlug]) {
-            policies.collections![collectionSlug] = await getEntityPolicies({
-              type: 'collection',
-              blockPolicies,
+            policies.collections![collectionSlug] = await getEntityPermissions({
+              blockReferencesPermissions,
               entity: req.payload.collections[collectionSlug]!.config,
+              entityType: 'collection',
+              fetchData: false,
               operations: ['read'],
               req: isolateObjectProperty(req, 'transactionID'),
             })

packages/payload/src/exports/internal.ts

@@ -0,0 +1,6 @@
+/**
+ * Modules exported here are not part of the public API and are subject to change without notice and without a major version bump.
+ */
+
+export { getEntityPermissions } from '../utilities/getEntityPermissions/getEntityPermissions.js'
+export { sanitizePermissions } from '../utilities/sanitizePermissions.js'