Help with Access Control in Posts Collection

[SychMusti]

Hi community,

I'm working on setting up access control for my Posts collection in Payload CMS and need some assistance. Here’s what I’m trying to achieve:

• Anyone can read the Posts.
• Contributors should only be able to create and update drafts of blog posts, not publish them.
• Editors and Admins should have full access to update and publish posts.

export const Posts: CollectionConfig<'posts'> = {
  slug: 'posts',
  access: {
    create: isContributorOrAbove,
    delete: isAdmin,
    read: anyone,
    update: ({ req: { user } }) => {
      if (!user) return false;
      const roles = user.roles || [];
      if (roles.includes('editor') || roles.includes('admin')) {
        return true; // Editors and Admins can update any post
      }
      if (roles.includes('contributor')) {
        return {
          authors: { contains: user.id },
          _status: { equals: 'draft' },
        };
      }
      return false;
    },
  },
  // ... other fields and configurations
};

But this doesn't seem to work.
Are there any examples or best practices for implementing role-based access control with drafts in Payload CMS?

Note: The helper functions (isContributorOrAbove, isAdmin, anyone) are standard role checks, but I can share them if needed.

I’d really appreciate any insights, suggestions, or examples from the community to help me resolve this issue. Thank you in advance!

[DanRibbens]

I don't see anything incorrect here.

We have this older blog post about it https://payloadcms.com/posts/blog/build-your-own-rbac which appears pretty similar other than roles are hasMany in your case.

Is any part of your access control working?
Which role are you asking about and what methods—create, delete, read or update?

If the admin UI is working but not other API requests, it could be that you're not sending through the authorization token so the user isn't being recognized.