Access control read function receives empty id when accessing media entity file URL

[timothylp]

Describe the Bug

When implementing access control on a media collection's read property, the id and data parameters are always empty when accessing the media URL. This prevents proper access control based on file ownership.

Expected behavior

The id parameter should contain the media item's ID, allowing for proper access control.

Actual behavior

id and data are empty, making it impossible to secure media files correctly.

Additional context

• The issue persists even when autoLogin is set to false.
• Reproducible across multiple projects.

Link to the code that reproduces this issue

https://github.com/timothylp/upload-empty-data-access-bug

Reproduction Steps

1. Create a Payload project using pnpx create-payload-app -t blank.
2. Implement a simple read access control function that logs the id and data values.
3. Upload an image and attempt to access its Payload-generated URL.

Which area(s) are affected? (Select all that apply)

area: core

Environment Info

Binaries:
  Node: 20.18.2
  npm: N/A
  Yarn: N/A
  pnpm: 9.15.4
Relevant Packages:
  payload: 3.23.0
  next: 15.1.5
  @payloadcms/email-nodemailer: 3.23.0
  @payloadcms/graphql: 3.23.0
  @payloadcms/next/utilities: 3.23.0
  @payloadcms/payload-cloud: 3.23.0
  @payloadcms/richtext-lexical: 3.23.0
  @payloadcms/translations: 3.23.0
  @payloadcms/ui/shared: 3.23.0
  react: 19.0.0
  react-dom: 19.0.0
Operating System:
  Platform: win32
  Arch: x64
  Version: Windows 11 Pro
  Available memory (MB): 32509
  Available CPU cores: 32

[DallasO]

I think this is intended behavior, what value is there in having the document ID at this point?

If you have the users ID, you should be able to authorize access accordingly.
Either

• the media collection is public, or tied to role/etc
• the collection has a userId field if they own the upload
• there is a many-to-many table between the upload and user

Changing this will double DB calls (1 to get the document ID, 1 for the existing flow), when there should be another path that avoids this.

[akhrarovsaid]

Hey @timothylp,

Pondering this, I think a workaround you can use for now is to leverage the req object to get the filename of the resource and perform further where queries against this. You can use req.pathname or req.routeParams here to help in the meantime.

[timothylp]

Thank you for your responses. In my case, I would like to automatically protect a media file if it is used in another collection.

Even with the example you provided: the collection has a userId field if they own the upload, I can't apply it because I have no way to access the data related to the media, and therefore no access to the userId. So, even if I can retrieve the user from the request, it doesn’t help if I don’t have any information about the requested entity.

When setting up access control for an upload collection, one would expect to have control over the uploaded files themselves.

As a temporary solution, I will try the one suggested by @akhrarovsaid, although I find it more of a workaround than a clean approach.