fix: make SEO global read public to prevent 403 during admin SSR

The SEO Settings global had `read: ({ req: { user } }) => Boolean(user)` which requires authentication. During admin panel server-side rendering (after saves), the user context is not propagated to global reads, causing a Forbidden error that crashes the entire page render. SEO data is not sensitive, so public read access is appropriate. Also removes temporary debug logging. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-17 18:34:13 +00:00 · 2026-02-25 13:32:00 +00:00 · 2026-02-25 13:32:00 +00:00 · a77c2b747d
commit a77c2b747d
parent 36823b2d9f
2 changed files with 4 additions and 42 deletions
--- a/src/globals/SEOSettings.ts
+++ b/src/globals/SEOSettings.ts
@ -17,18 +17,11 @@ export const SEOSettings: GlobalConfig = {
    description: 'Globale SEO-Konfiguration und Schema.org Daten',
  },
  access: {
-    // Alle angemeldeten Benutzer können lesen
-    read: ({ req: { user } }) => {
-      const result = Boolean(user)
-      if (!result) console.log('[DEBUG:SEO] read ACCESS DENIED - no user')
-      return result
-    },
+    // Öffentlich lesbar - SEO-Daten sind nicht sensitiv und werden
+    // beim Admin-Panel SSR benötigt (wo der User-Kontext fehlen kann)
+    read: () => true,
    // Nur Super Admins können bearbeiten
-    update: ({ req: { user } }) => {
-      const result = Boolean(user?.isSuperAdmin)
-      console.log('[DEBUG:SEO] update access:', { email: user?.email, isSuperAdmin: user?.isSuperAdmin, result })
-      return result
-    },
+    update: ({ req: { user } }) => Boolean(user?.isSuperAdmin),
  },
  fields: [
    // === META DEFAULTS ===
--- a/src/payload.config.ts
+++ b/src/payload.config.ts
@ -131,37 +131,6 @@ const filename = fileURLToPath(import.meta.url)
 const dirname = path.dirname(filename)

 export default buildConfig({
-  // DEBUG: Log all API requests that result in 403
-  onInit: async (payload) => {
-    // eslint-disable-next-line @typescript-eslint/no-explicit-any
-    const origFindGlobal = payload.findGlobal.bind(payload) as any
-    // eslint-disable-next-line @typescript-eslint/no-explicit-any
-    ;(payload as any).findGlobal = async (args: any) => {
-      try { return await origFindGlobal(args) } catch (err: any) {
-        if (err?.status === 403) console.log('[DEBUG:403] Global read FORBIDDEN:', { slug: args.slug, user: args.req?.user?.email || 'no user' })
-        throw err
-      }
-    }
-    // eslint-disable-next-line @typescript-eslint/no-explicit-any
-    const origUpdate = payload.update.bind(payload) as any
-    // eslint-disable-next-line @typescript-eslint/no-explicit-any
-    ;(payload as any).update = async (args: any) => {
-      try { return await origUpdate(args) } catch (err: any) {
-        if (err?.status === 403) console.log('[DEBUG:403] Collection update FORBIDDEN:', { collection: args.collection, id: args.id, user: args.req?.user?.email || 'no user' })
-        throw err
-      }
-    }
-    // eslint-disable-next-line @typescript-eslint/no-explicit-any
-    const origUpdateGlobal = payload.updateGlobal.bind(payload) as any
-    // eslint-disable-next-line @typescript-eslint/no-explicit-any
-    ;(payload as any).updateGlobal = async (args: any) => {
-      try { return await origUpdateGlobal(args) } catch (err: any) {
-        if (err?.status === 403) console.log('[DEBUG:403] Global update FORBIDDEN:', { slug: args.slug, user: args.req?.user?.email || 'no user' })
-        throw err
-      }
-    }
-    console.log('[DEBUG] 403 interceptors installed')
-  },
  serverURL: process.env.PAYLOAD_PUBLIC_SERVER_URL || 'https://pl.porwoll.tech',
  admin: {
    user: Users.slug,