- Add pl.c2sgmbh.de and cms.c2sgmbh.de to cors and csrf arrays to fix Forbidden error on PATCH requests from these domains - Add saveToJWT: true to isSuperAdmin field so multiTenantPlugin correctly grants super admins access to all tenants Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
import type { CollectionConfig, Access, FieldAccess } from 'payload'
import { auditUserAfterChange, auditUserAfterDelete } from '../hooks/auditUserChanges'
import {
auditAfterLogin,
auditAfterLogout,
auditAfterForgotPassword,
} from '../hooks/auditAuthEvents'
// Users können ihren eigenen Account bearbeiten
/**
 * Collection-level `update` access for the users collection.
 *
 * A super admin may update any user document; any other authenticated user
 * may update only the document whose id equals their own. Both ids are
 * compared as strings so that differing id representations (e.g. a number
 * or database id object vs. a string) still match.
 *
 * When called without an `id` (Payload does this for bulk updates selected
 * by a `where` query) the result is `false` for non-super-admins rather than
 * a `Where` constraint, so bulk self-updates are refused.
 *
 * @returns `true` when the request may proceed, otherwise `false`.
 */
const canUpdateOwnAccount: Access = ({ req: { user }, id }) => {
  const requesterIsSuperAdmin = Boolean(user?.isSuperAdmin)
  const targetsOwnAccount =
    Boolean(user?.id) && Boolean(id) && String(user?.id) === String(id)
  return requesterIsSuperAdmin || targetsOwnAccount
}
/**
 * Field-level access shared by the `isSuperAdmin` field: only a logged-in
 * user whose `isSuperAdmin` flag is truthy may read, create or update it.
 *
 * @returns `true` for a super admin, `false` for any other or no user.
 */
const superAdminFieldAccess: FieldAccess = ({ req: { user } }) => !!user?.isSuperAdmin
/**
 * Auth-enabled `users` collection.
 *
 * Collection-level `update` is delegated to `canUpdateOwnAccount` (super admins
 * or the account owner); field-level read/create/update of `isSuperAdmin` is
 * restricted to super admins via `superAdminFieldAccess`. Document changes,
 * deletes, login, logout and forgot-password events are forwarded to the audit
 * hooks imported at the top of the file.
 *
 * NOTE(review): `youtubeRole`, `youtubeChannels` and `communityRole` declare no
 * field-level `access`, so a user admitted by `canUpdateOwnAccount` can set
 * these fields on their own document (e.g. change `youtubeRole` to 'manager').
 * Confirm that self-assignment is intended; if not, gate `update` on those
 * fields the same way `isSuperAdmin` is gated.
 */
export const Users: CollectionConfig = {
  slug: 'users',
  admin: {
    useAsTitle: 'email',
  },
  access: {
    // Allows users to update their own account (super admins: any account).
    update: canUpdateOwnAccount,
  },
  auth: {
    // Cookie configuration for production behind a reverse proxy (Cloudflare/Caddy)
    cookies: {
      sameSite: 'Lax',
      // Secure attribute only in production so plain-http local development still works.
      secure: process.env.NODE_ENV === 'production',
      domain: undefined, // set automatically by the browser
    },
    // Security settings
    lockTime: 10 * 60 * 1000, // 10-minute lock after the maximum number of failed attempts
    maxLoginAttempts: 5,
    tokenExpiration: 7200, // 2 hours
  },
  hooks: {
    afterChange: [auditUserAfterChange],
    afterDelete: [auditUserAfterDelete],
    afterLogin: [auditAfterLogin],
    afterLogout: [auditAfterLogout],
    afterForgotPassword: [auditAfterForgotPassword],
  },
  fields: [
    {
      name: 'isSuperAdmin',
      type: 'checkbox',
      label: 'Super Admin',
      defaultValue: false,
      // Stored in the JWT so plugins (e.g. the multi-tenant plugin) can read the
      // flag from the token without a DB lookup. Consequence: once the flag is
      // revoked, tokens issued earlier still carry it until `tokenExpiration`
      // (2 h) elapses — presumably acceptable; confirm no extra session
      // invalidation is required.
      saveToJWT: true,
      // Only super admins may see or change this flag through the API/admin UI.
      // NOTE(review): `read` filters API responses only; because of `saveToJWT`
      // the value is presumably also present in the token itself.
      access: {
        read: superAdminFieldAccess,
        create: superAdminFieldAccess,
        update: superAdminFieldAccess,
      },
      admin: {
        description: 'Super Admins haben Zugriff auf alle Tenants und können neue Tenants erstellen.',
        position: 'sidebar',
      },
    },
    // YouTube Operations Hub fields
    {
      name: 'youtubeRole',
      type: 'select',
      label: 'YouTube-Rolle',
      admin: {
        position: 'sidebar',
        description: 'Rolle im YouTube Operations Hub',
      },
      options: [
        { label: 'Kein Zugriff', value: 'none' },
        { label: 'Viewer (nur Lesen)', value: 'viewer' },
        { label: 'Editor (Schnitt)', value: 'editor' },
        { label: 'Producer (Produktion)', value: 'producer' },
        { label: 'Creator (Inhalte)', value: 'creator' },
        { label: 'Manager (Vollzugriff)', value: 'manager' },
      ],
      defaultValue: 'none',
    },
    {
      name: 'youtubeChannels',
      type: 'relationship',
      relationTo: 'youtube-channels',
      hasMany: true,
      label: 'YouTube-Kanäle',
      admin: {
        position: 'sidebar',
        description: 'Zugewiesene YouTube-Kanäle',
        // Shown in the admin UI only once a YouTube role other than 'none' is
        // selected. Note: evaluates to a truthy/falsy value (the role string,
        // `undefined` or `false`), not a strict boolean.
        condition: (data) => data?.youtubeRole && data.youtubeRole !== 'none',
      },
    },
    // Community Management fields
    {
      name: 'communityRole',
      type: 'select',
      label: 'Community-Rolle',
      defaultValue: 'none',
      options: [
        { label: 'Kein Zugriff', value: 'none' },
        { label: 'Viewer (nur Lesen)', value: 'viewer' },
        { label: 'Moderator', value: 'moderator' },
        { label: 'Manager (Vollzugriff)', value: 'manager' },
      ],
      admin: {
        position: 'sidebar',
        description: 'Zugriff auf Community Management Features',
      },
    },
  ],
}