Skip to content

Feature request: allow access control for regenerateButton using req #2

Description

@derXear

It would be very useful if the regenerateButton option could receive the current Payload request context, especially req.user, so the regenerate image button can be shown only to users with specific roles or permissions.

Currently, the option appears to support only a static boolean/object configuration:

regenerateButton?: boolean | {
  enabled?: boolean
  allowForceAll?: boolean
}

This makes it possible to enable or disable the button globally, but not conditionally based on the logged-in admin user.

Use case

In our Payload project, image regeneration can be an expensive operation because it may process many existing media files. We only want certain users, for example admins or users with a specific role, to be able to trigger regeneration.

For example:

imageOptimizer({
  regenerateButton: {
    enabled: ({ req }) => req.user?.role === 'admin',
    allowForceAll: ({ req }) => req.user?.role === 'admin',
  },
})

Desired behavior

The plugin should allow regenerateButton.enabled and regenerateButton.allowForceAll to be either static booleans or functions that receive the current Payload request.

Possible API:

type RegenerateButtonConfig =
  | boolean
  | {
      enabled?: boolean | ((args: { req: PayloadRequest }) => boolean | Promise<boolean>)
      allowForceAll?: boolean | ((args: { req: PayloadRequest }) => boolean | Promise<boolean>)
    }

This would allow projects to integrate the button with their existing Payload role/access logic.

Security consideration

Ideally, this should not only hide the button in the admin UI. The regenerate API endpoints should also respect the same access check, so users cannot trigger regeneration by calling the endpoint directly.

For example, if enabled resolves to false for the current user, the regenerate endpoint could return 403 Forbidden.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions