It would be very useful if the regenerateButton option could receive the current Payload request context, especially req.user, so the regenerate image button can be shown only to users with specific roles or permissions.
Currently, the option appears to support only a static boolean/object configuration:
regenerateButton?: boolean | {
enabled?: boolean
allowForceAll?: boolean
}
This makes it possible to enable or disable the button globally, but not conditionally based on the logged-in admin user.
Use case
In our Payload project, image regeneration can be an expensive operation because it may process many existing media files. We only want certain users, for example admins or users with a specific role, to be able to trigger regeneration.
For example:
imageOptimizer({
regenerateButton: {
enabled: ({ req }) => req.user?.role === 'admin',
allowForceAll: ({ req }) => req.user?.role === 'admin',
},
})
Desired behavior
The plugin should allow regenerateButton.enabled and regenerateButton.allowForceAll to be either static booleans or functions that receive the current Payload request.
Possible API:
type RegenerateButtonConfig =
| boolean
| {
enabled?: boolean | ((args: { req: PayloadRequest }) => boolean | Promise<boolean>)
allowForceAll?: boolean | ((args: { req: PayloadRequest }) => boolean | Promise<boolean>)
}
This would allow projects to integrate the button with their existing Payload role/access logic.
Security consideration
Ideally, this should not only hide the button in the admin UI. The regenerate API endpoints should also respect the same access check, so users cannot trigger regeneration by calling the endpoint directly.
For example, if enabled resolves to false for the current user, the regenerate endpoint could return 403 Forbidden.
It would be very useful if the regenerateButton option could receive the current Payload request context, especially req.user, so the regenerate image button can be shown only to users with specific roles or permissions.
Currently, the option appears to support only a static boolean/object configuration:
This makes it possible to enable or disable the button globally, but not conditionally based on the logged-in admin user.
Use case
In our Payload project, image regeneration can be an expensive operation because it may process many existing media files. We only want certain users, for example admins or users with a specific role, to be able to trigger regeneration.
For example:
Desired behavior
The plugin should allow regenerateButton.enabled and regenerateButton.allowForceAll to be either static booleans or functions that receive the current Payload request.
Possible API:
This would allow projects to integrate the button with their existing Payload role/access logic.
Security consideration
Ideally, this should not only hide the button in the admin UI. The regenerate API endpoints should also respect the same access check, so users cannot trigger regeneration by calling the endpoint directly.
For example, if enabled resolves to false for the current user, the regenerate endpoint could return 403 Forbidden.