Describe the Bug
Hello!
It seems you can bypass access controls for users to the admin page if you have a custom dashboard view for the admin.
I am talking about these access controls:
https://payloadcms.com/docs/access-control/collections#admin
```ts
export const User: CollectionConfig = {
  // ...
  access: {
    admin: ({ req: { user } }) => {
      return Boolean(user)
    },
  },
}
```
Link to the code that reproduces this issue
https://github.com/scastlara/payload-admin-bypass-repro
Reproduction Steps
In a setup with role-based access permissions, where some users can access the admin and others can't (depending on their role), something strange happens that allows users to bypass the access controls.
In the normal case (without a custom dashboard), no matter where you navigate to the admin, you always get this screen:
This is good, and intended. If you navigate directly to a collection (http://localhost:3001/admin/collections/media in the reproduction repo), you also get the same screen.
However, if you set this in your payload config (an override of the dashboard view), you get into a strange case:
```ts
components: {
  views: {
    dashboard: {
      path: "/",
      Component: "src/customComponents/Dashboard",
    },
  },
},
```
- If you navigate to /admin you get the unauthorized page 👍
- BUT, if you navigate to /admin/collections/media... you can see the media list! 👎
You can test it in the repro repo by commenting or uncommenting the payload config definition for the dashboard override (https://github.com/scastlara/payload-admin-bypass-repro/blob/main/src/payload.config.ts#L19). You will need a user with the `user` role but without the `admin` role.
Which area(s) are affected?
Not sure
Environment Info
Binaries:
Node: 24.13.0
npm: 11.6.2
Yarn: 1.22.22
pnpm: 10.29.3
Relevant Packages:
payload: 3.80.0
next: 16.2.1
@payloadcms/db-sqlite: 3.80.0
@payloadcms/drizzle: 3.80.0
@payloadcms/graphql: 3.80.0
@payloadcms/next/utilities: 3.80.0
@payloadcms/richtext-lexical: 3.80.0
@payloadcms/translations: 3.80.0
@payloadcms/ui/shared: 3.80.0
react: 19.2.4
react-dom: 19.2.4
Operating System:
Platform: darwin
Arch: arm64
Version: Darwin Kernel Version 25.4.0: Thu Mar 19 19:32:36 PDT 2026; root:xnu-12377.101.15~1/RELEASE_ARM64_T8103
Available memory (MB): 16384
Available CPU cores: 8
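The following is an added example, not code from the Payload project or from the reproduction repo. It models the role-based `access.admin` function the report describes and the invariant the report expects from the admin router: every path under /admin is gated by that function, whether or not a custom dashboard view is registered. The `User`, `ViewConfig` and `guardAdminRoute` shapes are assumptions for illustration and are not Payload's real routing code; the users and paths are constructed from the report.

```typescript
// Added example (not Payload's code): a minimal model of a role-based
// `access.admin` check plus a route guard that applies it to every /admin path.

type Role = "admin" | "user";
interface User { id: string; roles: Role[] }
interface AdminAccessArgs { req: { user: User | null } }
type AdminAccess = (args: AdminAccessArgs) => boolean;

// Role-based variant of the docs' `admin: ({ req: { user } }) => Boolean(user)`:
// only a logged-in user holding the "admin" role may enter the admin panel.
const adminAccess: AdminAccess = ({ req: { user } }) =>
  Boolean(user && user.roles.includes("admin"));

// Hypothetical config shape: whether a custom dashboard view is registered.
// It is passed to the guard only to show that the decision must not depend on it.
interface ViewConfig { customDashboard: boolean }

type Decision = "allow" | "unauthorized" | "not-admin-route";

// Guard applying access.admin to /admin and everything below it. The outcome
// is independent of `views.customDashboard`; the report says this independence
// is violated for /admin/collections/<slug> when a dashboard override is set.
function guardAdminRoute(
  path: string,
  user: User | null,
  access: AdminAccess,
  views: ViewConfig,
): Decision {
  void views; // deliberately unused: the guard must not branch on it
  if (path !== "/admin" && !path.startsWith("/admin/")) return "not-admin-route";
  return access({ req: { user } }) ? "allow" : "unauthorized";
}

// Constructed users and the two paths from the report.
const viewer: User = { id: "u1", roles: ["user"] };
const adminUser: User = { id: "u2", roles: ["admin", "user"] };
const adminPaths = ["/admin", "/admin/collections/media"];

// Checks both paths for a user, with and without the dashboard override, and
// returns true only if every decision equals the expected one. A false result
// on the viewer is exactly the symptom the report describes.
function consistentFor(user: User | null, expected: Decision): boolean {
  for (const path of adminPaths) {
    for (const customDashboard of [false, true]) {
      if (guardAdminRoute(path, user, adminAccess, { customDashboard }) !== expected) {
        return false;
      }
    }
  }
  return true;
}
```

Run `consistentFor(viewer, "unauthorized")` against a model of the real router to spot the regression: the reported behaviour would return `false` because /admin/collections/media is allowed while /admin is not once the dashboard override is present.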