
Payload CMS Release: Release 0.10.8

Tag Name: v0.10.8

Release Date: 10/4/2021

Payload CMS

Payload CMS is a modern, self-hosted headless content management system built with TypeScript, Node.js, and MongoDB. It's designed specifically for developers who want full control over their content management system while maintaining a powerful admin interface for content editors.

TL;DR

Payload CMS v0.10.8 fixes a critical bug in field access control during update operations. This patch ensures that the document ID is properly passed to access control functions when updating fields, allowing for more accurate permission checks based on document context.

Highlights of the Release

    • Fixed a bug where document IDs were not being passed to field-level access control functions during update operations
    • Improved security and reliability of access control implementations that depend on document context

Migration Guide

No migration steps are required for this release. The fix is applied automatically when you upgrade to v0.10.8.

However, if you have implemented custom field-level access control functions that were working around the missing ID issue, you may want to review and potentially simplify those implementations now that IDs are properly provided.

Upgrade Recommendations

This release is recommended for all Payload CMS users, especially those utilizing field-level access control in their applications. The fix addresses a fundamental issue with access control during update operations and could prevent potential security or permission enforcement problems.

Upgrade steps:

  1. Update your Payload dependency to v0.10.8:
    npm install payload@0.10.8
    # or
    yarn add payload@0.10.8
    
  2. Review any custom field-level access control functions that might have been working around the missing ID issue.

Bug Fixes

Field Access Control Fix

This release addresses an important bug in Payload's field-level access control system. Previously, when updating documents, the document ID was not being properly passed to access control functions for fields. This could lead to inconsistent access control behavior, especially in cases where permissions needed to be determined based on the specific document being updated.

The fix ensures that field access control functions now correctly receive the document ID during update operations, allowing for more precise and context-aware permission checks.
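To illustrate why the missing ID matters, here is an added example (not Payload's code and not taken from the release) of a field-level update check that depends on the document ID, written once as a fail-open workaround and once fail-closed. The `{ req, id }` argument shape, the `editorsByDoc` table and all function names are assumptions made for illustration.

```javascript
// Added example: not Payload's code. The argument shape ({ req, id }) is an
// assumption modelled on the release note; all names below are hypothetical.

// Constructed sample data: which users may edit the `status` field of which documents.
const editorsByDoc = new Map([
  ['doc-1', new Set(['alice'])],
  ['doc-2', new Set(['bob'])],
]);

// Workaround-style check: treats a missing id as "no document yet" and allows.
// When an update call omitted the id, every update looked like that case.
function naiveUpdateAccess({ req, id }) {
  if (!req || !req.user) return false;
  if (id === undefined) return true; // fails open on missing context
  const editors = editorsByDoc.get(String(id));
  return Boolean(editors && editors.has(req.user.id));
}

// Fail-closed check: an update decision without a document id is denied.
function strictUpdateAccess({ req, id }) {
  if (!req || !req.user) return false;
  if (id === undefined || id === null || id === '') return false;
  const editors = editorsByDoc.get(String(id));
  return Boolean(editors && editors.has(req.user.id));
}

// Evaluate both checks for the same request, with and without the id,
// mirroring an update call before and after the fix described above.
function compare(userId, docId) {
  const req = { user: { id: userId } };
  return {
    naiveWithoutId: naiveUpdateAccess({ req }),
    naiveWithId: naiveUpdateAccess({ req, id: docId }),
    strictWithoutId: strictUpdateAccess({ req }),
    strictWithId: strictUpdateAccess({ req, id: docId }),
  };
}

// bob is not an editor of doc-1; alice is.
console.log(compare('bob', 'doc-1'));
console.log(compare('alice', 'doc-1'));
```

The fail-closed form denies legitimate edits when the ID is absent, which is the visible symptom to look for when reviewing functions written against versions before 0.10.8.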

New Features

No new features were added in this release.

Security Updates

While not explicitly labeled as a security fix, the correction to field access control could address potential security issues where permissions might not have been properly enforced due to missing document context. By ensuring the document ID is available during access control checks, this patch helps maintain the integrity of your content security model.

Performance Improvements

No specific performance improvements were included in this release.

Impact Summary

This release focuses on a single but important bug fix related to field-level access control during document updates. The impact is primarily on the security and reliability of access control implementations.

By ensuring that document IDs are properly passed to field access control functions during updates, Payload now enables more accurate permission checks based on document context. This is particularly important for applications that implement sophisticated access control rules where permissions depend on the specific document being edited.

While this change is technically small (10 additions, 1 deletion across 3 files), it addresses a fundamental aspect of Payload's security model and ensures that access control behaves consistently across all operations.

Full Release Notes

0.10.8 (2021-10-04)

Bug Fixes

  • ensures update field access control receives id (ffab6c4)

Statistics:

  • Files Changed: 3
  • Line Additions: 10
  • Line Deletions: 1
  • Line Changes: 11
  • Total Commits: 2

Users Affected:

  • Can now implement more reliable access control logic that depends on document IDs during update operations
  • No longer need to work around missing ID information in field-level access control functions

Contributors:

JarrodMFlesch, jmikrut