npm - payload-plugin-newsletter - Versions diffs - 0.3.0 → 0.3.1 - Mend

payload-plugin-newsletter 0.3.0 → 0.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (17) hide show

package/CHANGELOG.md +18 -0
package/README.md +22 -0
package/dist/.tsbuildinfo +1 -1
package/dist/collections/NewsletterSettings.d.ts.map +1 -1
package/dist/collections/Subscribers.d.ts.map +1 -1
package/dist/src/collections/NewsletterSettings.js +4 -3
package/dist/src/collections/NewsletterSettings.js.map +1 -1
package/dist/src/collections/Subscribers.js +4 -39
package/dist/src/collections/Subscribers.js.map +1 -1
package/dist/src/types/index.js.map +1 -1
package/dist/src/utils/access.js +56 -0
package/dist/src/utils/access.js.map +1 -0
package/dist/types/index.d.ts +11 -0
package/dist/types/index.d.ts.map +1 -1
package/dist/utils/access.d.ts +15 -0
package/dist/utils/access.d.ts.map +1 -0
package/package.json +1 -1

package/CHANGELOG.md CHANGED Viewed

@@ -5,6 +5,23 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## [0.3.1] - 2025-06-15
+### Security
+- **CRITICAL**: Fixed access control vulnerability where any authenticated user could read, update, or delete any subscriber
+- **CRITICAL**: Fixed access control vulnerability where any authenticated user could modify newsletter settings
+- Added proper admin role checking with support for multiple admin patterns
+- Added configurable admin check function for custom authentication setups
+### Added
+- New `access.isAdmin` configuration option for custom admin authentication
+- Flexible admin detection supporting common patterns (roles, isAdmin, role, admin)
+- Access control utility functions for consistent security
+### Changed
+- All collection access controls now properly validate admin status
+- Improved security documentation with custom admin configuration examples
 ## [0.3.0] - 2025-06-15
 ### Added
@@ -73,6 +90,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Domain restriction options
 - Input validation and sanitization
+[0.3.1]: https://github.com/aniketpanjwani/payload-plugin-email-newsletter/releases/tag/v0.3.1
 [0.3.0]: https://github.com/aniketpanjwani/payload-plugin-email-newsletter/releases/tag/v0.3.0
 [0.2.0]: https://github.com/aniketpanjwani/payload-plugin-email-newsletter/releases/tag/v0.2.0
 [0.1.1]: https://github.com/aniketpanjwani/payload-plugin-email-newsletter/releases/tag/v0.1.1

package/README.md CHANGED Viewed

@@ -424,6 +424,28 @@ Starting from v0.3.0, the plugin implements proper access control for all operat
 - **Newsletter settings**: Only admin users can modify email provider settings and configurations
 - **API endpoints**: All endpoints respect Payload's access control rules
+#### Custom Admin Check
+The plugin supports multiple admin authentication patterns out of the box:
+- `user.roles.includes('admin')` - Role-based
+- `user.isAdmin === true` - Boolean field
+- `user.role === 'admin'` - Single role field
+- `user.admin === true` - Admin boolean
+If your setup uses a different pattern, configure a custom admin check:
+```typescript
+newsletterPlugin({
+  access: {
+    isAdmin: (user) => {
+      // Your custom logic
+      return user.customAdminField === true
+    }
+  },
+  // ... other config
+})
+```
 ### Best Practices
 - Always use environment variables for sensitive data (API keys, JWT secrets)