payload-rbac-plugin 0.0.1

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Mahmoud Hassan
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,177 @@
+# Payload CMS Dynamic RBAC Plugin
+
+[![NPM Version](https://img.shields.io/npm/v/payload-rbac-plugin.svg?style=flat-square)](https://www.npmjs.com/package/payload-rbac-plugin)
+[![NPM Downloads](https://img.shields.io/npm/dm/payload-rbac-plugin.svg?style=flat-square)](https://www.npmjs.com/package/payload-rbac-plugin)
+[![License](https://img.shields.io/npm/l/payload-rbac-plugin.svg?style=flat-square)](https://github.com/Mhmod-Hsn/Payload-RBAC-Plugin/blob/main/LICENSE)
+[![CI Status](https://img.shields.io/github/actions/workflow/status/Mhmod-Hsn/Payload-RBAC-Plugin/ci.yml?branch=main&style=flat-square)](https://github.com/Mhmod-Hsn/Payload-RBAC-Plugin/actions)
+
+A professional, database-backed Role-Based Access Control (RBAC) system for [Payload CMS](https://payloadcms.com) (v3). 
+
+This plugin emphasizes checking **permissions instead of roles** to avoid hard-coded authorization logic in your source code, making your access control highly scalable, modular, and dynamic.
+
+---
+
+## Features
+
+- **Dynamic Collections**: Automatically injects database-backed `Roles` and `Permissions` collections.
+- **Auth Collection Extension**: Injects a `roles` relationship field into your target auth collection (e.g., `users`) with `saveToJWT: true` for zero-cost runtime checks.
+- **Bulk Permission Generator**: In the Admin UI, easily switch between creating a single permission or using the Bulk CRUD Generator to automatically generate separate permissions (e.g., `posts:create`, `posts:read`, `posts:update`, `posts:delete`) at once. 
+- **UI-Only Helpers**: Bulk generator fields (`type`, `collectionName`, CRUD checkboxes) are purely for the UI and are never saved to your database, keeping your collections clean.
+- **Customizable Schemas**: Allow developers to inject additional custom fields into both `Roles` and `Permissions` schemas.
+- **Granular Control**: Set visibility permissions (`hideRoles`, `hidePermissions`) dynamically or statically for the RBAC admin interface.
+- **Helper Utilities**: Simple and robust functions to check permissions (`hasPermission`) and access control wrappers (`checkPermission`).
+- **Fully Tested**: Powered by a robust integration and unit test suite built with Vitest.
+
+## Screenshots
+
+### 1. Permissions List View
+Shows flat generated permissions (e.g. `posts:create`, `posts:read`) and legacy system permissions.
+![Permissions List View](images/permissions_list.png)
+
+### 2. Single Permission Form
+Create individual custom permissions.
+![Single Permission Form](images/permissions_single.png)
+
+### 3. Bulk CRUD Generator Form
+Select a collection and check CRUD actions to instantly generate multiple permissions.
+![Bulk CRUD Generator Form](images/permissions_bulk.png)
+
+### 4. Roles List View
+Displays roles and all permissions associated with them.
+![Roles List View](images/roles_list.png)
+
+### 5. Role Configuration Form
+Assign permissions directly to roles in the admin UI.
+![Role Configuration Form](images/role_edit.png)
+
+---
+
+## Installation
+
+Add the plugin to your project:
+
+```bash
+pnpm add payload-rbac-plugin
+# or
+npm install payload-rbac-plugin
+# or
+yarn add payload-rbac-plugin
+```
+
+---
+
+## Setup & Configuration
+
+Import and configure the plugin in your `payload.config.ts`:
+
+```typescript
+import { buildConfig } from 'payload'
+import { rbac, hasPermission } from 'payload-rbac-plugin'
+
+export default buildConfig({
+  collections: [
+    {
+      slug: 'posts',
+      fields: [],
+    },
+  ],
+  plugins: [
+    rbac({
+      enabled: true,
+      // Optional configurations:
+      authCollectionSlug: 'users',        // Default: 'users'
+      rolesCollectionSlug: 'roles',        // Default: 'roles'
+      permissionsCollectionSlug: 'permissions', // Default: 'permissions'
+      
+      // Control access/visibility of the RBAC panel:
+      hidePermissions: ({ user }) => !hasPermission(user, 'access:permissions'),
+      hideRoles: ({ user }) => !hasPermission(user, 'access:roles'),
+    }),
+  ],
+})
+```
+
+### Configuration Options
+
+| Option | Type | Default | Description |
+| :--- | :--- | :--- | :--- |
+| `enabled` | `boolean` | `true` | Enable or disable the plugin. |
+| `authCollectionSlug` | `string` | `'users'` | The collection slug representing the users collection. |
+| `rolesCollectionSlug` | `string` | `'roles'` | The slug for the automatically injected Roles collection. |
+| `permissionsCollectionSlug` | `string` | `'permissions'` | The slug for the automatically injected Permissions collection. |
+| `rolesFields` | `Field[]` | `[]` | Extra custom fields to inject into the Roles collection. |
+| `permissionsFields` | `Field[]` | `[]` | Extra custom fields to inject into the Permissions collection. |
+| `hideRoles` | `boolean \| ((args: { user: any }) => boolean)` | `false` | Hide the Roles collection from the sidebar navigation. |
+| `hidePermissions` | `boolean \| ((args: { user: any }) => boolean)` | `false` | Hide the Permissions collection from the sidebar navigation. |
+
+---
+
+## Usage
+
+### 1. Protecting Collections (Access Control)
+
+You can protect collections using the `checkPermission` Higher-Order Function. It returns a standard Payload `Access` control resolver.
+
+```typescript
+import { checkPermission } from 'payload-rbac-plugin'
+
+export const PostsCollection = {
+  slug: 'posts',
+  access: {
+    create: checkPermission('posts:create'),
+    read: checkPermission('posts:read'),
+    update: checkPermission('posts:update'),
+    delete: checkPermission('posts:delete'),
+  },
+  fields: [],
+}
+```
+
+### 2. Manual Permission Verification (`hasPermission`)
+
+For custom endpoints, hooks, or conditionally rendering logic, use the `hasPermission` utility:
+
+```typescript
+import { hasPermission } from 'payload-rbac-plugin'
+
+const myCustomEndpoint = (req, res) => {
+  const user = req.user
+  
+  if (hasPermission(user, 'export:reports')) {
+    // allow operation
+  } else {
+    res.status(403).send('Forbidden')
+  }
+}
+```
+
+---
+
+## Bulk Permission Generator UI
+
+When navigating to the **Permissions** collection in your Payload Admin panel:
+1. Select **Bulk CRUD Generator** in the `Type` select box (visible only during document creation).
+2. Enter the target collection slug (e.g. `posts`) in the `Collection Name` field.
+3. Check the CRUD operations you wish to generate (e.g., `create`, `read`).
+4. Save the document.
+5. The plugin runs a `beforeChange` hook that creates individual flat records (`posts:create`, `posts:read`) in the database, and avoids saving any temporary helper fields to the database.
+
+---
+
+## Development & Testing
+
+If you are developing this plugin locally, you can run the test suite:
+
+```bash
+# Run unit and integration tests
+pnpm test:int
+
+# Run tests in watch mode
+pnpm test:int --watch
+```
+
+---
+
+## License
+
+MIT

package/dist/collections/Permissions.d.ts

@@ -0,0 +1,3 @@
+import type { CollectionConfig } from 'payload';
+import type { PluginOptions } from '../types';
+export declare const createPermissionsCollection: (options: PluginOptions) => CollectionConfig;

package/dist/collections/Permissions.js

@@ -0,0 +1,121 @@
+import { createBeforePermissionChangeHook } from '../hooks/beforePermissionChange';
+export const createPermissionsCollection = (options)=>{
+    const slug = options.permissionsCollectionSlug || 'permissions';
+    const customFields = options.permissionsFields || [];
+    return {
+        slug,
+        access: {
+            read: ()=>true
+        },
+        admin: {
+            group: 'Access Control',
+            hidden: options.hidePermissions ?? false,
+            useAsTitle: 'name'
+        },
+        fields: [
+            {
+                name: 'type',
+                type: 'select',
+                admin: {
+                    condition: (data)=>!data?.id && !data?._id && !data?.createdAt,
+                    description: 'Choose whether to create a single custom permission or generate multiple CRUD permissions at once.',
+                    disableListColumn: true,
+                    disableListFilter: true
+                },
+                defaultValue: 'single',
+                options: [
+                    {
+                        label: 'Single Permission',
+                        value: 'single'
+                    },
+                    {
+                        label: 'Bulk CRUD Generator',
+                        value: 'bulk'
+                    }
+                ]
+            },
+            {
+                name: 'name',
+                type: 'text',
+                admin: {
+                    condition: (data)=>data?.type === 'single',
+                    description: 'The unique name of the permission (e.g., "access:admin", "posts:create").'
+                },
+                unique: true,
+                validate: (value, { data })=>{
+                    if (data?.type === 'single' && !value) {
+                        return 'Name is required for single permissions.';
+                    }
+                    return true;
+                }
+            },
+            {
+                name: 'collectionName',
+                type: 'text',
+                admin: {
+                    condition: (data)=>data?.type === 'bulk',
+                    description: 'Enter a collection slug (e.g., "posts") to auto-generate permissions.',
+                    disableListColumn: true,
+                    disableListFilter: true
+                }
+            },
+            {
+                type: 'row',
+                fields: [
+                    {
+                        name: 'create',
+                        type: 'checkbox',
+                        admin: {
+                            condition: (data)=>data?.type === 'bulk',
+                            disableListColumn: true,
+                            disableListFilter: true,
+                            width: '25%'
+                        },
+                        defaultValue: false
+                    },
+                    {
+                        name: 'read',
+                        type: 'checkbox',
+                        admin: {
+                            condition: (data)=>data?.type === 'bulk',
+                            disableListColumn: true,
+                            disableListFilter: true,
+                            width: '25%'
+                        },
+                        defaultValue: false
+                    },
+                    {
+                        name: 'update',
+                        type: 'checkbox',
+                        admin: {
+                            condition: (data)=>data?.type === 'bulk',
+                            disableListColumn: true,
+                            disableListFilter: true,
+                            width: '25%'
+                        },
+                        defaultValue: false
+                    },
+                    {
+                        name: 'delete',
+                        type: 'checkbox',
+                        admin: {
+                            condition: (data)=>data?.type === 'bulk',
+                            disableListColumn: true,
+                            disableListFilter: true,
+                            width: '25%'
+                        },
+                        defaultValue: false
+                    }
+                ]
+            },
+            ...customFields
+        ],
+        hooks: {
+            beforeChange: [
+                createBeforePermissionChangeHook(slug)
+            ]
+        }
+    };
+};
+
+//# sourceMappingURL=Permissions.js.map

package/dist/collections/Permissions.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/collections/Permissions.ts"],"sourcesContent":["import type { CollectionConfig } from 'payload'\n\nimport type { PluginOptions } from '../types'\n\nimport { createBeforePermissionChangeHook } from '../hooks/beforePermissionChange'\n\nexport const createPermissionsCollection = (options: PluginOptions): CollectionConfig => {\n  const slug = options.permissionsCollectionSlug || 'permissions'\n  const customFields = options.permissionsFields || []\n\n  return {\n    slug,\n    access: {\n      read: () => true,\n    },\n    admin: {\n      group: 'Access Control',\n      hidden: options.hidePermissions ?? false,\n      useAsTitle: 'name',\n    },\n    fields: [\n      {\n        name: 'type',\n        type: 'select',\n        admin: {\n          condition: (data) => !data?.id && !data?._id && !data?.createdAt,\n          description:\n            'Choose whether to create a single custom permission or generate multiple CRUD permissions at once.',\n          disableListColumn: true,\n          disableListFilter: true,\n        },\n        defaultValue: 'single',\n        options: [\n          { label: 'Single Permission', value: 'single' },\n          { label: 'Bulk CRUD Generator', value: 'bulk' },\n        ],\n      },\n      {\n        name: 'name',\n        type: 'text',\n        admin: {\n          condition: (data) => data?.type === 'single',\n          description: 'The unique name of the permission (e.g., \"access:admin\", \"posts:create\").',\n        },\n        unique: true,\n        validate: (value: null | string | undefined, { data }: { data?: any }) => {\n          if (data?.type === 'single' && !value) {\n            return 'Name is required for single permissions.'\n          }\n          return true\n        },\n      },\n      {\n        name: 'collectionName',\n        type: 'text',\n        admin: {\n          condition: (data) => data?.type === 'bulk',\n          description: 'Enter a collection slug (e.g., \"posts\") to auto-generate permissions.',\n          disableListColumn: true,\n          disableListFilter: true,\n        },\n      },\n      {\n        type: 'row',\n        fields: [\n          {\n            name: 'create',\n            type: 'checkbox',\n            admin: {\n              condition: (data) => data?.type === 'bulk',\n              disableListColumn: true,\n              disableListFilter: true,\n              width: '25%',\n            },\n            defaultValue: false,\n          },\n          {\n            name: 'read',\n            type: 'checkbox',\n            admin: {\n              condition: (data) => data?.type === 'bulk',\n              disableListColumn: true,\n              disableListFilter: true,\n              width: '25%',\n            },\n            defaultValue: false,\n          },\n          {\n            name: 'update',\n            type: 'checkbox',\n            admin: {\n              condition: (data) => data?.type === 'bulk',\n              disableListColumn: true,\n              disableListFilter: true,\n              width: '25%',\n            },\n            defaultValue: false,\n          },\n          {\n            name: 'delete',\n            type: 'checkbox',\n            admin: {\n              condition: (data) => data?.type === 'bulk',\n              disableListColumn: true,\n              disableListFilter: true,\n              width: '25%',\n            },\n            defaultValue: false,\n          },\n        ],\n      },\n      ...customFields,\n    ],\n    hooks: {\n      beforeChange: [createBeforePermissionChangeHook(slug)],\n    },\n  }\n}\n"],"names":["createBeforePermissionChangeHook","createPermissionsCollection","options","slug","permissionsCollectionSlug","customFields","permissionsFields","access","read","admin","group","hidden","hidePermissions","useAsTitle","fields","name","type","condition","data","id","_id","createdAt","description","disableListColumn","disableListFilter","defaultValue","label","value","unique","validate","width","hooks","beforeChange"],"mappings":"AAIA,SAASA,gCAAgC,QAAQ,kCAAiC;AAElF,OAAO,MAAMC,8BAA8B,CAACC;IAC1C,MAAMC,OAAOD,QAAQE,yBAAyB,IAAI;IAClD,MAAMC,eAAeH,QAAQI,iBAAiB,IAAI,EAAE;IAEpD,OAAO;QACLH;QACAI,QAAQ;YACNC,MAAM,IAAM;QACd;QACAC,OAAO;YACLC,OAAO;YACPC,QAAQT,QAAQU,eAAe,IAAI;YACnCC,YAAY;QACd;QACAC,QAAQ;YACN;gBACEC,MAAM;gBACNC,MAAM;gBACNP,OAAO;oBACLQ,WAAW,CAACC,OAAS,CAACA,MAAMC,MAAM,CAACD,MAAME,OAAO,CAACF,MAAMG;oBACvDC,aACE;oBACFC,mBAAmB;oBACnBC,mBAAmB;gBACrB;gBACAC,cAAc;gBACdvB,SAAS;oBACP;wBAAEwB,OAAO;wBAAqBC,OAAO;oBAAS;oBAC9C;wBAAED,OAAO;wBAAuBC,OAAO;oBAAO;iBAC/C;YACH;YACA;gBACEZ,MAAM;gBACNC,MAAM;gBACNP,OAAO;oBACLQ,WAAW,CAACC,OAASA,MAAMF,SAAS;oBACpCM,aAAa;gBACf;gBACAM,QAAQ;gBACRC,UAAU,CAACF,OAAkC,EAAET,IAAI,EAAkB;oBACnE,IAAIA,MAAMF,SAAS,YAAY,CAACW,OAAO;wBACrC,OAAO;oBACT;oBACA,OAAO;gBACT;YACF;YACA;gBACEZ,MAAM;gBACNC,MAAM;gBACNP,OAAO;oBACLQ,WAAW,CAACC,OAASA,MAAMF,SAAS;oBACpCM,aAAa;oBACbC,mBAAmB;oBACnBC,mBAAmB;gBACrB;YACF;YACA;gBACER,MAAM;gBACNF,QAAQ;oBACN;wBACEC,MAAM;wBACNC,MAAM;wBACNP,OAAO;4BACLQ,WAAW,CAACC,OAASA,MAAMF,SAAS;4BACpCO,mBAAmB;4BACnBC,mBAAmB;4BACnBM,OAAO;wBACT;wBACAL,cAAc;oBAChB;oBACA;wBACEV,MAAM;wBACNC,MAAM;wBACNP,OAAO;4BACLQ,WAAW,CAACC,OAASA,MAAMF,SAAS;4BACpCO,mBAAmB;4BACnBC,mBAAmB;4BACnBM,OAAO;wBACT;wBACAL,cAAc;oBAChB;oBACA;wBACEV,MAAM;wBACNC,MAAM;wBACNP,OAAO;4BACLQ,WAAW,CAACC,OAASA,MAAMF,SAAS;4BACpCO,mBAAmB;4BACnBC,mBAAmB;4BACnBM,OAAO;wBACT;wBACAL,cAAc;oBAChB;oBACA;wBACEV,MAAM;wBACNC,MAAM;wBACNP,OAAO;4BACLQ,WAAW,CAACC,OAASA,MAAMF,SAAS;4BACpCO,mBAAmB;4BACnBC,mBAAmB;4BACnBM,OAAO;wBACT;wBACAL,cAAc;oBAChB;iBACD;YACH;eACGpB;SACJ;QACD0B,OAAO;YACLC,cAAc;gBAAChC,iCAAiCG;aAAM;QACxD;IACF;AACF,EAAC"}

package/dist/collections/Roles.d.ts

@@ -0,0 +1,3 @@
+import type { CollectionConfig } from 'payload';
+import type { PluginOptions } from '../types';
+export declare const createRolesCollection: (options: PluginOptions) => CollectionConfig;

package/dist/collections/Roles.js

@@ -0,0 +1,39 @@
+export const createRolesCollection = (options)=>{
+    const slug = options.rolesCollectionSlug || 'roles';
+    const permissionsSlug = options.permissionsCollectionSlug || 'permissions';
+    const customFields = options.rolesFields || [];
+    return {
+        slug,
+        admin: {
+            useAsTitle: 'name',
+            group: 'Access Control',
+            hidden: options.hideRoles ?? false
+        },
+        access: {
+            read: ()=>true
+        },
+        fields: [
+            {
+                name: 'name',
+                type: 'text',
+                required: true,
+                unique: true,
+                admin: {
+                    description: 'The unique name of the role (e.g., "admin", "editor").'
+                }
+            },
+            {
+                name: 'permissions',
+                type: 'relationship',
+                relationTo: permissionsSlug,
+                hasMany: true,
+                admin: {
+                    description: 'The permissions assigned to this role.'
+                }
+            },
+            ...customFields
+        ]
+    };
+};
+
+//# sourceMappingURL=Roles.js.map

package/dist/collections/Roles.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/collections/Roles.ts"],"sourcesContent":["import type { CollectionConfig } from 'payload';\nimport type { PluginOptions } from '../types';\n\nexport const createRolesCollection = (options: PluginOptions): CollectionConfig => {\n  const slug = options.rolesCollectionSlug || 'roles'\n  const permissionsSlug = options.permissionsCollectionSlug || 'permissions'\n  const customFields = options.rolesFields || []\n\n  return {\n    slug,\n    admin: {\n      useAsTitle: 'name',\n      group: 'Access Control',\n      hidden: options.hideRoles ?? false,\n    },\n    access: {\n      read: () => true,\n    },\n    fields: [\n      {\n        name: 'name',\n        type: 'text',\n        required: true,\n        unique: true,\n        admin: {\n          description: 'The unique name of the role (e.g., \"admin\", \"editor\").',\n        },\n      },\n      {\n        name: 'permissions',\n        type: 'relationship',\n        relationTo: permissionsSlug,\n        hasMany: true,\n        admin: {\n          description: 'The permissions assigned to this role.',\n        },\n      },\n      ...customFields,\n    ],\n  }\n}\n"],"names":["createRolesCollection","options","slug","rolesCollectionSlug","permissionsSlug","permissionsCollectionSlug","customFields","rolesFields","admin","useAsTitle","group","hidden","hideRoles","access","read","fields","name","type","required","unique","description","relationTo","hasMany"],"mappings":"AAGA,OAAO,MAAMA,wBAAwB,CAACC;IACpC,MAAMC,OAAOD,QAAQE,mBAAmB,IAAI;IAC5C,MAAMC,kBAAkBH,QAAQI,yBAAyB,IAAI;IAC7D,MAAMC,eAAeL,QAAQM,WAAW,IAAI,EAAE;IAE9C,OAAO;QACLL;QACAM,OAAO;YACLC,YAAY;YACZC,OAAO;YACPC,QAAQV,QAAQW,SAAS,IAAI;QAC/B;QACAC,QAAQ;YACNC,MAAM,IAAM;QACd;QACAC,QAAQ;YACN;gBACEC,MAAM;gBACNC,MAAM;gBACNC,UAAU;gBACVC,QAAQ;gBACRX,OAAO;oBACLY,aAAa;gBACf;YACF;YACA;gBACEJ,MAAM;gBACNC,MAAM;gBACNI,YAAYjB;gBACZkB,SAAS;gBACTd,OAAO;oBACLY,aAAa;gBACf;YACF;eACGd;SACJ;IACH;AACF,EAAC"}

package/dist/components/BeforeDashboardClient.d.ts

@@ -0,0 +1 @@
+export declare const BeforeDashboardClient: () => import("react/jsx-runtime").JSX.Element;

package/dist/components/BeforeDashboardClient.js

@@ -0,0 +1,40 @@
+'use client';
+import { jsx as _jsx, jsxs as _jsxs } from "react/jsx-runtime";
+import { useConfig } from '@payloadcms/ui';
+import { formatAdminURL } from 'payload/shared';
+import { useEffect, useState } from 'react';
+export const BeforeDashboardClient = ()=>{
+    const { config } = useConfig();
+    const [message, setMessage] = useState('');
+    useEffect(()=>{
+        const fetchMessage = async ()=>{
+            const response = await fetch(formatAdminURL({
+                apiRoute: config.routes.api,
+                path: '/my-plugin-endpoint'
+            }));
+            const result = await response.json();
+            setMessage(result.message);
+        };
+        void fetchMessage();
+    }, [
+        config.serverURL,
+        config.routes.api
+    ]);
+    return /*#__PURE__*/ _jsxs("div", {
+        children: [
+            /*#__PURE__*/ _jsx("h1", {
+                children: "Added by the plugin: Before Dashboard Client"
+            }),
+            /*#__PURE__*/ _jsxs("div", {
+                children: [
+                    "Message from the endpoint:",
+                    /*#__PURE__*/ _jsx("div", {
+                        children: message || 'Loading...'
+                    })
+                ]
+            })
+        ]
+    });
+};
+
+//# sourceMappingURL=BeforeDashboardClient.js.map

package/dist/components/BeforeDashboardClient.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/components/BeforeDashboardClient.tsx"],"sourcesContent":["'use client'\nimport { useConfig } from '@payloadcms/ui'\nimport { formatAdminURL } from 'payload/shared'\nimport { useEffect, useState } from 'react'\n\nexport const BeforeDashboardClient = () => {\n  const { config } = useConfig()\n\n  const [message, setMessage] = useState('')\n\n  useEffect(() => {\n    const fetchMessage = async () => {\n      const response = await fetch(\n        formatAdminURL({\n          apiRoute: config.routes.api,\n          path: '/my-plugin-endpoint',\n        }),\n      )\n      const result = await response.json()\n      setMessage(result.message)\n    }\n\n    void fetchMessage()\n  }, [config.serverURL, config.routes.api])\n\n  return (\n    <div>\n      <h1>Added by the plugin: Before Dashboard Client</h1>\n      <div>\n        Message from the endpoint:\n        <div>{message || 'Loading...'}</div>\n      </div>\n    </div>\n  )\n}\n"],"names":["useConfig","formatAdminURL","useEffect","useState","BeforeDashboardClient","config","message","setMessage","fetchMessage","response","fetch","apiRoute","routes","api","path","result","json","serverURL","div","h1"],"mappings":"AAAA;;AACA,SAASA,SAAS,QAAQ,iBAAgB;AAC1C,SAASC,cAAc,QAAQ,iBAAgB;AAC/C,SAASC,SAAS,EAAEC,QAAQ,QAAQ,QAAO;AAE3C,OAAO,MAAMC,wBAAwB;IACnC,MAAM,EAAEC,MAAM,EAAE,GAAGL;IAEnB,MAAM,CAACM,SAASC,WAAW,GAAGJ,SAAS;IAEvCD,UAAU;QACR,MAAMM,eAAe;YACnB,MAAMC,WAAW,MAAMC,MACrBT,eAAe;gBACbU,UAAUN,OAAOO,MAAM,CAACC,GAAG;gBAC3BC,MAAM;YACR;YAEF,MAAMC,SAAS,MAAMN,SAASO,IAAI;YAClCT,WAAWQ,OAAOT,OAAO;QAC3B;QAEA,KAAKE;IACP,GAAG;QAACH,OAAOY,SAAS;QAAEZ,OAAOO,MAAM,CAACC,GAAG;KAAC;IAExC,qBACE,MAACK;;0BACC,KAACC;0BAAG;;0BACJ,MAACD;;oBAAI;kCAEH,KAACA;kCAAKZ,WAAW;;;;;;AAIzB,EAAC"}

package/dist/components/BeforeDashboardServer.d.ts

@@ -0,0 +1,2 @@
+import type { ServerComponentProps } from 'payload';
+export declare const BeforeDashboardServer: (props: ServerComponentProps) => Promise<import("react/jsx-runtime").JSX.Element>;

package/dist/components/BeforeDashboardServer.js

@@ -0,0 +1,22 @@
+import { jsx as _jsx, jsxs as _jsxs } from "react/jsx-runtime";
+import styles from './BeforeDashboardServer.module.css';
+export const BeforeDashboardServer = async (props)=>{
+    const { payload } = props;
+    const { docs } = await payload.find({
+        collection: 'plugin-collection'
+    });
+    return /*#__PURE__*/ _jsxs("div", {
+        className: styles.wrapper,
+        children: [
+            /*#__PURE__*/ _jsx("h1", {
+                children: "Added by the plugin: Before Dashboard Server"
+            }),
+            "Docs from Local API:",
+            docs.map((doc)=>/*#__PURE__*/ _jsx("div", {
+                    children: doc.id
+                }, doc.id))
+        ]
+    });
+};
+
+//# sourceMappingURL=BeforeDashboardServer.js.map

package/dist/components/BeforeDashboardServer.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/components/BeforeDashboardServer.tsx"],"sourcesContent":["import type { ServerComponentProps } from 'payload'\n\nimport styles from './BeforeDashboardServer.module.css'\n\nexport const BeforeDashboardServer = async (props: ServerComponentProps) => {\n  const { payload } = props\n\n  const { docs } = await payload.find({ collection: 'plugin-collection' })\n\n  return (\n    <div className={styles.wrapper}>\n      <h1>Added by the plugin: Before Dashboard Server</h1>\n      Docs from Local API:\n      {docs.map((doc) => (\n        <div key={doc.id}>{doc.id}</div>\n      ))}\n    </div>\n  )\n}\n"],"names":["styles","BeforeDashboardServer","props","payload","docs","find","collection","div","className","wrapper","h1","map","doc","id"],"mappings":";AAEA,OAAOA,YAAY,qCAAoC;AAEvD,OAAO,MAAMC,wBAAwB,OAAOC;IAC1C,MAAM,EAAEC,OAAO,EAAE,GAAGD;IAEpB,MAAM,EAAEE,IAAI,EAAE,GAAG,MAAMD,QAAQE,IAAI,CAAC;QAAEC,YAAY;IAAoB;IAEtE,qBACE,MAACC;QAAIC,WAAWR,OAAOS,OAAO;;0BAC5B,KAACC;0BAAG;;YAAiD;YAEpDN,KAAKO,GAAG,CAAC,CAACC,oBACT,KAACL;8BAAkBK,IAAIC,EAAE;mBAAfD,IAAIC,EAAE;;;AAIxB,EAAC"}

package/dist/components/BeforeDashboardServer.module.css

@@ -0,0 +1,5 @@
+.wrapper {
+  display: flex;
+  gap: 5px;
+  flex-direction: column;
+}

package/dist/endpoints/customEndpointHandler.d.ts

@@ -0,0 +1,2 @@
+import type { PayloadHandler } from 'payload';
+export declare const customEndpointHandler: PayloadHandler;

package/dist/endpoints/customEndpointHandler.js

@@ -0,0 +1,7 @@
+export const customEndpointHandler = ()=>{
+    return Response.json({
+        message: 'Hello from custom endpoint'
+    });
+};
+
+//# sourceMappingURL=customEndpointHandler.js.map

package/dist/endpoints/customEndpointHandler.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/endpoints/customEndpointHandler.ts"],"sourcesContent":["import type { PayloadHandler } from 'payload'\n\nexport const customEndpointHandler: PayloadHandler = () => {\n  return Response.json({ message: 'Hello from custom endpoint' })\n}\n"],"names":["customEndpointHandler","Response","json","message"],"mappings":"AAEA,OAAO,MAAMA,wBAAwC;IACnD,OAAOC,SAASC,IAAI,CAAC;QAAEC,SAAS;IAA6B;AAC/D,EAAC"}

package/dist/exports/client.d.ts

@@ -0,0 +1 @@
+export { BeforeDashboardClient } from '../components/BeforeDashboardClient';

package/dist/exports/client.js

@@ -0,0 +1,3 @@
+export { BeforeDashboardClient } from '../components/BeforeDashboardClient';
+
+//# sourceMappingURL=client.js.map

package/dist/exports/client.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/exports/client.ts"],"sourcesContent":["export { BeforeDashboardClient } from '../components/BeforeDashboardClient';\n\n"],"names":["BeforeDashboardClient"],"mappings":"AAAA,SAASA,qBAAqB,QAAQ,sCAAsC"}

package/dist/exports/rsc.d.ts

@@ -0,0 +1 @@
+export { BeforeDashboardServer } from '../components/BeforeDashboardServer';

package/dist/exports/rsc.js

@@ -0,0 +1,3 @@
+export { BeforeDashboardServer } from '../components/BeforeDashboardServer';
+
+//# sourceMappingURL=rsc.js.map

package/dist/exports/rsc.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/exports/rsc.ts"],"sourcesContent":["export { BeforeDashboardServer } from '../components/BeforeDashboardServer';\n\n"],"names":["BeforeDashboardServer"],"mappings":"AAAA,SAASA,qBAAqB,QAAQ,sCAAsC"}

package/dist/hooks/beforePermissionChange.d.ts

@@ -0,0 +1,2 @@
+import type { CollectionBeforeChangeHook } from 'payload';
+export declare const createBeforePermissionChangeHook: (slug: string) => CollectionBeforeChangeHook;

package/dist/hooks/beforePermissionChange.js

@@ -0,0 +1,58 @@
+export const createBeforePermissionChangeHook = (slug)=>{
+    return async ({ data, req })=>{
+        // Only run generator logic on create/update if type is bulk
+        if (data.type === 'bulk' && data.collectionName) {
+            const actions = [
+                'create',
+                'read',
+                'update',
+                'delete'
+            ].filter((action)=>data[action] === true);
+            if (actions.length === 0) {
+                throw new Error('You must select at least one CRUD operation when using the Bulk Generator.');
+            }
+            // e.g. ["posts:create", "posts:read"]
+            const generatedNames = actions.map((action)=>`${data.collectionName}:${action}`);
+            // Filter out names that already exist
+            const uniqueNames = [];
+            for (const name of generatedNames){
+                const existing = await req.payload.find({
+                    collection: slug,
+                    where: {
+                        name: {
+                            equals: name
+                        }
+                    }
+                });
+                if (existing.docs.length === 0) {
+                    uniqueNames.push(name);
+                }
+            }
+            if (uniqueNames.length === 0) {
+                throw new Error('All selected CRUD permissions already exist.');
+            }
+            // Mutate current document to save the first unique generated name
+            data.name = uniqueNames[0];
+            // Create the remaining unique permissions in the background
+            const remainingNames = uniqueNames.slice(1);
+            for (const name of remainingNames){
+                await req.payload.create({
+                    collection: slug,
+                    data: {
+                        name
+                    }
+                });
+            }
+        }
+        // Ensure UI-only fields are never saved to the database
+        delete data.type;
+        delete data.collectionName;
+        delete data.create;
+        delete data.read;
+        delete data.update;
+        delete data.delete;
+        return data;
+    };
+};
+
+//# sourceMappingURL=beforePermissionChange.js.map

package/dist/hooks/beforePermissionChange.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/hooks/beforePermissionChange.ts"],"sourcesContent":["import type { CollectionBeforeChangeHook } from 'payload'\n\nexport const createBeforePermissionChangeHook = (slug: string): CollectionBeforeChangeHook => {\n  return async ({ data, req }) => {\n    // Only run generator logic on create/update if type is bulk\n    if (data.type === 'bulk' && data.collectionName) {\n      const actions = ['create', 'read', 'update', 'delete'].filter(\n        (action) => data[action] === true,\n      )\n\n      if (actions.length === 0) {\n        throw new Error('You must select at least one CRUD operation when using the Bulk Generator.')\n      }\n\n      // e.g. [\"posts:create\", \"posts:read\"]\n      const generatedNames = actions.map((action) => `${data.collectionName}:${action}`)\n\n      // Filter out names that already exist\n      const uniqueNames: string[] = []\n      for (const name of generatedNames) {\n        const existing = await req.payload.find({\n          collection: slug,\n          where: {\n            name: { equals: name },\n          },\n        })\n        if (existing.docs.length === 0) {\n          uniqueNames.push(name)\n        }\n      }\n\n      if (uniqueNames.length === 0) {\n        throw new Error('All selected CRUD permissions already exist.')\n      }\n\n      // Mutate current document to save the first unique generated name\n      data.name = uniqueNames[0]\n\n      // Create the remaining unique permissions in the background\n      const remainingNames = uniqueNames.slice(1)\n      for (const name of remainingNames) {\n        await req.payload.create({\n          collection: slug,\n          data: {\n            name,\n          },\n        })\n      }\n    }\n\n    // Ensure UI-only fields are never saved to the database\n    delete data.type\n    delete data.collectionName\n    delete data.create\n    delete data.read\n    delete data.update\n    delete data.delete\n\n    return data\n  }\n}\n"],"names":["createBeforePermissionChangeHook","slug","data","req","type","collectionName","actions","filter","action","length","Error","generatedNames","map","uniqueNames","name","existing","payload","find","collection","where","equals","docs","push","remainingNames","slice","create","read","update","delete"],"mappings":"AAEA,OAAO,MAAMA,mCAAmC,CAACC;IAC/C,OAAO,OAAO,EAAEC,IAAI,EAAEC,GAAG,EAAE;QACzB,4DAA4D;QAC5D,IAAID,KAAKE,IAAI,KAAK,UAAUF,KAAKG,cAAc,EAAE;YAC/C,MAAMC,UAAU;gBAAC;gBAAU;gBAAQ;gBAAU;aAAS,CAACC,MAAM,CAC3D,CAACC,SAAWN,IAAI,CAACM,OAAO,KAAK;YAG/B,IAAIF,QAAQG,MAAM,KAAK,GAAG;gBACxB,MAAM,IAAIC,MAAM;YAClB;YAEA,sCAAsC;YACtC,MAAMC,iBAAiBL,QAAQM,GAAG,CAAC,CAACJ,SAAW,GAAGN,KAAKG,cAAc,CAAC,CAAC,EAAEG,QAAQ;YAEjF,sCAAsC;YACtC,MAAMK,cAAwB,EAAE;YAChC,KAAK,MAAMC,QAAQH,eAAgB;gBACjC,MAAMI,WAAW,MAAMZ,IAAIa,OAAO,CAACC,IAAI,CAAC;oBACtCC,YAAYjB;oBACZkB,OAAO;wBACLL,MAAM;4BAAEM,QAAQN;wBAAK;oBACvB;gBACF;gBACA,IAAIC,SAASM,IAAI,CAACZ,MAAM,KAAK,GAAG;oBAC9BI,YAAYS,IAAI,CAACR;gBACnB;YACF;YAEA,IAAID,YAAYJ,MAAM,KAAK,GAAG;gBAC5B,MAAM,IAAIC,MAAM;YAClB;YAEA,kEAAkE;YAClER,KAAKY,IAAI,GAAGD,WAAW,CAAC,EAAE;YAE1B,4DAA4D;YAC5D,MAAMU,iBAAiBV,YAAYW,KAAK,CAAC;YACzC,KAAK,MAAMV,QAAQS,eAAgB;gBACjC,MAAMpB,IAAIa,OAAO,CAACS,MAAM,CAAC;oBACvBP,YAAYjB;oBACZC,MAAM;wBACJY;oBACF;gBACF;YACF;QACF;QAEA,wDAAwD;QACxD,OAAOZ,KAAKE,IAAI;QAChB,OAAOF,KAAKG,cAAc;QAC1B,OAAOH,KAAKuB,MAAM;QAClB,OAAOvB,KAAKwB,IAAI;QAChB,OAAOxB,KAAKyB,MAAM;QAClB,OAAOzB,KAAK0B,MAAM;QAElB,OAAO1B;IACT;AACF,EAAC"}

package/dist/index.d.ts

@@ -0,0 +1,5 @@
+import type { Config } from 'payload';
+import type { PluginOptions } from './types';
+export declare const rbac: (pluginOptions?: PluginOptions) => (config: Config) => Config;
+export * from './types';
+export * from './utilities/index';

package/dist/index.js

@@ -0,0 +1,38 @@
+import { createPermissionsCollection } from './collections/Permissions';
+import { createRolesCollection } from './collections/Roles';
+export const rbac = (pluginOptions)=>(config)=>{
+        const options = pluginOptions || {};
+        if (options.enabled === false) {
+            return config;
+        }
+        if (!config.collections) {
+            config.collections = [];
+        }
+        // Add Roles and Permissions collections
+        config.collections.push(createPermissionsCollection(options));
+        config.collections.push(createRolesCollection(options));
+        // Extend the target auth collection
+        const authSlug = options.authCollectionSlug || 'users';
+        const rolesSlug = options.rolesCollectionSlug || 'roles';
+        const authCollection = config.collections.find((collection)=>collection.slug === authSlug);
+        if (authCollection) {
+            authCollection.fields.push({
+                name: 'roles',
+                type: 'relationship',
+                relationTo: rolesSlug,
+                hasMany: true,
+                saveToJWT: true,
+                admin: {
+                    description: 'Roles assigned to this user.'
+                }
+            });
+        } else {
+            console.warn(`[rbac-plugin] Auth collection '${authSlug}' not found. Cannot inject roles field.`);
+        }
+        return config;
+    };
+// Export utilities and types for consumers
+export * from './types';
+export * from './utilities/index';
+
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/index.ts"],"sourcesContent":["import type { Config } from 'payload';\nimport type { PluginOptions } from './types';\n\nimport { createPermissionsCollection } from './collections/Permissions';\nimport { createRolesCollection } from './collections/Roles';\n\nexport const rbac =\n  (pluginOptions?: PluginOptions) =>\n  (config: Config): Config => {\n    const options = pluginOptions || {}\n    \n    if (options.enabled === false) {\n      return config\n    }\n\n    if (!config.collections) {\n      config.collections = []\n    }\n\n    // Add Roles and Permissions collections\n    config.collections.push(createPermissionsCollection(options))\n    config.collections.push(createRolesCollection(options))\n\n    // Extend the target auth collection\n    const authSlug = options.authCollectionSlug || 'users'\n    const rolesSlug = options.rolesCollectionSlug || 'roles'\n\n    const authCollection = config.collections.find(\n      (collection) => collection.slug === authSlug,\n    )\n\n    if (authCollection) {\n      authCollection.fields.push({\n        name: 'roles',\n        type: 'relationship',\n        relationTo: rolesSlug,\n        hasMany: true,\n        saveToJWT: true,\n        admin: {\n          description: 'Roles assigned to this user.',\n        },\n      })\n    } else {\n      console.warn(`[rbac-plugin] Auth collection '${authSlug}' not found. Cannot inject roles field.`)\n    }\n\n    return config\n  }\n\n// Export utilities and types for consumers\nexport * from './types';\nexport * from './utilities/index';\n\n"],"names":["createPermissionsCollection","createRolesCollection","rbac","pluginOptions","config","options","enabled","collections","push","authSlug","authCollectionSlug","rolesSlug","rolesCollectionSlug","authCollection","find","collection","slug","fields","name","type","relationTo","hasMany","saveToJWT","admin","description","console","warn"],"mappings":"AAGA,SAASA,2BAA2B,QAAQ,4BAA4B;AACxE,SAASC,qBAAqB,QAAQ,sBAAsB;AAE5D,OAAO,MAAMC,OACX,CAACC,gBACD,CAACC;QACC,MAAMC,UAAUF,iBAAiB,CAAC;QAElC,IAAIE,QAAQC,OAAO,KAAK,OAAO;YAC7B,OAAOF;QACT;QAEA,IAAI,CAACA,OAAOG,WAAW,EAAE;YACvBH,OAAOG,WAAW,GAAG,EAAE;QACzB;QAEA,wCAAwC;QACxCH,OAAOG,WAAW,CAACC,IAAI,CAACR,4BAA4BK;QACpDD,OAAOG,WAAW,CAACC,IAAI,CAACP,sBAAsBI;QAE9C,oCAAoC;QACpC,MAAMI,WAAWJ,QAAQK,kBAAkB,IAAI;QAC/C,MAAMC,YAAYN,QAAQO,mBAAmB,IAAI;QAEjD,MAAMC,iBAAiBT,OAAOG,WAAW,CAACO,IAAI,CAC5C,CAACC,aAAeA,WAAWC,IAAI,KAAKP;QAGtC,IAAII,gBAAgB;YAClBA,eAAeI,MAAM,CAACT,IAAI,CAAC;gBACzBU,MAAM;gBACNC,MAAM;gBACNC,YAAYT;gBACZU,SAAS;gBACTC,WAAW;gBACXC,OAAO;oBACLC,aAAa;gBACf;YACF;QACF,OAAO;YACLC,QAAQC,IAAI,CAAC,CAAC,+BAA+B,EAAEjB,SAAS,uCAAuC,CAAC;QAClG;QAEA,OAAOL;IACT,EAAC;AAEH,2CAA2C;AAC3C,cAAc,UAAU;AACxB,cAAc,oBAAoB"}

package/dist/types.d.ts

@@ -0,0 +1,47 @@
+import type { Field } from 'payload';
+export interface PluginOptions {
+    /**
+     * Enable or disable plugin
+     * @default false
+     */
+    enabled?: boolean;
+    /**
+     * Override the default collection slug for Roles
+     * @default 'roles'
+     */
+    rolesCollectionSlug?: string;
+    /**
+     * Override the default collection slug for Permissions
+     * @default 'permissions'
+     */
+    permissionsCollectionSlug?: string;
+    /**
+     * The collection slug for the authentication collection (typically 'users')
+     * @default 'users'
+     */
+    authCollectionSlug?: string;
+    /**
+     * Inject additional custom fields into the generated Roles collection
+     */
+    rolesFields?: Field[];
+    /**
+     * Inject additional custom fields into the generated Permissions collection
+     */
+    permissionsFields?: Field[];
+    /**
+     * Hide the Roles collection from the Admin panel sidebar/dashboard
+     * Can be a boolean or a function based on the logged-in user
+     * @default false
+     */
+    hideRoles?: boolean | ((args: {
+        user: any;
+    }) => boolean);
+    /**
+     * Hide the Permissions collection from the Admin panel sidebar/dashboard
+     * Can be a boolean or a function based on the logged-in user
+     * @default false
+     */
+    hidePermissions?: boolean | ((args: {
+        user: any;
+    }) => boolean);
+}

package/dist/types.js

@@ -0,0 +1,3 @@
+export { };
+
+//# sourceMappingURL=types.js.map

package/dist/types.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/types.ts"],"sourcesContent":["import type { Field } from 'payload'\n\nexport interface PluginOptions {\n  /**\n   * Enable or disable plugin\n   * @default false\n   */\n  enabled?: boolean\n\n  /**\n   * Override the default collection slug for Roles\n   * @default 'roles'\n   */\n  rolesCollectionSlug?: string\n\n  /**\n   * Override the default collection slug for Permissions\n   * @default 'permissions'\n   */\n  permissionsCollectionSlug?: string\n\n  /**\n   * The collection slug for the authentication collection (typically 'users')\n   * @default 'users'\n   */\n  authCollectionSlug?: string\n\n  /**\n   * Inject additional custom fields into the generated Roles collection\n   */\n  rolesFields?: Field[]\n\n  /**\n   * Inject additional custom fields into the generated Permissions collection\n   */\n  permissionsFields?: Field[]\n\n  /**\n   * Hide the Roles collection from the Admin panel sidebar/dashboard\n   * Can be a boolean or a function based on the logged-in user\n   * @default false\n   */\n  hideRoles?: boolean | ((args: { user: any }) => boolean)\n\n  /**\n   * Hide the Permissions collection from the Admin panel sidebar/dashboard\n   * Can be a boolean or a function based on the logged-in user\n   * @default false\n   */\n  hidePermissions?: boolean | ((args: { user: any }) => boolean)\n}\n"],"names":[],"mappings":"AAEA,WAgDC"}

package/dist/utilities/checkPermission.d.ts

@@ -0,0 +1,8 @@
+import type { Access } from 'payload';
+/**
+ * A Higher-Order Function to drop into Payload Collection access control fields.
+ *
+ * @param permissionName - The required permission name
+ * @returns Access function
+ */
+export declare const checkPermission: (permissionName: string) => Access;

package/dist/utilities/checkPermission.js

@@ -0,0 +1,16 @@
+import { hasPermission } from './hasPermission';
+/**
+ * A Higher-Order Function to drop into Payload Collection access control fields.
+ * 
+ * @param permissionName - The required permission name
+ * @returns Access function
+ */ export const checkPermission = (permissionName)=>{
+    return ({ req: { user } })=>{
+        // We can just rely on the synchronous hasPermission check.
+        // If relations are unpopulated, it will return false. Ensure your auth
+        // collection is configured with adequate depth for saveToJWT or default depth.
+        return hasPermission(user, permissionName);
+    };
+};
+
+//# sourceMappingURL=checkPermission.js.map

package/dist/utilities/checkPermission.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/utilities/checkPermission.ts"],"sourcesContent":["import type { Access } from 'payload';\nimport { hasPermission } from './hasPermission';\n\n/**\n * A Higher-Order Function to drop into Payload Collection access control fields.\n * \n * @param permissionName - The required permission name\n * @returns Access function\n */\nexport const checkPermission = (permissionName: string): Access => {\n  return ({ req: { user } }) => {\n    // We can just rely on the synchronous hasPermission check.\n    // If relations are unpopulated, it will return false. Ensure your auth\n    // collection is configured with adequate depth for saveToJWT or default depth.\n    return hasPermission(user, permissionName)\n  }\n}\n"],"names":["hasPermission","checkPermission","permissionName","req","user"],"mappings":"AACA,SAASA,aAAa,QAAQ,kBAAkB;AAEhD;;;;;CAKC,GACD,OAAO,MAAMC,kBAAkB,CAACC;IAC9B,OAAO,CAAC,EAAEC,KAAK,EAAEC,IAAI,EAAE,EAAE;QACvB,2DAA2D;QAC3D,uEAAuE;QACvE,+EAA+E;QAC/E,OAAOJ,cAAcI,MAAMF;IAC7B;AACF,EAAC"}

package/dist/utilities/hasPermission.d.ts

@@ -0,0 +1,10 @@
+import type { PayloadRequest } from 'payload';
+/**
+ * Checks if a user has a specific permission.
+ * Gracefully handles populated and unpopulated relationship states as far as possible synchronously.
+ *
+ * @param user - The Payload user object from req.user
+ * @param requiredPermission - The name of the permission to check for
+ * @returns boolean
+ */
+export declare const hasPermission: (user: PayloadRequest["user"] | null | undefined, requiredPermission: string) => boolean;

package/dist/utilities/hasPermission.js

@@ -0,0 +1,32 @@
+/**
+ * Checks if a user has a specific permission.
+ * Gracefully handles populated and unpopulated relationship states as far as possible synchronously.
+ * 
+ * @param user - The Payload user object from req.user
+ * @param requiredPermission - The name of the permission to check for
+ * @returns boolean
+ */ export const hasPermission = (user, requiredPermission)=>{
+    if (!user || !user.roles || !Array.isArray(user.roles)) {
+        return false;
+    }
+    for (const role of user.roles){
+        // If role is just an ID (unpopulated), we can't check its permissions synchronously
+        if (typeof role !== 'object' || role === null) {
+            continue;
+        }
+        const permissions = role.permissions;
+        if (!permissions || !Array.isArray(permissions)) {
+            continue;
+        }
+        for (const permission of permissions){
+            if (typeof permission === 'object' && permission !== null) {
+                if ('name' in permission && permission.name === requiredPermission) {
+                    return true;
+                }
+            }
+        }
+    }
+    return false;
+};
+
+//# sourceMappingURL=hasPermission.js.map

package/dist/utilities/hasPermission.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/utilities/hasPermission.ts"],"sourcesContent":["import type { PayloadRequest } from 'payload'\n\n/**\n * Checks if a user has a specific permission.\n * Gracefully handles populated and unpopulated relationship states as far as possible synchronously.\n * \n * @param user - The Payload user object from req.user\n * @param requiredPermission - The name of the permission to check for\n * @returns boolean\n */\nexport const hasPermission = (\n  user: PayloadRequest['user'] | null | undefined,\n  requiredPermission: string,\n): boolean => {\n  if (!user || !user.roles || !Array.isArray(user.roles)) {\n    return false\n  }\n\n  for (const role of user.roles) {\n    // If role is just an ID (unpopulated), we can't check its permissions synchronously\n    if (typeof role !== 'object' || role === null) {\n      continue\n    }\n\n    const permissions = role.permissions\n    if (!permissions || !Array.isArray(permissions)) {\n      continue\n    }\n\n    for (const permission of permissions) {\n      if (typeof permission === 'object' && permission !== null) {\n        if ('name' in permission && permission.name === requiredPermission) {\n          return true\n        }\n      } \n    }\n  }\n\n  return false\n}\n"],"names":["hasPermission","user","requiredPermission","roles","Array","isArray","role","permissions","permission","name"],"mappings":"AAEA;;;;;;;CAOC,GACD,OAAO,MAAMA,gBAAgB,CAC3BC,MACAC;IAEA,IAAI,CAACD,QAAQ,CAACA,KAAKE,KAAK,IAAI,CAACC,MAAMC,OAAO,CAACJ,KAAKE,KAAK,GAAG;QACtD,OAAO;IACT;IAEA,KAAK,MAAMG,QAAQL,KAAKE,KAAK,CAAE;QAC7B,oFAAoF;QACpF,IAAI,OAAOG,SAAS,YAAYA,SAAS,MAAM;YAC7C;QACF;QAEA,MAAMC,cAAcD,KAAKC,WAAW;QACpC,IAAI,CAACA,eAAe,CAACH,MAAMC,OAAO,CAACE,cAAc;YAC/C;QACF;QAEA,KAAK,MAAMC,cAAcD,YAAa;YACpC,IAAI,OAAOC,eAAe,YAAYA,eAAe,MAAM;gBACzD,IAAI,UAAUA,cAAcA,WAAWC,IAAI,KAAKP,oBAAoB;oBAClE,OAAO;gBACT;YACF;QACF;IACF;IAEA,OAAO;AACT,EAAC"}

package/dist/utilities/hasPermission.spec.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/utilities/hasPermission.spec.js

@@ -0,0 +1,122 @@
+import { describe, expect, it } from 'vitest';
+import { hasPermission } from './hasPermission';
+describe('hasPermission', ()=>{
+    it('should return false if user is null', ()=>{
+        expect(hasPermission(null, 'read:posts')).toBe(false);
+    });
+    it('should return false if user has no roles array', ()=>{
+        const user = {
+            id: '1'
+        };
+        expect(hasPermission(user, 'read:posts')).toBe(false);
+    });
+    it('should return false if user roles is unpopulated (array of strings)', ()=>{
+        const user = {
+            id: '1',
+            roles: [
+                'role-id-1'
+            ]
+        };
+        expect(hasPermission(user, 'read:posts')).toBe(false);
+    });
+    it('should return false if role has no permissions', ()=>{
+        const user = {
+            id: '1',
+            roles: [
+                {
+                    id: 'role-1',
+                    name: 'admin'
+                }
+            ]
+        };
+        expect(hasPermission(user, 'read:posts')).toBe(false);
+    });
+    it('should return false if role permissions are unpopulated (array of strings)', ()=>{
+        const user = {
+            id: '1',
+            roles: [
+                {
+                    id: 'role-1',
+                    name: 'admin',
+                    permissions: [
+                        'perm-id-1'
+                    ]
+                }
+            ]
+        };
+        expect(hasPermission(user, 'read:posts')).toBe(false);
+    });
+    it('should return true if permission is found in populated roles', ()=>{
+        const user = {
+            id: '1',
+            roles: [
+                {
+                    id: 'role-1',
+                    name: 'admin',
+                    permissions: [
+                        {
+                            id: 'perm-1',
+                            name: 'read:posts'
+                        },
+                        {
+                            id: 'perm-2',
+                            name: 'write:posts'
+                        }
+                    ]
+                }
+            ]
+        };
+        expect(hasPermission(user, 'write:posts')).toBe(true);
+    });
+    it('should return false if permission is not found in populated roles', ()=>{
+        const user = {
+            id: '1',
+            roles: [
+                {
+                    id: 'role-1',
+                    name: 'editor',
+                    permissions: [
+                        {
+                            id: 'perm-1',
+                            name: 'read:posts'
+                        }
+                    ]
+                }
+            ]
+        };
+        expect(hasPermission(user, 'delete:posts')).toBe(false);
+    });
+    it('should correctly search through multiple roles', ()=>{
+        const user = {
+            id: '1',
+            roles: [
+                {
+                    id: 'role-1',
+                    name: 'editor',
+                    permissions: [
+                        {
+                            id: 'perm-1',
+                            name: 'read:posts'
+                        }
+                    ]
+                },
+                {
+                    id: 'role-2',
+                    name: 'manager',
+                    permissions: [
+                        {
+                            id: 'perm-2',
+                            name: 'delete:posts'
+                        }
+                    ]
+                }
+            ]
+        };
+        expect(hasPermission(user, 'delete:posts')).toBe(true);
+        expect(hasPermission(user, 'delete:posts')).toBe(true);
+        expect(hasPermission(user, 'read:posts')).toBe(true);
+        expect(hasPermission(user, 'create:users')).toBe(false);
+    });
+});
+
+//# sourceMappingURL=hasPermission.spec.js.map

package/dist/utilities/hasPermission.spec.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/utilities/hasPermission.spec.ts"],"sourcesContent":["import type { PayloadRequest } from 'payload';\nimport { describe, expect, it } from 'vitest';\nimport { hasPermission } from './hasPermission';\n\ndescribe('hasPermission', () => {\n  it('should return false if user is null', () => {\n    expect(hasPermission(null, 'read:posts')).toBe(false)\n  })\n\n  it('should return false if user has no roles array', () => {\n    const user = { id: '1' } as PayloadRequest['user']\n    expect(hasPermission(user, 'read:posts')).toBe(false)\n  })\n\n  it('should return false if user roles is unpopulated (array of strings)', () => {\n    const user = {\n      id: '1',\n      roles: ['role-id-1'],\n    } as unknown as PayloadRequest['user']\n    expect(hasPermission(user, 'read:posts')).toBe(false)\n  })\n\n  it('should return false if role has no permissions', () => {\n    const user = {\n      id: '1',\n      roles: [{ id: 'role-1', name: 'admin' }],\n    } as unknown as PayloadRequest['user']\n    expect(hasPermission(user, 'read:posts')).toBe(false)\n  })\n\n  it('should return false if role permissions are unpopulated (array of strings)', () => {\n    const user = {\n      id: '1',\n      roles: [{ id: 'role-1', name: 'admin', permissions: ['perm-id-1'] }],\n    } as unknown as PayloadRequest['user']\n    expect(hasPermission(user, 'read:posts')).toBe(false)\n  })\n\n  it('should return true if permission is found in populated roles', () => {\n    const user = {\n      id: '1',\n      roles: [\n        {\n          id: 'role-1',\n          name: 'admin',\n          permissions: [\n            { id: 'perm-1', name: 'read:posts' },\n            { id: 'perm-2', name: 'write:posts' },\n          ],\n        },\n      ],\n    } as unknown as PayloadRequest['user']\n    expect(hasPermission(user, 'write:posts')).toBe(true)\n  })\n\n  it('should return false if permission is not found in populated roles', () => {\n    const user = {\n      id: '1',\n      roles: [\n        {\n          id: 'role-1',\n          name: 'editor',\n          permissions: [{ id: 'perm-1', name: 'read:posts' }],\n        },\n      ],\n    } as unknown as PayloadRequest['user']\n    expect(hasPermission(user, 'delete:posts')).toBe(false)\n  })\n\n  it('should correctly search through multiple roles', () => {\n    const user = {\n      id: '1',\n      roles: [\n        {\n          id: 'role-1',\n          name: 'editor',\n          permissions: [{ id: 'perm-1', name: 'read:posts' }],\n        },\n        {\n          id: 'role-2',\n          name: 'manager',\n          permissions: [{ id: 'perm-2', name: 'delete:posts' }],\n        },\n      ],\n    } as unknown as PayloadRequest['user']\n    expect(hasPermission(user, 'delete:posts')).toBe(true)\n    expect(hasPermission(user, 'delete:posts')).toBe(true)\n    expect(hasPermission(user, 'read:posts')).toBe(true)\n    expect(hasPermission(user, 'create:users')).toBe(false)\n  })\n})\n"],"names":["describe","expect","it","hasPermission","toBe","user","id","roles","name","permissions"],"mappings":"AACA,SAASA,QAAQ,EAAEC,MAAM,EAAEC,EAAE,QAAQ,SAAS;AAC9C,SAASC,aAAa,QAAQ,kBAAkB;AAEhDH,SAAS,iBAAiB;IACxBE,GAAG,uCAAuC;QACxCD,OAAOE,cAAc,MAAM,eAAeC,IAAI,CAAC;IACjD;IAEAF,GAAG,kDAAkD;QACnD,MAAMG,OAAO;YAAEC,IAAI;QAAI;QACvBL,OAAOE,cAAcE,MAAM,eAAeD,IAAI,CAAC;IACjD;IAEAF,GAAG,uEAAuE;QACxE,MAAMG,OAAO;YACXC,IAAI;YACJC,OAAO;gBAAC;aAAY;QACtB;QACAN,OAAOE,cAAcE,MAAM,eAAeD,IAAI,CAAC;IACjD;IAEAF,GAAG,kDAAkD;QACnD,MAAMG,OAAO;YACXC,IAAI;YACJC,OAAO;gBAAC;oBAAED,IAAI;oBAAUE,MAAM;gBAAQ;aAAE;QAC1C;QACAP,OAAOE,cAAcE,MAAM,eAAeD,IAAI,CAAC;IACjD;IAEAF,GAAG,8EAA8E;QAC/E,MAAMG,OAAO;YACXC,IAAI;YACJC,OAAO;gBAAC;oBAAED,IAAI;oBAAUE,MAAM;oBAASC,aAAa;wBAAC;qBAAY;gBAAC;aAAE;QACtE;QACAR,OAAOE,cAAcE,MAAM,eAAeD,IAAI,CAAC;IACjD;IAEAF,GAAG,gEAAgE;QACjE,MAAMG,OAAO;YACXC,IAAI;YACJC,OAAO;gBACL;oBACED,IAAI;oBACJE,MAAM;oBACNC,aAAa;wBACX;4BAAEH,IAAI;4BAAUE,MAAM;wBAAa;wBACnC;4BAAEF,IAAI;4BAAUE,MAAM;wBAAc;qBACrC;gBACH;aACD;QACH;QACAP,OAAOE,cAAcE,MAAM,gBAAgBD,IAAI,CAAC;IAClD;IAEAF,GAAG,qEAAqE;QACtE,MAAMG,OAAO;YACXC,IAAI;YACJC,OAAO;gBACL;oBACED,IAAI;oBACJE,MAAM;oBACNC,aAAa;wBAAC;4BAAEH,IAAI;4BAAUE,MAAM;wBAAa;qBAAE;gBACrD;aACD;QACH;QACAP,OAAOE,cAAcE,MAAM,iBAAiBD,IAAI,CAAC;IACnD;IAEAF,GAAG,kDAAkD;QACnD,MAAMG,OAAO;YACXC,IAAI;YACJC,OAAO;gBACL;oBACED,IAAI;oBACJE,MAAM;oBACNC,aAAa;wBAAC;4BAAEH,IAAI;4BAAUE,MAAM;wBAAa;qBAAE;gBACrD;gBACA;oBACEF,IAAI;oBACJE,MAAM;oBACNC,aAAa;wBAAC;4BAAEH,IAAI;4BAAUE,MAAM;wBAAe;qBAAE;gBACvD;aACD;QACH;QACAP,OAAOE,cAAcE,MAAM,iBAAiBD,IAAI,CAAC;QACjDH,OAAOE,cAAcE,MAAM,iBAAiBD,IAAI,CAAC;QACjDH,OAAOE,cAAcE,MAAM,eAAeD,IAAI,CAAC;QAC/CH,OAAOE,cAAcE,MAAM,iBAAiBD,IAAI,CAAC;IACnD;AACF"}

package/dist/utilities/index.d.ts

@@ -0,0 +1,2 @@
+export { checkPermission } from './checkPermission';
+export { hasPermission } from './hasPermission';

package/dist/utilities/index.js

@@ -0,0 +1,4 @@
+export { checkPermission } from './checkPermission';
+export { hasPermission } from './hasPermission';
+
+//# sourceMappingURL=index.js.map

package/dist/utilities/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/utilities/index.ts"],"sourcesContent":["export { checkPermission } from './checkPermission';\nexport { hasPermission } from './hasPermission';\n\n"],"names":["checkPermission","hasPermission"],"mappings":"AAAA,SAASA,eAAe,QAAQ,oBAAoB;AACpD,SAASC,aAAa,QAAQ,kBAAkB"}

package/package.json

@@ -0,0 +1,142 @@
+{
+  "name": "payload-rbac-plugin",
+  "version": "0.0.1",
+  "description": "RBAC plugin for payloadcms",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/Mhmod-Hsn/Payload-RBAC-Plugin.git"
+  },
+  "bugs": {
+    "url": "https://github.com/Mhmod-Hsn/Payload-RBAC-Plugin/issues"
+  },
+  "homepage": "https://github.com/Mhmod-Hsn/Payload-RBAC-Plugin#readme",
+  "license": "MIT",
+  "author": "Mahmoud Hassan <hsn.mhmod.96@gmail.com> (https://github.com/Mhmod-Hsn)",
+  "keywords": [
+    "payload",
+    "payloadcms",
+    "payload-plugin",
+    "plugin",
+    "rbac",
+    "role-based-access-control",
+    "access-control",
+    "permissions",
+    "roles",
+    "security",
+    "authorization",
+    "auth",
+    "typescript"
+  ],
+  "type": "module",
+  "exports": {
+    ".": {
+      "import": "./src/index.ts",
+      "types": "./src/index.ts",
+      "default": "./src/index.ts"
+    },
+    "./client": {
+      "import": "./src/exports/client.ts",
+      "types": "./src/exports/client.ts",
+      "default": "./src/exports/client.ts"
+    },
+    "./rsc": {
+      "import": "./src/exports/rsc.ts",
+      "types": "./src/exports/rsc.ts",
+      "default": "./src/exports/rsc.ts"
+    }
+  },
+  "main": "./src/index.ts",
+  "types": "./src/index.ts",
+  "files": [
+    "dist"
+  ],
+  "scripts": {
+    "build": "pnpm copyfiles && pnpm build:types && pnpm build:swc",
+    "build:swc": "swc ./src -d ./dist --config-file .swcrc --strip-leading-paths",
+    "build:types": "tsc --outDir dist --rootDir ./src",
+    "clean": "rimraf {dist,*.tsbuildinfo}",
+    "copyfiles": "copyfiles -u 1 \"src/**/*.{html,css,scss,ttf,woff,woff2,eot,svg,jpg,png,json}\" dist/",
+    "dev": "next dev dev --turbo",
+    "dev:generate-importmap": "pnpm dev:payload generate:importmap",
+    "dev:generate-types": "pnpm dev:payload generate:types",
+    "dev:payload": "cross-env PAYLOAD_CONFIG_PATH=./dev/payload.config.ts payload",
+    "generate:importmap": "pnpm dev:generate-importmap",
+    "generate:types": "pnpm dev:generate-types",
+    "lint": "eslint",
+    "lint:fix": "eslint ./src --fix",
+    "test": "pnpm test:int && pnpm test:e2e",
+    "test:e2e": "playwright test",
+    "test:int": "vitest"
+  },
+  "devDependencies": {
+    "@eslint/eslintrc": "^3.2.0",
+    "@payloadcms/db-mongodb": "3.84.1",
+    "@payloadcms/db-postgres": "3.84.1",
+    "@payloadcms/db-sqlite": "3.84.1",
+    "@payloadcms/eslint-config": "3.28.0",
+    "@payloadcms/next": "3.84.1",
+    "@payloadcms/richtext-lexical": "3.84.1",
+    "@payloadcms/ui": "3.84.1",
+    "@playwright/test": "1.58.2",
+    "@swc-node/register": "1.10.9",
+    "@swc/cli": "0.6.0",
+    "@types/node": "22.19.9",
+    "@types/react": "19.2.14",
+    "@types/react-dom": "19.2.3",
+    "copyfiles": "2.4.1",
+    "cross-env": "^7.0.3",
+    "eslint": "^9.23.0",
+    "eslint-config-next": "16.2.6",
+    "graphql": "^16.8.1",
+    "mongodb-memory-server": "10.1.4",
+    "next": "16.2.6",
+    "open": "^10.1.0",
+    "payload": "3.84.1",
+    "prettier": "^3.4.2",
+    "qs-esm": "8.0.1",
+    "react": "19.2.6",
+    "react-dom": "19.2.6",
+    "rimraf": "3.0.2",
+    "sharp": "0.34.2",
+    "sort-package-json": "^2.10.0",
+    "typescript": "5.7.3",
+    "vite-tsconfig-paths": "6.0.5",
+    "vitest": "^4.1.8"
+  },
+  "peerDependencies": {
+    "payload": "^3.84.1"
+  },
+  "engines": {
+    "node": "^18.20.2 || >=20.9.0",
+    "pnpm": "^9 || ^10"
+  },
+  "publishConfig": {
+    "exports": {
+      ".": {
+        "import": "./dist/index.js",
+        "types": "./dist/index.d.ts",
+        "default": "./dist/index.js"
+      },
+      "./client": {
+        "import": "./dist/exports/client.js",
+        "types": "./dist/exports/client.d.ts",
+        "default": "./dist/exports/client.js"
+      },
+      "./rsc": {
+        "import": "./dist/exports/rsc.js",
+        "types": "./dist/exports/rsc.d.ts",
+        "default": "./dist/exports/rsc.js"
+      }
+    },
+    "main": "./dist/index.js",
+    "types": "./dist/index.d.ts"
+  },
+  "pnpm": {
+    "onlyBuiltDependencies": [
+      "sharp",
+      "esbuild",
+      "unrs-resolver"
+    ]
+  },
+  "registry": "https://registry.npmjs.org/"
+}