Skip to content

Commit f7e1680

Browse files
committed
fix(cms): enforce access control in generateThumbnail local API calls
Pass overrideAccess:false to the payload.create('images') and payload.update('articles') calls so the thumbnail endpoint enforces each collection's access control instead of bypassing it with the default overrideAccess:true. Both call paths guarantee an authenticated user (REST returns 401 without one, MCP resolves it from the API key).
1 parent c7f3508 commit f7e1680

1 file changed

Lines changed: 2 additions & 0 deletions

File tree

cms/src/endpoints/generateThumbnail.ts

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -334,6 +334,7 @@ export async function generateThumbnailCore(
334334
name: filename,
335335
size: buffer.length,
336336
},
337+
overrideAccess: false,
337338
req,
338339
})
339340

@@ -346,6 +347,7 @@ export async function generateThumbnailCore(
346347
data: { image: image.id },
347348
draft: articleStatus === 'draft',
348349
id: input.articleId,
350+
overrideAccess: false,
349351
req,
350352
})
351353
} catch (error) {

0 commit comments

Comments
 (0)