Payload is the open-source, fullstack Next.js framework, giving you instant backend superpowers. Get a full TypeScript backend and admin panel instantly. Use Payload as a headless CMS or for building powerful applications.
fix: isolate payload-preferences by auth collection (#15425)
### What Fixes preferences being accessible across different auth collections in multi-auth setups. ### Why The `preferenceAccess` function only checked user ID without verifying which auth collection the user belonged to. In setups with multiple auth collections using sequential IDs, this could allow unintended access to preferences. ### How Updated `preferenceAccess` to check both user ID and auth collection, consistent with the existing operation handlers. Added tests to verify proper isolation.
P
Patrik committed
2dc2e7c07f24529a28326bd7f5a3fc3597245ebf
Parent: 99d61db
Committed by GitHub <noreply@github.com>
on 1/30/2026, 2:07:52 PM