Access Control

Define access rules in src/cms/access.ts. Rules are pure functions evaluated before every API operation.

import { defineAccess } from "./core/define";

const isAdmin = ({ user }) => user?.role === "admin";
const isEditor = ({ user }) => user?.role === "admin" || user?.role === "editor";

export default defineAccess({
  posts: {
    read: () => true,
    create: isEditor,
    update: isEditor,
    delete: isAdmin,
    publish: isEditor,
  },
  users: {
    read: isAdmin,
    create: isAdmin,
    update: isAdmin,
    delete: isAdmin,
  },
});

Operations

Operation	When checked
`read`	`find`, `findOne`, `findById`
`create`	`create`
`update`	`update`
`delete`	`delete`
`publish`	`publish`, `unpublish`
`schedule`	`schedule` (falls back to `publish` rule)

Context

({ user, doc, operation, collection }) => boolean;

user — current session user ({ id, role, email } or null)
doc — existing document (for update/delete/publish)
operation — operation name
collection — collection slug

Field-Level Access

See Fields — restrict which fields specific roles can update.