fix: publish button incorrectly shown after saving draft when access denied (#15319)

PatrikKozak · web-flow · commit e833fe698ef5 · 2026-01-26T05:58:52.000-08:00
### What Fixes publish and unpublish buttons incorrectly appearing for users without publish permissions after saving a draft. ### Why The document access endpoints weren't passing request body data to the permission operations. This caused the simulated `_status` field (used to check "can this user publish?") to be ignored. The frontend simulates `_status: 'published'` to determine if the publish button should be shown, but the backend would check permissions against the actual draft document instead, incorrectly returning `true`. This made the publish button visible even though clicking it would still fail with an access error. Additionally, the unpublish button didn't check for publish permissions at all - if a user can't publish, they shouldn't be able to unpublish either. ### How - Pass `data: req.data` in collection and global `docAccess` endpoint handlers so simulated status is used for permission checks - Update `useGetDocPermissions` to extract actual document from API response (`data?.doc || data || {}`) before sending to backend, ensuring field permissions receive complete document structure - Add `hasPublishPermission` check to `UnpublishButton` component Fixes #15312
diff --git a/packages/payload/src/collections/endpoints/docAccess.ts b/packages/payload/src/collections/endpoints/docAccess.ts
@@ -12,6 +12,7 @@ export const docAccessHandler: PayloadHandler = async (req) => {
   const result = await docAccessOperation({
     id,
     collection,
+    data: req.data,
     req,
   })
 
diff --git a/packages/payload/src/globals/endpoints/docAccess.ts b/packages/payload/src/globals/endpoints/docAccess.ts
@@ -9,6 +9,7 @@ import { docAccessOperation } from '../operations/docAccess.js'
 export const docAccessHandler: PayloadHandler = async (req) => {
   const globalConfig = getRequestGlobal(req)
   const result = await docAccessOperation({
+    data: req.data,
     globalConfig,
     req,
   })
diff --git a/packages/ui/src/elements/UnpublishButton/index.tsx b/packages/ui/src/elements/UnpublishButton/index.tsx
@@ -23,6 +23,7 @@ export function UnpublishButton() {
     data: dataFromProps,
     globalSlug,
     hasPublishedDoc,
+    hasPublishPermission,
     incrementVersionCount,
     isTrashed,
     setHasPublishedDoc,
@@ -57,7 +58,7 @@ export function UnpublishButton() {
 
   const unpublish = useCallback(
     (unpublishAll?: boolean) => {
-      ; (async () => {
+      ;(async () => {
         let url
         let method
 
@@ -147,7 +148,7 @@ export function UnpublishButton() {
     setHasLocalizedFields(hasLocalizedField)
   }, [entityConfig?.fields])
 
-  const canUnpublish = hasPublishedDoc && !isTrashed
+  const canUnpublish = hasPublishPermission && hasPublishedDoc && !isTrashed
   const canUnpublishCurrentLocale = hasLocalizedFields && canUnpublish
 
   return (
@@ -166,21 +167,21 @@ export function UnpublishButton() {
             SubMenuPopupContent={
               canUnpublishCurrentLocale
                 ? ({ close }) => {
-                  return (
-                    <PopupList.ButtonGroup>
-                      <PopupList.Button
-                        id="action-unpublish-locale"
-                        onClick={() => {
-                          setUnpublishAll(false)
-                          toggleModal(unPublishModalSlug)
-                          close()
-                        }}
-                      >
-                        {t('version:unpublishIn', { locale: getTranslation(localeLabel, i18n) })}
-                      </PopupList.Button>
-                    </PopupList.ButtonGroup>
-                  )
-                }
+                    return (
+                      <PopupList.ButtonGroup>
+                        <PopupList.Button
+                          id="action-unpublish-locale"
+                          onClick={() => {
+                            setUnpublishAll(false)
+                            toggleModal(unPublishModalSlug)
+                            close()
+                          }}
+                        >
+                          {t('version:unpublishIn', { locale: getTranslation(localeLabel, i18n) })}
+                        </PopupList.Button>
+                      </PopupList.ButtonGroup>
+                    )
+                  }
                 : undefined
             }
             type="button"
diff --git a/packages/ui/src/providers/DocumentInfo/useGetDocPermissions.tsx b/packages/ui/src/providers/DocumentInfo/useGetDocPermissions.tsx
@@ -56,7 +56,7 @@ export const useGetDocPermissions = ({
             }),
             {
               body: JSON.stringify({
-                ...(data || {}),
+                ...(data?.doc || data || {}),
                 _status: 'draft',
               }),
               credentials: 'include',
@@ -77,7 +77,7 @@ export const useGetDocPermissions = ({
             }),
             {
               body: JSON.stringify({
-                ...(data || {}),
+                ...(data?.doc || data || {}),
                 _status: 'published',
               }),
               credentials: 'include',
diff --git a/test/versions/e2e.spec.ts b/test/versions/e2e.spec.ts
@@ -748,6 +748,43 @@ describe('Versions', () => {
       await expect(page.locator('#action-save')).not.toBeAttached()
     })
 
+    test('collections — should keep publish button hidden after saving draft when access control prevents update', async () => {
+      const draftDoc = await payload.create({
+        collection: disablePublishSlug,
+        data: {
+          _status: 'draft',
+          title: 'draft title',
+        },
+      })
+
+      await page.goto(disablePublishURL.edit(String(draftDoc.id)))
+
+      // Verify publish button is hidden on initial load
+      await expect(page.locator('#action-save')).not.toBeAttached()
+
+      await page.locator('#field-title').fill('updated title')
+      await saveDocAndAssert(page, '#action-save-draft')
+
+      // Verify publish button is still hidden after saving as draft
+      await expect(page.locator('#action-save')).not.toBeAttached()
+    })
+
+    test('collections — should hide unpublish button when access control prevents update', async () => {
+      const publishedDoc = await payload.create({
+        collection: disablePublishSlug,
+        data: {
+          _status: 'published',
+          title: 'title',
+        },
+        overrideAccess: true,
+      })
+
+      await page.goto(disablePublishURL.edit(String(publishedDoc.id)))
+
+      // Verify unpublish button is hidden when user doesn't have publish permission
+      await expect(page.locator('#action-unpublish')).not.toBeAttached()
+    })
+
     test('collections — should show custom error message when unpublishing fails', async () => {
       const publishedDoc = await payload.create({
         collection: errorOnUnpublishSlug,
@@ -1102,6 +1139,40 @@ describe('Versions', () => {
       await expect(page.locator('#action-save')).not.toBeAttached()
     })
 
+    test('globals — should keep publish button hidden after saving draft when access control prevents update', async () => {
+      const url = new AdminUrlUtil(serverURL, disablePublishGlobalSlug)
+      await page.goto(url.global(disablePublishGlobalSlug))
+
+      // Verify publish button is hidden on initial load
+      await expect(page.locator('#action-save')).not.toBeAttached()
+
+      // Update the title and save as draft
+      await page.locator('#field-title').fill('updated global title')
+      await saveDocAndAssert(page, '#action-save-draft')
+
+      // Verify publish button is still hidden after saving as draft
+      // This is the key regression test - before the fix, the button would appear after save
+      await expect(page.locator('#action-save')).not.toBeAttached()
+    })
+
+    test('globals — should hide unpublish button when access control prevents update', async () => {
+      // Then publish it with override access to create a published version
+      await payload.updateGlobal({
+        slug: disablePublishGlobalSlug,
+        data: {
+          _status: 'published',
+          title: 'published global',
+        },
+        overrideAccess: true,
+      })
+
+      const url = new AdminUrlUtil(serverURL, disablePublishGlobalSlug)
+      await page.goto(url.global(disablePublishGlobalSlug))
+
+      // Verify unpublish button is hidden when user doesn't have publish permission
+      await expect(page.locator('#action-unpublish')).not.toBeAttached()
+    })
+
     test('global — should show versions drawer when SelectComparison more option is clicked', async () => {
       await payload.updateGlobal({
         slug: draftGlobalSlug,
