Expose overrideAccess to collection/fields hooks

[Fitch24]

Sometimes is not possible to configure access for the field, so we need to protect (hide/remove) this fields in collection hooks (afterRead/beforeChange). For example, we can't configure access to timestamp fields (to hide or protect from editing by non-admins), or email field in auth collections (if need to hide user email from other users). So access for this fields can be handled in collection hooks, but this hooks will be invoked in local API and we can't skip this hooks by passing overrideAccess: true. Exposing overrideAcces to hooks can solve this problem by adding a check in hook code to do nothing if overrideAccess is true.

Example of possible use:

const Users = {
    slug: 'users',
    auth: true,
    access: {
        // logged in users can read other users
        read: ({ req }) => !!req.user,
        // admins can create new users or not logged in users can register self
        create: ({ req }) => req.user?.isAdmin || !req.user,
        // admins can update any user, other users can update only self
        update: ({ req }) => req.user?.isAdmin || (!!req.user && {
            id: {
                equals: req.user.id
            }
        }),
        // only admins can delete users
        delete: ({ req }) => !!req.user?.isAdmin
    },
    fields: [
        {
            name: 'isAdmin',
            type: 'checkbox',
            required: true,
            default: () => false,
            access: {
                read: ({ req }) => !!req.user?.isAdmin,
                update: ({ req }) => !!req.user?.isAdmin,
                create: ({ req }) => !!req.user?.isAdmin,
            }
        }
    ],
    hooks: {
        afterRead: [
            ({ req, doc, overrideAccess }) => {
                // skip hook if overrideAccess is true
                if (!overrideAccess && !req.user?.isAdmin) {
                    // hide timestamps from non admins
                    delete doc.createdAt
                    delete doc.updatedAt

                    // hide email from other users
                    if (doc.id !== req.user?.id) {
                        delete doc.email
                    }
                }
                return doc
            }
        ]
    }
}

For now, I use request context to skip this hooks, but it's require to pass overrideAccess twice:

payload.find({
    collection: 'users',
    where: {
        isAdmin: {
            equals: true
        }
    },
    overrideAccess: true,
    context: {
        overrideAccess: true
    }
})

It can produce errors, if I forgot to add overrideAccess to context

[DanRibbens]

@Fitch24 let me make your life easier!

The fields that Payload adds for you are configurable. When adding your own with the same name as a builtin field, Payload will use your field instead of adding another with the same name. This works for createdAt, updatedAt and email for auth collections.

This should be in the docs somewhere if it isn't already.

Let me know how it goes.

[Fitch24]

Let me know how it goes.

Awesome, it's working. Suggested feature is not need anymore and discussion can be closed. Or you can comment strange behavior that I found while testing built-in fields override and playing with field access (payload 2.30.3):

1. default (wasn't overridden) email field is casts to lowercase in create and login operations. But after editing email field in admin UI with uppercase symbols (update operation) value is not casts to lowercase and any login attempts after that was failed (because in login operation, provided email value is casts to lowercase and not equals to value in db). Look like a bug, is it? I fixed this in overridden field definition by casting email's value to lowercase in beforeValidate field's hook.
2. When I restricted read access to fields of blocks/array type, I expected to fully omit this fields from API response, but API just returns empty arrays instead. It's protect field value from unauthorized access but not hide shape/archetype of data, field name and field type (array) is still visible.