Sgt Maddonut

Reputation: 779

Strapi backend and query restrictions

I'm currently using Strapi as the backend for an online shop, and am faced with the following problems: by default Strapi returns all data in GET queries; for example, http://host.com/users will return all users' fields, including privateMessages, orders, favoritedProducts, but this data should be private. How do I restrict this so that every user can get only their own private data?

Also, Strapi has strange permission settings: if I allow updating the User model, that basically means other users can perform PUT queries and edit other users' data, but if I restrict updating the User model, then a user can't update their own data.

Upvotes: 0

Views: 849

Answers (1)

Jim LAURIE

Reputation: 4118

To do it you will have to add custom logic based on the info you have in ctx.state.user.

Documentation here: https://strapi.io/documentation/3.x.x/guides/authentication.html#user-object-in-strapi-context

You can create a policy and apply it to the route you want, or update your controller code to restrict the access.

Upvotes: 0
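The two options the answer names (a policy on the route, or a filter in the controller), written out as an added example that is not part of the question, the answer, or the Strapi project. It is plain Node with constructed stand-ins for Strapi's Koa context, so it runs without Strapi. The file paths in comments, the `email`/`password` entries in the private-field list, the `isOwner` name and the sample users are assumptions; `privateMessages`, `orders` and `favoritedProducts` are the fields from the question.

```javascript
// Added example for a Strapi 3.x app (not the project's own code): a route policy
// that only lets a user act on their own User record, and a controller helper that
// strips private fields from other users' records. Runs stand-alone under Node.

// Fields only the owner may see (assumed list; the first three come from the question).
const PRIVATE_FIELDS = ['privateMessages', 'orders', 'favoritedProducts', 'email', 'password'];

// Policy, e.g. config/policies/isOwner.js (assumed path), attached to PUT /users/:id.
// ctx.state.user is filled in by the users-permissions plugin after JWT validation.
async function isOwner(ctx, next) {
  const user = ctx.state.user;
  if (!user) return ctx.unauthorized('Authentication required');
  // Route params are strings and ids may be numbers, so compare as strings.
  if (String(ctx.params.id) !== String(user.id)) {
    return ctx.forbidden('You may only modify your own record');
  }
  return next();
}

// Controller helper for GET /users: full record for the requester's own row,
// public fields only for everyone else's rows.
function sanitizeForViewer(records, viewer) {
  return records.map((record) => {
    const isSelf = Boolean(viewer) && String(record.id) === String(viewer.id);
    if (isSelf) return { ...record };
    return Object.fromEntries(
      Object.entries(record).filter(([key]) => !PRIVATE_FIELDS.includes(key))
    );
  });
}

// Constructed stand-in for the Koa/Strapi context (not the real object):
// only the members the policy touches are modelled.
function makeCtx({ user, id }) {
  const ctx = { state: { user }, params: { id }, status: 200, body: null };
  ctx.unauthorized = (msg) => { ctx.status = 401; ctx.body = msg; return ctx; };
  ctx.forbidden = (msg) => { ctx.status = 403; ctx.body = msg; return ctx; };
  return ctx;
}

// Run the policy against a constructed request and report whether the
// controller would have been reached and which status was set.
async function runPolicy({ user, id }) {
  const ctx = makeCtx({ user, id });
  let reachedController = false;
  await isOwner(ctx, async () => { reachedController = true; });
  return { status: ctx.status, reachedController };
}

// Constructed sample data.
const SAMPLE_USERS = [
  { id: 1, username: 'alice', email: 'alice@example.com', privateMessages: ['hi'], orders: [101] },
  { id: 2, username: 'bob', email: 'bob@example.com', privateMessages: ['yo'], favoritedProducts: [7] },
];

async function demo() {
  const alice = SAMPLE_USERS[0];
  console.log(await runPolicy({ user: alice, id: '1' }));      // own record: reaches controller
  console.log(await runPolicy({ user: alice, id: '2' }));      // someone else's record: 403
  console.log(await runPolicy({ user: undefined, id: '1' }));  // anonymous: 401
  console.log(sanitizeForViewer(SAMPLE_USERS, alice));         // bob's private fields removed
}

demo();
```

The policy answers the second half of the question: with it attached to the update route, the User "update" permission can stay enabled for the Authenticated role while each user is still limited to their own row. The helper answers the first half: the list endpoint can return everybody's public fields and only the requester's private ones.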
