Admin panel content-manager: filter related records offered for type Relation based on user Role

System Information
  • Strapi 4.20.1:
  • Windows
  • MySQL
  • Node 20 LTS


I have a Strapi admin panel with custom user roles. I have a collection type MedicalArticle that is related to another collection type Organization using the Relation collection type. Each Organization has their own role.

When I want to create a MediaArticle with the Content Manager, the Relation field offers a dropdown where you can select to which Organization the MediaArticle should be linked to. This dropdown now shows all Organizations.

I want to filter this dropdown and only show specific organizations based on the admin role of the logged in Strapi Dashboard user. I notice this dropdown makes the following API call to fetch the contents of that relation dropdown: http://localhost:1337/content-manager/relations/api::medical-article.medical-article/organizationId?pageSize=10&_q=&_filter=$containsi&page=1

Even so, if I achieve filtering out certain Organizations from this dropdown based on role of logged in user, how do I make sure it is secure so that on create and on edit of a MedicalArticle, the back-end also properly blocks the right OrganizationIds based on the role of the logged in user?

Basically I want to inject custom code for the fetch of that Relation dropdown, as well as some additional checks before an Article is created or updated.

  1. Do I need to make a ./src/extensions/content-manager/strapi-server.js file?
  2. Do I need to use Role-Based Access Control (RBAC) Create new Role-Based Access Control (RBAC) conditions | Strapi Documentation?
  3. Another way?

I want to emphasize that this is not about app users, api users; these are strictly Strapi dashboard admin users with custom roles.

Thanks in advance.