Admin panel content-manager: filter related records offered for type Relation based on user Role

System Information
  • Strapi 4.20.1
  • Windows
  • MySQL
  • Node 20 LTS

Hello,

I have a Strapi admin panel with custom user roles. I have a collection type MedicalArticle that is related to another collection type Organization using the Relation collection type. Each Organization has its own role.

When I want to create a MedicalArticle with the Content Manager, the Relation field offers a dropdown where you can select which Organization the MedicalArticle should be linked to. This dropdown now shows all Organizations.

I want to filter this dropdown and only show specific organizations based on the admin role of the logged-in Strapi Dashboard user. I notice this dropdown makes the following API call to fetch the contents of that relation dropdown: http://localhost:1337/content-manager/relations/api::medical-article.medical-article/organizationId?pageSize=10&_q=&_filter=$containsi&page=1

Even so, if I achieve filtering out certain Organizations from this dropdown based on the role of the logged-in user, how do I make sure it is secure so that on create and on edit of a MedicalArticle, the back-end also properly blocks the right OrganizationIds based on the role of the logged-in user?

Basically I want to inject custom code for the fetch of that Relation dropdown, as well as some additional checks before an Article is created or updated.

  1. Do I need to make a ./src/extensions/content-manager/strapi-server.js file?
  2. Do I need to use Role-Based Access Control (RBAC)? (Link: "Create new Role-Based Access Control (RBAC) conditions | Strapi Documentation")
  3. Another way?

I want to emphasize that this is not about app users or API users; these are strictly Strapi dashboard admin users with custom roles.

Thanks in advance.
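
The two checks the question asks about, sketched as an added example (not part of the original post and not Strapi's own code): one role-to-Organization mapping drives both the dropdown filter and the server-side rejection on create/update. The role codes, the `ROLE_ORGS` mapping, the function names, the `roles[].code` shape of the admin user, and the accepted relation payload shapes are assumptions; only the `organizationId` field name comes from the request URL above.

```javascript
// Constructed mapping: admin role code -> Organization ids that role may link to.
const ROLE_ORGS = new Map([
  ['org-a-editor', [1]],
  ['org-b-editor', [2, 3]],
]);

// Union of the Organization ids allowed by all of the admin user's roles.
function allowedOrgIds(adminUser) {
  const ids = new Set();
  for (const role of (adminUser && adminUser.roles) || []) {
    for (const id of ROLE_ORGS.get(role.code) || []) ids.add(id);
  }
  return ids;
}

// Ids a relation value would attach. Accepts a bare id, { id }, an array,
// or { connect: ... } / { set: ... }; disconnect entries are ignored.
function requestedOrgIds(value) {
  if (value == null) return [];
  if (Array.isArray(value)) return value.flatMap(requestedOrgIds);
  if (typeof value === 'object') {
    if ('connect' in value || 'set' in value) {
      return [].concat(value.connect || [], value.set || []).flatMap(requestedOrgIds);
    }
    return 'id' in value ? [Number(value.id)] : [];
  }
  return [Number(value)];
}

// For the dropdown response: keep only the options this user may pick.
function filterOptions(adminUser, organizations) {
  const allowed = allowedOrgIds(adminUser);
  return organizations.filter((org) => allowed.has(Number(org.id)));
}

// For create and update: reject the write if any requested id is not allowed.
// Unparseable ids become NaN, which is never in the allowed set, so they are rejected.
function assertOrganizationAllowed(adminUser, data) {
  const allowed = allowedOrgIds(adminUser);
  const denied = requestedOrgIds(data.organizationId).filter((id) => !allowed.has(id));
  if (denied.length > 0) {
    throw new Error(`Organization not permitted: ${denied.join(', ')}`);
  }
  return true;
}
```

An update that leaves the relation untouched passes `assertOrganizationAllowed`, so access to the existing MedicalArticle itself still has to be restricted separately.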