I am a bit stuck - some advice most welcome. I have managed to introduce API policies to filter queries based on request parameters. It's a bit based on the multi-tenant approach: Using Strapi as a multi-tenant - #2 by Richard_Nsama. My content-types belong to an organization identified by uuid. So far so good. Now I want to limit the access of my content editors in the admin panel. I found no way to add custom fields to the admin user model. I would want to tell an editor that he belongs to an organization and allow visibility only to content of this organization. How can I do it - the RBAC approach with a custom handler was my first thought, but I think it works more on the view level. I would need a hook for the queries that show the content of a content type and just filter out what is not part of the org the user is from. I tried policies, but they don't trigger for admin panel queries?
I think you're on a good track with the RBAC approach. I have a similar situation, where we build the CMS for our customer but the customer also has some accounts to manage content themselves. Creating a custom condition ensures the user accessing a specific content-type in the content-manager has the permission to see and edit it.
The developers of Strapi already made a similar condition by default:
You can create your own conditions in /src/index.js and register them as described in the first link above.
P.S. Working on my condition I found a bug trying to filter the user listing by email. See this issue on GitHub.
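As an added illustration of the custom-condition approach described in this reply (this is example code written for this thread, not code from the reply's author or from Strapi itself), below is what such a condition can look like in the shape of Strapi v4's ./src/index.js. Because the original question notes that the admin user model cannot take a custom field, the example assumes the admin-email to organization-uuid mapping is supplied out of band through a hypothetical ADMIN_ORG_MAP environment variable holding a JSON object, and it assumes the content types store the organization uuid in a field named `organization`; both the variable and the field name are assumptions, not something the thread states. The registration call `strapi.admin.services.permission.conditionProvider.register` is the documented Strapi v4 API; the handler returns a query filter in the same shape the built-in "is creator" condition returns, or `false` to deny access outright.

```javascript
// Added example (not the thread author's code): an organization-scoped RBAC
// condition for the Strapi admin panel, laid out like ./src/index.js.
//
// Assumptions not stated in the thread:
//  - content types carry the organization uuid in a field named `organization`
//  - admin users cannot carry a custom field, so the admin-email -> org-uuid
//    mapping is read from a hypothetical ADMIN_ORG_MAP env var (a JSON object)
//  - Strapi v4: strapi.admin.services.permission.conditionProvider.register

const DEFAULT_ORG_FIELD = 'organization'; // assumed field name on the content types

// Parse the JSON mapping once. A missing or malformed map yields an empty map,
// so the condition denies everything instead of failing open.
function parseOrgMap(raw) {
  if (!raw) return new Map();
  try {
    const obj = JSON.parse(raw);
    return new Map(
      Object.entries(obj).map(([email, uuid]) => [email.toLowerCase(), String(uuid)])
    );
  } catch {
    return new Map();
  }
}

// Build a condition handler. Strapi passes the admin user; the handler returns
// either a query filter that is AND-ed onto every content-manager query for
// the content types the condition is attached to, or `false` to deny access.
function makeOrgConditionHandler(orgMap, field = DEFAULT_ORG_FIELD) {
  return (user) => {
    const email = user && user.email ? String(user.email).toLowerCase() : '';
    const orgUuid = orgMap.get(email);
    if (!orgUuid) return false; // unknown editor: deny, never fall open
    return { [field]: orgUuid };
  };
}

// The condition object handed to conditionProvider.register().
function buildOrgCondition(orgMap, field = DEFAULT_ORG_FIELD) {
  return {
    displayName: "Belongs to the editor's organization",
    name: 'is-own-organization',
    plugin: 'admin',
    handler: makeOrgConditionHandler(orgMap, field),
  };
}

const ORG_MAP = parseOrgMap(process.env.ADMIN_ORG_MAP);

const strapiEntry = {
  register() {},
  async bootstrap({ strapi }) {
    await strapi.admin.services.permission.conditionProvider.register(
      buildOrgCondition(ORG_MAP)
    );
  },
};

if (typeof module !== 'undefined') module.exports = strapiEntry;
```

After the server restarts, the condition only takes effect once it is selected for the relevant content-type permissions under Settings > Roles in the admin panel; that per-permission attachment is also how the same condition is reused across content types. If a content type keeps the uuid under a different field name, register a second condition built with `buildOrgCondition(ORG_MAP, 'thatField')` under a distinct `name`.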
Awesome. I went down this road but was not sure. How can you distinguish which query is manipulated in the handler? This is where I got stuck. Like, would I need to have a custom query filter per custom type? I could look up the URL params?