API efficiency and Custom Conditions

Hi Strapi team,
I am starting to use your software, which looks to have really promising features. Just a couple of questions:

  1. Are API queries efficient? What happens in a big data and traffic case? Do you have any benchmarks/tests? I ask especially because of the many nested relations you allow and you return them all in the API response…

  2. API: How many results are returned by default in the nested relations? For example, 1000 posts with 10000 comments each. By default it would return 100 posts unless I limit it in the query. How many nested relationship results would it return, though? Is there a way to limit those? For example 10 posts with 5 comments… then I can retrieve the rest of the comments for that post from the comments API… no need for 10000 to be nested. Is that how it works?

  3. I see the roles/permissions section. It all looks cool, however I can see in the conditions you have 2 options available. When is the creator or when the role is equal to the creator… Is there any way to add more conditions? For example that he is connected to the creator… Has subscribed to the creator? Or other custom condition… For example a payments table that holds you have paid for an entry… profileId, paidForId so when you have paid for that reference ID you have access to it… Whether that’s a profile you have paid for or an asset or another XXX table entry…

Any suggestion?

I will be upfront and honest, currently no. We took way too many shortcuts regarding efficiency; we have identified that pain point and have already dedicated almost an entire quarter of 2021 to making the needed changes to that (Q3 2021): Database layer (v4) - Roadmap | Product Roadmap

There was a recent bug report on GitHub about this to determine the expected logic, exploration is currently ongoing: graphql connection not returning correct results anymore · Issue #9146 · strapi/strapi · GitHub

The RBAC (Role-based access control) and its conditionals aren’t entirely customizable in the CE edition and many of these features require an enterprise license (even the bronze). We understand there might be some frustration regarding this and have opened a forum thread to gather feedback:

Thank you for the reply to all the above. I just still have the question on the below.

I am actually asking about limiting in the REST API, not the GraphQL…

Take the following URL as an example:

The above URL will give me 1 post out of the 1000 in my DB and that’s great, but underneath it (relationship) will give me all the comments… How can I limit the returned comments nested within the returned post as a relationship?

I don’t think the bug about the GraphQL is related to this… or is it?

They are similar yes, because GraphQL relies on the same controllers used by REST, functionally the logic is the same. (There is an abstraction layer for populating relations in GQL, but the limits applied are the same)

Currently there isn’t a method to directly filter relations unless you use GraphQL or you construct your own custom query: https://strapi.io/documentation/developer-docs/latest/concepts/queries.html#custom-queries

You can customize the existing controllers or build your own (you can skip the service and simply execute the service type code in the controller instead).

For clarification if you are unsure how the chaining works in Strapi:
User Request => U&P Plugin => Route => Handler (Controller) => Service => Query => Database (via the ORM)

Awesome, thanks for the clarifications, they helped a lot. I am new to Strapi and to GraphQL so I wasn’t aware of the structure.

I tried GraphQL and it works like a charm. Returns the data I want. The structure I want… so nice.

Just one question regarding GraphQL…

Take this example:
posts (limit: 10) {
  comments (limit: 3) { … }
}

comments, as you can imagine, is a relationship.
It doesn’t accept the “…”
How can I simply tell it I need all data in it without specifying the columns to return? Is there any way, or do I need to be explicit?

That’s the downside to GraphQL, it requires you to be specific, there is no “everything” option.

No issue. Still querying great. One, hopefully last, question about GraphQL…

When I query, does it still follow the same process? controller->service->query?

So if I have a custom controller that only returns results if the user is the owner of the entry, will GraphQL respect the controller?

And further to it, when I am in a custom code controller, can I add extra parameters to the initial query?

For example, the initial query from the request is “where _id==XXXX”; can I append “AND user==ctx.user.id” so I limit the entries to the authenticated user only?
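
The owner-scoping idea raised in the last post (appending `user == ctx.user.id` to the incoming query), as an added example that is not from the thread or from Strapi's code base: plain JavaScript with an in-memory stand-in for the service/query step. `scopeToOwner`, `find`, `findOwned`, the `user` owner field, the `_limit` parameter, `MAX_LIMIT` and the `ctx` shape are assumptions for illustration.

```javascript
// Constructed sample data: posts owned by two users.
const POSTS = [
  { _id: "p1", user: "u1", title: "first" },
  { _id: "p2", user: "u2", title: "second" },
  { _id: "p3", user: "u1", title: "third" },
];

const MAX_LIMIT = 100; // server-side cap (assumed value)

// Build the query the data layer will run. Client filters are kept, but any
// client-supplied key that targets the owner field is dropped and the owner is
// set from the authenticated session, so the request cannot override it.
function scopeToOwner(clientQuery, userId) {
  if (userId === undefined || userId === null) {
    throw new Error("unauthenticated"); // fail closed: never run unscoped
  }
  const scoped = {};
  for (const [key, value] of Object.entries(clientQuery || {})) {
    if (key === "user" || key.startsWith("user_") || key.startsWith("user.")) continue;
    scoped[key] = value;
  }
  const asked = Number.parseInt(scoped._limit, 10);
  scoped._limit = Number.isInteger(asked) && asked > 0 ? Math.min(asked, MAX_LIMIT) : MAX_LIMIT;
  scoped.user = userId; // the "AND user == <authenticated id>" condition
  return scoped;
}

// Hypothetical stand-in for the service/query step: equality filters only.
function find(query) {
  const { _limit, ...filters } = query;
  return POSTS.filter((row) =>
    Object.entries(filters).every(([k, v]) => row[k] === v)
  ).slice(0, _limit);
}

// Controller-style handler: ctx.query comes from the request, ctx.user from auth.
function findOwned(ctx) {
  return find(scopeToOwner(ctx.query, ctx.user && ctx.user.id));
}

// u1 asks for u2's post and tries to set the owner filter itself.
console.log(findOwned({ query: { _id: "p2", user: "u2" }, user: { id: "u1" } })); // → []
```

The owner value is written last and every `user`-prefixed key from the request is discarded first, so neither a direct override nor a negated filter such as `user_ne` widens the result set.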