Best way to create a permission system

Hello Strapi Community,

I need to create a permission system which allows me to define actions and to allow or disallow Roles to perform those actions.
For instance, I don't want my front end to display the "restaurants" that have a 5-star rating when the connected user is a Technician (his role :grin:). This would be an action named "view 5 stars restaurants".

My idea is to create a route leading to a function in my restaurant controller and, in that function:

  • Check the user role based on the JWT token
  • Check if the role has the permission to proceed with "view 5 stars restaurants"
  • If it does not, strapi.query the restaurants that have less than 4 stars and return them
  • If it does, return all restaurants

The tool I am coding will implement a lot of such actions and a varying number of roles depending on the needs of the client using the tool.

Here are my questions:

Should I create a collection to store the permissions for a given role?
Should I modify the roles and permissions plugin that Strapi provides?
Is creating various routes and controller functions a good way of doing what I want?

I want to code smart and clean and am open to any kind of suggestions or remarks :slight_smile:

Thanks for reading

Any suggestion?

The best option would be policies: Backend customization - Strapi Developer Documentation
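To make the two threads concrete (the four-step check in the question and the policy approach the reply points to), here is an added example in plain Node.js; it is not code from the original post and not Strapi's own code. It assumes a Koa-style `ctx` in which `ctx.state.user.role.name` has already been filled in by the JWT check (the shape Strapi's users-permissions plugin provides), and it replaces the database with a constructed in-memory `RESTAURANTS` array and the roles/permissions collection with a constructed `ROLE_PERMISSIONS` table. Two patterns are shown: a `requireAction` policy that refuses the request outright (for actions that must never run), and a `findVisible` list handler that always answers but filters the 5-star entries out for roles lacking the action, so the restriction is enforced on the server rather than in the front end.

```javascript
'use strict';

// Added example (not from the original post, not Strapi code).
// ROLE_PERMISSIONS stands in for a permissions collection; in Strapi it
// could be a collection type keyed by role or static config. The ctx shape
// mimics Koa/Strapi: ctx.state.user is assumed to be set by JWT validation.

const ACTION_VIEW_TOP = 'view 5 stars restaurants';

// Constructed role -> allowed actions table. Deny-by-default: a role that is
// absent from the table, or an action absent from its set, is refused.
const ROLE_PERMISSIONS = {
  Administrator: new Set([ACTION_VIEW_TOP, 'edit restaurants']),
  Manager: new Set([ACTION_VIEW_TOP]),
  Technician: new Set(), // listed explicitly, but granted nothing
};

// Constructed sample data standing in for the restaurant collection.
const RESTAURANTS = [
  { id: 1, name: 'Chez Alice', stars: 5 },
  { id: 2, name: 'Bistro Bob', stars: 4 },
  { id: 3, name: 'Cafe Carol', stars: 3 },
  { id: 4, name: 'Le Dave', stars: 5 },
];

// Does this role have this action? Unknown roles (including null for an
// anonymous request) and unlisted actions both return false.
function roleCan(roleName, action) {
  const granted = ROLE_PERMISSIONS[roleName];
  return granted instanceof Set && granted.has(action);
}

// Role name of the authenticated user, or null when nobody is logged in.
function roleOf(ctx) {
  const user = ctx && ctx.state && ctx.state.user;
  return user && user.role && user.role.name ? user.role.name : null;
}

// Policy factory in Koa middleware shape: (ctx, next). When the role lacks
// the action the request ends with 403 and next() is never called, so the
// controller behind it does not run. Use this for actions that must be
// blocked entirely (e.g. editing).
function requireAction(action) {
  return (ctx, next) => {
    if (!roleCan(roleOf(ctx), action)) {
      ctx.status = 403;
      ctx.body = { error: 'Forbidden', action };
      return undefined;
    }
    return next();
  };
}

// The list endpoint from the question: every role gets a list, but only a
// role holding ACTION_VIEW_TOP sees the 5-star entries. Filtering happens
// here, server-side, so a client cannot simply ask for the hidden rows.
function findVisible(ctx, restaurants = RESTAURANTS) {
  const seesAll = roleCan(roleOf(ctx), ACTION_VIEW_TOP);
  return seesAll ? restaurants.slice() : restaurants.filter((r) => r.stars < 5);
}

// Constructed ctx builder for local runs; not Strapi's real context object.
function makeCtx(roleName) {
  return {
    state: roleName ? { user: { role: { name: roleName } } } : {},
    status: 200,
    body: null,
  };
}

// Chain the policy and a tiny "controller" the way Koa would, and return the
// resulting HTTP status so the outcome can be checked.
function handleEdit(ctx) {
  requireAction('edit restaurants')(ctx, () => {
    ctx.status = 200;
    ctx.body = { ok: true };
  });
  return ctx.status;
}

console.log('Technician sees:', findVisible(makeCtx('Technician')).map((r) => r.name));
console.log('Manager sees:   ', findVisible(makeCtx('Manager')).map((r) => r.name));
console.log('Technician edit ->', handleEdit(makeCtx('Technician')));
console.log('Administrator edit ->', handleEdit(makeCtx('Administrator')));
```

In a Strapi project the `requireAction` factory would live under `config/policies` (or an API's `policies` folder) and be named in the route config, while `findVisible` is the body of the controller's `find` action; the in-memory array is the only part that would be swapped for a `strapi.query` call. Keeping the role-to-action table in one place answers the first question in the post: one table (collection or config) per client, many actions, no new route per permission.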