Cannot populate content types from plugin with "Custom" API token?

System Information
  • Strapi Version: v4.8.1
  • Operating System: Debian
  • Database: SQLite
  • Node Version: 18
  • Yarn Version: 3.5.0

Hello!

I’m writing a Strapi plugin that adds a content type (say, plugin::foo.bar). I also have a content type (say, api::page.page) with a one-to-one relation field (say, fooBar) to plugin::foo.bar.

If I use an API token with “Full Access” or “Read-only” token type, with the ?populate=fooBar query, I can get the entries of api::page.page with the associated plugin::foo.bar entry in the fooBar field. However, if I use an API token with “Custom” token type, which permits read access (find and findOne) to api::page.page, the ?populate=fooBar query does not work and the response is missing the fooBar field.

My guess is that it needs an explicit permission to get plugin::foo.bar entries when I’m using “Custom” token type, but it does not appear in the permission settings.

How can I fix this? Thanks in advance!

1 Like

You need to enable find permission in users-permissions I think

Users & Permissions Plugin > Roles > Authenticated does not recognize plugin::foo.bar either.

It seems that API and Role permissions only recognize content types with routes. It seems fair that the permissions for plugin::foo.bar cannot be configured because it does not have the associated routes, but then I’m starting to wonder why it allows population with Full Access and Read-only API tokens in the first place. Why is it possible for these types of API tokens to populate it despite there are no routes for it?

1 Like

find needs to be enabled as a protection of populating stuff while you should not be allowed to I agree with your opinion that this should be done diffrently