Cannot populate content types from plugin with "Custom" API token?

Hello!

I’m writing a Strapi plugin that adds a content type (say, plugin::foo.bar). I also have a content type (say, api::page.page) with a one-to-one relation field (say, fooBar) to plugin::foo.bar.

If I use an API token with “Full Access” or “Read-only” token type, with the ?populate=fooBar query, I can get the entries of api::page.page with the associated plugin::foo.bar entry in the fooBar field. However, if I use an API token with “Custom” token type, which permits read access (find and findOne) to api::page.page, the ?populate=fooBar query does not work and the response is missing the fooBar field.

My guess is that it needs an explicit permission to get plugin::foo.bar entries when I’m using “Custom” token type, but it does not appear in the permission settings.

How can I fix this? Thanks in advance!

You need to enable find permission in users-permissions I think

Users & Permissions Plugin > Roles > Authenticated does not recognize plugin::foo.bar either.

It seems that API and Role permissions only recognize content types with routes. It seems fair that the permissions for plugin::foo.bar cannot be configured because it does not have the associated routes, but then I’m starting to wonder why it allows population with Full Access and Read-only API tokens in the first place. Why is it possible for these types of API tokens to populate it despite there are no routes for it?

find needs to be enabled as a protection of populating stuff while you should not be allowed to I agree with your opinion that this should be done diffrently