Strapi Version: 3.2.4
Operating System: macOS High Sierra 10.13.6
Database: SQLite 5.0.0, PostgreSQL 8.4.1
Node Version: 12.18.4
NPM Version: >=6.0.0
Yarn Version: 1.22.4
I’m making a blogging platform system that has 3 models:
User has many
User has many
Posts has and belongs to many Goals (many-to-many, because I can write many different posts about 1 goal, and 1 post can be categorized under a few goals)
The concept is that a User has many Goals set out to be achieved, and can categorize the Posts he writes under various Goals. But only the User can use his own Goals to categorize his Posts. I did a POST request to the Posts endpoint, but found that User2 can use User1's Goals, even though the authorization header is using
Why is that? Did I do something wrong to the model relations? Is it due to the many-to-many relation between
That happens because you got the Posts with Goals; in that case Goals don’t care if they are related to User or not (since they do not include any information about the user; as you use one-to-many, only Users contain information about Goals, and not vice versa). You should write some complex custom controllers/queries and verify if Users are in the relation with the current goals list before getting the data or before updating the data.
So when you are getting the posts + goals, you should check if user has relation with these returned goals, if not, then exclude it.
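The ownership check described in the reply above, sketched as a Strapi v3 custom `create` action. This is an added example, not code from the thread or from Strapi. The model names `goal` and `post`, the relation fields `goals` and `user`, and the helpers `foreignGoalIds`, `makeCreate`, `fakeStrapi` and `demoCreate` are assumptions made for illustration.

```javascript
// Assumed names (not from the thread): models 'goal' and 'post', relation
// fields post.goals, goal.user (owner) and post.user (author).

// Return the requested goal ids that the caller does NOT own.
async function foreignGoalIds(strapi, userId, goalIds) {
  const ids = [...new Set([].concat(goalIds || []).map(String))];
  if (ids.length === 0) return [];
  // Fetch only goals that match the requested ids AND belong to the caller.
  const owned = await strapi
    .query('goal')
    .find({ id_in: ids, user: userId, _limit: ids.length });
  const ownedIds = new Set(owned.map((g) => String(g.id)));
  return ids.filter((id) => !ownedIds.has(id));
}

// Builds the `create` action for api/post/controllers/post.js (POST /posts).
function makeCreate(strapi) {
  return async function create(ctx) {
    const user = ctx.state.user; // populated by users-permissions from the JWT
    if (!user) return ctx.unauthorized('Login required');
    const body = ctx.request.body || {};
    const foreign = await foreignGoalIds(strapi, user.id, body.goals);
    if (foreign.length > 0) {
      return ctx.forbidden(`Goals not owned by caller: ${foreign.join(', ')}`);
    }
    // Pin the author to the caller instead of trusting a client-sent user id.
    return strapi.services.post.create({ ...body, user: user.id });
  };
}

// Constructed in-memory stand-in for the Strapi instance, so this runs offline.
function fakeStrapi(goals) {
  const posts = [];
  const find = async ({ id_in, user }) =>
    goals.filter((g) => id_in.includes(String(g.id)) && g.user === user);
  const create = async (data) => (posts.push(data), data);
  return { posts, query: () => ({ find }), services: { post: { create } } };
}

// Constructed request: user `userId` posts with the given goal ids.
async function demoCreate(strapi, userId, goals) {
  const ctx = {
    state: { user: userId ? { id: userId } : null },
    request: { body: { title: 'demo', goals, user: 1 } },
    forbidden: (message) => ({ status: 403, message }),
    unauthorized: (message) => ({ status: 401, message }),
  };
  return makeCreate(strapi)(ctx);
}
```

The same check belongs in the `update` action, since a PUT that changes the goals relation reaches it the same way.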
Nice, thanks for the tips Sunny!
Do you think there’s a way where I can simply change the models for Posts--Goals to get the effect I want?
Another possible solution I’m thinking is if I can just ensure that the user can only select from a drop-down list of his own Goals using a GET request to his Goals to populate the choices, rather than an open input field - what do you think?
Hey Sunny, I wonder if this tutorial (which you just shared in another forum post) is the answer to my questions?
To restrict content editing of Authors only. What do you think?