Ctx.state.user undefined in context policy custom plugin

System Information
  • Strapi Version: 3.6.2
  • Operating System: Ubuntu 20.04
  • Database: Mysql
  • Node Version: 12.19
  • NPM Version: 6.14.11
  • Yarn Version: 1.22.5


I’m trying to make a POST request from a component in my custom plugin. I defined the route, the controller, the service and the policy I want this request to send to. But I’m struggling with my policy because I want this request to be executed only if you are an administrator and I’m getting

error TypeError: Cannot read property 'role' of undefined

So I cannot get the user in the policy context. Based on the example on Strapi documentation, here is my policy

plugins/dataImport/config/policies/isAdmin.js :

module.exports = async (ctx, next) => {
    if (ctx.state.user.role.name === 'Administrator') {
      // Go to next policy or will reach the controller's action.
      return await next();
    ctx.unauthorized(`You're not allowed to perform this action!`);

Here is my plugin routes :

  "routes": [
      "method": "GET",
      "path": "/",
      "handler": "data-import.index",
      "config": {
        "policies": []
      "method": "POST",
      "path": "/import",
      "handler": "data-import.import",
      "config": {
        "policies": ["isAdmin"]

And here is my React component (in the plugin) :
import React, { Component } from “react”;
import axios from “axios”;

class DataImportForm extends Component {

    constructor(props) {

    handleChange = (event) => {
        axios.post("/data-import/import").then((response) => {

    render() {
        return (
            <form onSubmit={this.handleChange}>
                <button type="submit" class="btn btn-primary hxsPO">Import data</button>

export default DataImportForm;

Thank you for you help.

Do you want to allow only Strapi Admins or you are refering to User-permissions plugin?

Only Strapi Admins

Then you can use the admin::hasPermissions policy, which checks if you are logged-in as admin in the Strapi’s UI.

An example of policy applied to a custom route:

  "routes": [
      "method": "POST",
      "path": "/email-send",
      "handler": "email-send.send",
      "config": {
        "policies": [["admin::hasPermissions", ["plugins::email-connector.send"]]]

Also, if you want to make a request to the API with the Authorization header from Strapi’s UI in react, then you can use the request module which is offered by the strapi-helper-plugin module.
Example of http request from Strapi’s Admin to a custom route:

import { request } from 'strapi-helper-plugin';

request('/email-send', { 
        method: 'POST',
        body: {
          email: email

This module includes the Authorization header automatically.

1 Like


It worked. And then, I don’t know what I did, maybe rebuild the Admin UI. But I get a 403 Forbidden even with my token.
I tried to set role permissions to my route :

  • When I authorized Authenticated user with or without “isauthenticated”, I get 403 Forbidden (with my jwt admin token in the header)
  • When I authorized Public user with “isauthenticated” advanced settings, I get 403 Forbidden (with my jwt admin token in the header), and 401 Unauthorized.
  • When I authorize Public user without “isauthenticated”, it’s even worse. I can POST when my jwt is not in the header, but I get 403 forbidden when my jwt is in the header.

My code hasn’t changed since my first question, i just add the solution which worked at first, then I don’t know what happened.

Well, I just set the policies to default and it works as I expected, only for admin. I don’t get it