Data ownership policies and GraphQL

It seems that when GraphQL is enabled, any authenticated user can fetch all the data in the system without a filter. And since Data-ownership is still a workaround, not an inbuilt feature, how do you cope with (or what are the best practices) for data ownership for both REST and GraphQL?

1 Like

I was able to restrict the users from creating/updating/deleting records they don’t own using policies in v4.

Example code to restrict a user to create an entry on another’s behalf.

// path: ./src/index.js

module.exports = {
  register({ strapi }) {
    const extensionService = strapi.plugin("graphql").service("extension");

    extensionService.use({
      resolversConfig: {
        "Mutation.createAuthorProfile": {
          policies: [
            async (context) => {
              const loggedInUserId = context.state.user.id;

              const targetedUserId = context.args.data.users_permissions_user;

              return loggedInUserId == targetedUserId;
            },
          ],
        },
      },
    });
  },
};