Data ownership policies and GraphQL

It seems that when GraphQL is enabled, any authenticated user can fetch all the data in the system without a filter. And since data ownership is still a workaround, not an inbuilt feature, how do you cope with data ownership (or what are the best practices) for both REST and GraphQL?


I was able to restrict the users from creating/updating/deleting records they don’t own using policies in v4.

Example code to restrict a user from creating an entry on another's behalf.

// path: ./src/index.js

module.exports = {
  register({ strapi }) {
    const extensionService = strapi.plugin("graphql").service("extension");

    extensionService.use({
      resolversConfig: {
        "Mutation.createAuthorProfile": {
          policies: [
            async (context) => {
              // Assumed (not shown in the original post): the authenticated
              // user is exposed on the GraphQL policy context as context.state.user
              const loggedInUserId = context.state.user.id;

              // Assumed: the `user` relation of the new entry arrives in the
              // mutation's `data` argument
              const targetedUserId = context.args.data.user;

              // loose equality on purpose: GraphQL IDs are strings, DB ids are numbers
              return loggedInUserId == targetedUserId;
            },
          ],
        },
      },
    });
  },
};
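The post above only covers create; update and delete need the stored entry's owner, not the mutation arguments, to decide. The following is an added example, not code from the original post and not Strapi's own code: one reusable ownership policy for Strapi v4 GraphQL `resolversConfig` entries that handles create, update and delete, fails closed for anonymous callers and unknown ids, and refuses an update that would reassign the entry to another user. It assumes the Strapi v4 GraphQL policy-context shape (`context.state.user`, `context.args` with `data` and `id`), an owner relation field named `user`, a content-type UID `api::author-profile.author-profile`, and a caller-supplied `findEntry(id)` so it runs offline against a constructed in-memory store.

```javascript
// Added example (not from the original post or from Strapi): a reusable
// ownership policy for Strapi v4 GraphQL `resolversConfig` entries.
//
// Assumptions (not stated on the page):
//  - the policy receives a Strapi v4 GraphQL policy context with
//    context.state.user (the authenticated user) and context.args
//    (resolver arguments: `data` for create/update, `id` for update/delete);
//  - the content type links to its owner through a relation field named `user`;
//  - `findEntry(id)` is supplied by the caller (in Strapi it would wrap
//    strapi.entityService.findOne) so this file runs offline on the sample store.

// Relations arrive either as a bare id or as a populated object { id }.
// GraphQL `ID` values are strings while database ids are numbers, so
// everything is compared as a string.
function relationId(value) {
  if (value && typeof value === "object") return String(value.id);
  return value === undefined || value === null ? undefined : String(value);
}

function makeOwnershipPolicy({ ownerField = "user", findEntry }) {
  return async (context) => {
    const user = context.state && context.state.user;
    if (!user) return false; // fail closed: unauthenticated callers never pass

    const me = String(user.id);
    const args = context.args || {};
    const data = args.data || {};

    if (args.id !== undefined) {
      // update / delete: the stored entry, not the request, says who owns it
      const entry = await findEntry(args.id);
      if (!entry) return false; // unknown id: deny, do not reveal existence
      if (relationId(entry[ownerField]) !== me) return false;
      // an update may not hand the entry over to another user
      if (ownerField in data && relationId(data[ownerField]) !== me) return false;
      return true;
    }

    // create: the entry must be created in the caller's own name
    return relationId(data[ownerField]) === me;
  };
}

// Constructed sample data standing in for the database.
const SAMPLE_ENTRIES = {
  "1": { id: 1, title: "mine", user: 7 },
  "2": { id: 2, title: "theirs", user: { id: 9 } },
};
const findSampleEntry = async (id) => SAMPLE_ENTRIES[String(id)];

// Builds a policy context the way the GraphQL plugin would (assumed shape).
function policyContext(userId, args) {
  return { state: { user: userId ? { id: userId } : null }, args };
}

// Runs the policy over representative mutations; returns a map of outcomes.
async function demo() {
  const isOwner = makeOwnershipPolicy({ findEntry: findSampleEntry });
  return {
    createForSelf: await isOwner(policyContext(7, { data: { user: "7" } })),
    createForOther: await isOwner(policyContext(7, { data: { user: "9" } })),
    createNoOwner: await isOwner(policyContext(7, { data: { title: "x" } })),
    updateOwn: await isOwner(policyContext(7, { id: "1", data: { title: "y" } })),
    updateOthers: await isOwner(policyContext(7, { id: "2", data: { title: "y" } })),
    reassignOwn: await isOwner(policyContext(7, { id: "1", data: { user: 9 } })),
    deleteUnknown: await isOwner(policyContext(7, { id: "42" })),
    anonymous: await isOwner(policyContext(null, { id: "1" })),
  };
}

// How it would be wired in ./src/index.js (not executed here; the content-type
// UID and the populate option are assumptions).
function register({ strapi }) {
  const isOwner = makeOwnershipPolicy({
    findEntry: (id) =>
      strapi.entityService.findOne("api::author-profile.author-profile", id, { populate: ["user"] }),
  });
  strapi.plugin("graphql").service("extension").use({
    resolversConfig: {
      "Mutation.createAuthorProfile": { policies: [isOwner] },
      "Mutation.updateAuthorProfile": { policies: [isOwner] },
      "Mutation.deleteAuthorProfile": { policies: [isOwner] },
    },
  });
}

demo().then((result) => console.log(result));
```

The create branch deliberately denies a request that omits the owner field rather than silently filling it in; if you prefer to force-assign the caller as owner, do that in a lifecycle hook or a wrapped resolver, and keep the policy as a pure allow/deny check. Note that this only closes the write side of the question in the thread; reads through `Query.authorProfiles` still need a filter on the owner applied in a wrapped resolver or middleware.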