It seems that when GraphQL is enabled, any authenticated user can fetch all the data in the system without a filter. And since data ownership is still a workaround, not a built-in feature, how do you cope with it, or what are the best practices for data ownership for both REST and GraphQL?
1 Like
I was able to restrict users from creating/updating/deleting records they don't own using policies in v4.
Example code to stop a user from creating an entry on another user's behalf:
```js
// path: ./src/index.js
module.exports = {
  register({ strapi }) {
    const extensionService = strapi.plugin("graphql").service("extension");
    extensionService.use({
      resolversConfig: {
        // Policy on the create mutation: it runs before the resolver and the
        // request is rejected when it returns false.
        "Mutation.createAuthorProfile": {
          policies: [
            async (context) => {
              // Authenticated user from the JWT; undefined for public requests,
              // so use optional chaining instead of throwing a 500.
              const loggedInUserId = context.state.user?.id;
              // Owner relation supplied in the mutation input.
              const targetedUserId = context.args.data.users_permissions_user;
              // Loose equality on purpose: GraphQL IDs arrive as strings.
              return loggedInUserId !== undefined && loggedInUserId == targetedUserId;
            },
          ],
        },
      },
    });
  },
};
```
1 Like
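Extending the answer above to reads and to update/delete, as an added example that is not part of the original post: the query side uses a `resolversConfig` middleware that ANDs the caller's id into `filters`, and the mutation side loads the entry's owner before comparing. It assumes Strapi v4's `middlewares` entry in `resolversConfig` and `strapi.entityService.findOne`; the content UID `api::author-profile.author-profile` and the `sampleLoadOwnerId` data are assumed/constructed.

```javascript
// Added example, not from the original post: ownership helpers for Strapi v4
// GraphQL resolversConfig. Type and field names follow the post; the Strapi
// wiring in buildResolversConfig() is an assumption about the v4 API.

// Middleware for list queries: ANDs the caller's own id into `filters`, so a
// user can only read entries they own, whatever filters the client sent.
function ownerFilterMiddleware(ownerField) {
  return async (next, parent, args, context, info) => {
    const userId = context.state?.user?.id;
    if (userId === undefined) throw new Error("Forbidden");
    const ownerClause = { [ownerField]: { id: { eq: userId } } };
    const scopedArgs = { ...args, filters: { and: [args.filters ?? {}, ownerClause] } };
    return next(parent, scopedArgs, context, info);
  };
}

// Policy for update/delete mutations: load the targeted entry's owner and
// compare it with the logged-in user. loadOwnerId(id) is injected so the
// check runs offline here; in Strapi it wraps entityService.findOne.
function ownerOnlyPolicy(loadOwnerId) {
  return async (context) => {
    const userId = context.state?.user?.id;
    if (userId === undefined) return false;
    const ownerId = await loadOwnerId(context.args.id);
    // Compare as strings: GraphQL IDs are strings, database ids are numbers.
    return ownerId !== undefined && String(ownerId) === String(userId);
  };
}

// Constructed sample data standing in for the author_profile table.
const sampleProfiles = { "1": { ownerId: 7 }, "2": { ownerId: 9 } };
const sampleLoadOwnerId = async (id) => sampleProfiles[String(id)]?.ownerId;

// Assumed Strapi v4 wiring (the content UID is an assumption); pass the
// returned object as `resolversConfig` in extensionService.use({...}).
function buildResolversConfig(strapi) {
  const uid = "api::author-profile.author-profile";
  const loadOwnerId = async (id) =>
    (await strapi.entityService.findOne(uid, id, { populate: ["users_permissions_user"] }))
      ?.users_permissions_user?.id;
  return {
    "Query.authorProfiles": { middlewares: [ownerFilterMiddleware("users_permissions_user")] },
    "Mutation.updateAuthorProfile": { policies: [ownerOnlyPolicy(loadOwnerId)] },
    "Mutation.deleteAuthorProfile": { policies: [ownerOnlyPolicy(loadOwnerId)] },
  };
}
```

Note that a policy can only allow or deny a whole request, which is why the read side needs a middleware to rewrite `args` rather than a policy.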