Field Level access based on role

Where should we implement business logic to restrict field access to specific user roles?

We started using collection type policies and adding some filters based on user roles and field names, with some issues:

  • Populated collection types were ignored. We are now iterating over the entire data object to detect collection type fields, but this doesn’t seem to be very performant

  • It doesn’t seem very smart to change all API routes of each collection type. We would prefer a more global way.

Is there a way to just add a filter function that checks each query and blocks the fields that the user doesn’t have access to? Maybe iterate over the query?

Do you want to do this for the admin or the API?

If in the admin, you have RBAC.

If you are talking about the API, you have users and permissions. If that is not good enough you can try Protected Populate | Strapi Market on top of U&P.

For the API. Thanks! This plugin seems to be in development, but maybe it will help us!

But aren’t there some best practices to restrict users when accessing field level?
I can’t imagine that the goal is to represent this via Collection Types.

The plugin is made by me and is stable. It is the only thing that gives you field level controls over the API through a UI, sadly enough. You can do it programmatically with policies, which is what the plugin does behind the scenes. How to build a Secure Web App with Strapi Policies
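As an added illustration of the "do it programmatically" approach (this is not the plugin's code nor Strapi's, and the policy table, role names and sample record are all constructed), the function below strips fields a role may not read from an API response, recursing into populated relations so that a populated `author` is filtered with the `user` rules rather than passed through untouched. Unknown content types and unknown roles fail closed to the `public` allow-list. Hooking it into a Strapi route middleware is left as a comment because the response envelope differs between Strapi versions.

```javascript
// Added example: role-based field filtering applied to API response data,
// including populated relations. Policy table, roles and sample data are
// constructed for this example; adapt them to your own content types.

// Per-content-type allow-list of readable fields for each role.
// `relations` maps a relation field to the content type it points to, so
// populated data is filtered with that type's own rules.
const FIELD_POLICY = {
  article: {
    relations: { author: 'user' },
    public: ['id', 'title', 'body', 'author'],
    editor: ['id', 'title', 'body', 'draftNotes', 'author'],
  },
  user: {
    relations: {},
    public: ['id', 'username'],
    editor: ['id', 'username', 'email'],
  },
};

// Fields a role may read on a content type. Unknown type => nothing (fail closed);
// unknown role => the public allow-list.
function allowedFields(contentType, role) {
  const policy = FIELD_POLICY[contentType];
  if (!policy) return [];
  return policy[role] || policy.public || [];
}

// Recursively drop every field the role may not read. Arrays (collection
// responses, many-to-many populates) are filtered element by element.
function filterEntity(entity, contentType, role) {
  if (entity === null || typeof entity !== 'object') return entity;
  if (Array.isArray(entity)) {
    return entity.map((item) => filterEntity(item, contentType, role));
  }
  const allow = new Set(allowedFields(contentType, role));
  const relations = (FIELD_POLICY[contentType] || {}).relations || {};
  const out = {};
  for (const [key, value] of Object.entries(entity)) {
    if (!allow.has(key)) continue; // not readable by this role: drop it
    out[key] = key in relations
      ? filterEntity(value, relations[key], role) // populated relation: apply its type's rules
      : value;
  }
  return out;
}

// Constructed sample record as a REST handler might return it, with a
// populated author and two fields no public caller should ever see.
const SAMPLE_ARTICLE = {
  id: 1,
  title: 'Hello',
  body: 'Article body',
  draftNotes: 'internal only',
  secretScore: 9,
  author: { id: 7, username: 'alice', email: 'alice@example.com', passwordHash: 'REDACTED' },
};

// Assumed wiring as a Strapi v4 route middleware (shape of ctx.body varies by
// version, so treat this as a sketch, not a drop-in):
//
// module.exports = (config, { strapi }) => async (ctx, next) => {
//   await next(); // let the controller build the response first
//   const role = ctx.state.user?.role?.type ?? 'public';
//   ctx.body.data = filterEntity(ctx.body.data, config.contentType, role);
// };

console.log(JSON.stringify(filterEntity(SAMPLE_ARTICLE, 'article', 'public')));
console.log(JSON.stringify(filterEntity(SAMPLE_ARTICLE, 'article', 'editor')));
```

Filtering the response rather than the incoming query means the result is safe no matter how `fields` or `populate` were phrased by the caller, which is the "global" behaviour asked for above; the cost is one pass over the returned data, scoped to the keys actually present rather than a scan of the whole object tree.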

That helps us a lot. Thank you very much!