I have a very common scenario with a Collection type “Note” which has a text field and a relation to a User from users-permissions. The user should only be able to retrieve his own notes, and not the notes of other users; also, no information about other users should be accessible.
Before Strapi 4.13, this simple trick in a controller would work:
As I understand, in newer versions of Strapi, filtering by a field not directly accessible by the user is forbidden, and this code would produce the error “Invalid parameter user”. It would only work if explicitly checking User:find() permission, and I only want to check User:me().
What would be the correct way to implement this function in Strapi 4.13+? Should I use Entity API or DB API?
The sanitization is happening on the controller layer, which means that if you were to do this in the service instead of in the controller, this should be fine.
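An added example (not code from this thread or from Strapi) of the approach suggested above: the owner condition is built server-side from `ctx.state.user` and passed to `strapi.entityService.findMany`, so a client-supplied `filters[user]` is never used. The UID `api::note.note`, the relation name `user`, the function names and the in-memory stub standing in for Strapi are assumptions.

```javascript
const NOTE_UID = 'api::note.note'; // assumed UID of the "Note" collection type
const ALLOWED_FILTER_KEYS = new Set(['text']); // client may filter on these only

// Build entityService params: the owner condition comes from the session,
// never from the request, and is AND-ed with any whitelisted client filter.
function buildOwnerQuery(user, query = {}) {
  const client = Object.fromEntries(
    Object.entries(query.filters || {}).filter(([k]) => ALLOWED_FILTER_KEYS.has(k)));
  const and = [{ user: { id: user.id } }];
  if (Object.keys(client).length > 0) and.push(client);
  // No populate: the user relation is never returned to the caller.
  return { filters: { $and: and }, fields: ['id', 'text'] };
}

// Hypothetical handler body; in a project this logic would live in the Note
// service and be called from the controller's find action.
async function findOwnNotes(strapi, ctx) {
  const user = ctx.state && ctx.state.user; // set by users-permissions after auth
  if (!user) return { status: 401, data: [] };
  const data = await strapi.entityService.findMany(NOTE_UID, buildOwnerQuery(user, ctx.query));
  return { status: 200, data };
}

// Constructed in-memory stand-in for strapi.entityService, for running the example.
function makeStubStrapi(rows) {
  const matches = (row, cond) => Object.entries(cond).every(([key, val]) =>
    key === 'user'
      ? row.user.id === val.id
      : String(row[key]).toLowerCase().includes(String(val.$containsi).toLowerCase()));
  return { entityService: { async findMany(uid, { filters, fields }) {
    return rows
      .filter((row) => filters.$and.every((cond) => matches(row, cond)))
      .map((row) => Object.fromEntries(fields.map((f) => [f, row[f]])));
  } } };
}

// Constructed sample data: two notes for user 1, one for user 2.
const SAMPLE_NOTES = [
  { id: 1, text: 'Buy milk', user: { id: 1, email: 'a@example.test' } },
  { id: 2, text: 'Call bank', user: { id: 1, email: 'a@example.test' } },
  { id: 3, text: 'Buy stamps', user: { id: 2, email: 'b@example.test' } },
];
```
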
Hi, does anyone know how to achieve this for the media library?
Is there any way to add a new key to the fileinfo object in media library image upload, so that I can perform this filter?