Filttering by user correctly in Strapi 4.13+

I have a very common scenario with a Collection type “Note” which has a text field and a relation to a User from users-permissions. The user should only be able to retrieve his own notes, and not the notes of other users, also no information about other users should be accessible.

Before Strapi 4.13, this simple trick in a controller would work:

find(ctx){
    ctx.query.filters = { ...(ctx.query.filters as any), user: ctx.state.user.id };
    return super.find(ctx);
}

As I understand, in newer versions of Strapi, filtering by the field not directly accessible by user is forbidden, and this code would produce the error “Invalid parameter user”. It would only work if explicitly checking User:find() permission, and I only want to check User:me().

What would be the correct way to implement this function in Strapi 4.13+? Should I use Entity API or DB API?

Same issue here

The senatization is happening on the controler layer that means if you where to do this in the service instead of in the controler this should be fine.

I managed to make it work somehow:

async find(ctx) {
    await this.validateQuery(ctx);
    let sanitizedQueryParams = await this.sanitizeQuery(ctx);
    sanitizedQueryParams.filters.$and = [...sanitizedQueryParams.filters.$and, { user: { id: ctx.state.user.id } }]
    const { results, pagination } = await strapi.service('api::yourservicename').find(sanitizedQueryParams);
    const sanitizedResults = await this.sanitizeOutput(results, ctx);
    return this.transformResponse(sanitizedResults, { pagination });
  },

You could just have done it on the service instead of the controller.

Hi, Does anyone know how to acheive this for media library.
Is there any way to add new key to fileinfo object in media library image upload, so that i can perform this filter?