System Information
- Strapi Version: 4.8.2
- Operating System: Mac
- Database: Postgres
- Node Version: 16.18
- Yarn Version: 1.22.19
Hi,
Goal:
I am trying to create a middleware that allows me to put two restrictions in place:
a) Only allow users who are the creators of a content entry to edit it (e.g. the author of a comment).
b) Public users should only see 5 results for nested content (e.g. see only 5 comments for a blog post out of 30 comments). Authorised users should be able to see all.
Context:
- The content may be nested (e.g. posts have comments nested below)
- This is about the Users & Permissions plugin, not admin users.
- All is done in GraphQL, not with Rest APIs
Current approach:
In the middleware I execute the following code:
export default async (resolve, parent, args, context, info) => {
  // run the wrapped resolver first and unwrap its response
  const res = await resolve(parent, args, context, info)
  const {value, ...rest} = res
  const val = await value
  // conditions:
  // only allow users who are creator of the content to edit it
  // do manipulation (e.g. limit results)
  return {...rest, value: val}
}
Issue with the approach:
The val variable only contains the upper-level content (e.g. Post), but the nested content is missing (e.g. repeatable components such as comments and relational data such as users).
Questions:
- What would be the best way to achieve this? Can I get access to nested content? Where else would I be able to implement these rules?
- Can I only control the actions “Query” and “Mutation”, or also “findOne”, “findMany”, etc.?
- Bonus question: is there a nice way to type middleware with TypeScript?
Other tested approaches:
- Manipulating the resolver → I think this could work. But I would have to rewrite every resolver which seems wrong
- Using policies → they seem not to give access to the resolver
- Using admin users and, with that, the option for conditions and advanced RBAC → I don’t think that content (Posts, Comments) can be created via GraphQL as an admin user. I also don’t think this is how it would be intended.
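The two rules from the post, sketched as an added example that is neither the poster's code nor Strapi's own API: two generic resolver middlewares with the same (resolve, parent, args, context, info) signature. It assumes the authenticated user is exposed at context.state.user, that the edit mutation receives the target id in args.id, that the caller supplies a loadOwnerId(id) function and the names of the nested array fields, and that the nested list is present on the resolved value; all of these are assumptions, not findings from the post.

```javascript
// Added example, not code from the original post or from Strapi itself.
// Assumptions (not established by the post): the authenticated user is at
// context.state.user, the edit mutation receives the target id in args.id,
// and the caller passes loadOwnerId(id), which returns the stored record's
// owner id from wherever the project keeps it.
const PUBLIC_NESTED_LIMIT = 5;

// Rule a): only the creator may edit. The owner is read from storage, never
// from the client's arguments, and the wrapped resolver runs only after the
// check passes, so a mismatched or anonymous caller never reaches it.
function ownerOnly(loadOwnerId) {
  return async (resolve, parent, args, context, info) => {
    const user = context.state && context.state.user;
    if (!user) throw new Error('Forbidden: authentication required');
    const ownerId = await loadOwnerId(args.id);
    if (ownerId === undefined || String(ownerId) !== String(user.id)) {
      throw new Error('Forbidden: only the creator may edit this entry');
    }
    return resolve(parent, args, context, info);
  };
}

// Rule b): anonymous callers see at most PUBLIC_NESTED_LIMIT items of each
// listed nested field; authenticated users get the resolver's result as-is.
// Assumes the { value, ...rest } shape from the post, with `value` possibly
// a promise, and that the nested list is an array field on that value.
function limitNestedForPublic(nestedFields) {
  return async (resolve, parent, args, context, info) => {
    const res = await resolve(parent, args, context, info);
    if (context.state && context.state.user) return res;
    const { value, ...rest } = res;
    const val = await value;
    if (!val || typeof val !== 'object') return res;
    const trimmed = { ...val };
    for (const field of nestedFields) {
      if (Array.isArray(trimmed[field])) {
        trimmed[field] = trimmed[field].slice(0, PUBLIC_NESTED_LIMIT);
      }
    }
    return { ...rest, value: trimmed };
  };
}
```

Because ownerOnly decides before calling resolve, the deny path never touches the database write, and the owner comparison uses server-side state rather than anything the client sent.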