How best to limit an API query to return only the specific user's related data - advice please!

System Information
  • Strapi Version: 4.1.7
  • Operating System: macOS
  • Database: Postgres
  • Node Version: 14.17.4
  • NPM Version: 6.14.14
  • Yarn Version: 1.22.17

I’m building an e-commerce site and need to restrict access to one particular data collection (‘orders’) so that a front-end user can only see orders which they have placed. Currently my orders data collection contains some JSON fields which include personal info (name, phone, email, address), which my front-end needs access to, but of course only for that particular user.

The ‘orders’ data collection has a users_permissions_user relation field (user has many orders).

A user can be authenticated or public.

What’s critical to avoid is having a public or authenticated user simply querying the API (from a URL query string or, say, a Postman GET) with a random order ID and seeing all the fields populated (!)

As a first step, I enabled public and authenticated role access to ‘orders’ for find, findOne, findMany, etc.

I’m thinking to modify/override the find(), findOne(), findMany()… etc. controllers to only return/control data for that user (but not sure what to do with a public user - maybe have some unique user key in local storage which can be saved in the order instead of the user ID? - so it’s good for that session just to retrieve the new order’s data for display, confirmation, etc.)

Does this sound ‘hacky’? Is there a better way using middlewares, services or something else?

Thanks very much!


You can use policies or the controller to say that they only get THEIR data depending on ctx.state.user, I believe. At least there is a user object, so if they are authenticating with a JWT, Strapi knows which user it is and you can look that up instead of giving back everything.

You can also use populate to give back X data if it’s nested or involves relationships.
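As an added example (not code from this thread or from Strapi itself), here is a Strapi v4-style orders controller that applies the answer's point: the owner filter is taken from ctx.state.user before anything is returned. The collection UID api::order.order, the entityService call and the filter shape are assumed from Strapi v4 conventions, and strapi.entityService is replaced with an in-memory stand-in so the snippet runs offline.

```javascript
// Example added to this thread (not the poster's or Strapi's code): scoping the
// `orders` find/findOne controllers to ctx.state.user as the answer describes.
// The UID 'api::order.order' and the entityService filter shape follow Strapi v4
// conventions; a small in-memory stand-in replaces strapi.entityService so it runs offline.

const UID = 'api::order.order';

// Constructed sample rows standing in for the orders table (7 and 9 are user ids).
const ORDERS = [
  { id: 1, total: 40, users_permissions_user: { id: 7 }, contact: { email: 'a@example.test' } },
  { id: 2, total: 15, users_permissions_user: { id: 9 }, contact: { email: 'b@example.test' } },
  { id: 3, total: 99, users_permissions_user: { id: 7 }, contact: { email: 'a@example.test' } },
];

// Stand-in for strapi.entityService.findMany, honouring only the filter shape used below.
const entityService = {
  async findMany(uid, { filters }) {
    if (uid !== UID) throw new Error(`unknown uid ${uid}`);
    const owner = filters.users_permissions_user.id.$eq;
    return ORDERS.filter((o) =>
      o.users_permissions_user.id === owner && (!filters.id || o.id === filters.id.$eq));
  },
};

// Shape of a Strapi v4 custom controller (the object you would hand to createCoreController).
function createOrderController(service) {
  // Owner filter comes from the verified JWT user; client-supplied filters on
  // users_permissions_user are never merged in, so a caller cannot widen the query.
  const ownerFilter = (user, extra = {}) => ({ ...extra, users_permissions_user: { id: { $eq: user.id } } });
  const deny = (ctx, status, error) => { ctx.status = status; ctx.body = { error }; };
  return {
    async find(ctx) {
      if (!ctx.state.user) return deny(ctx, 401, 'Authentication required');
      const data = await service.findMany(UID, { filters: ownerFilter(ctx.state.user) });
      ctx.status = 200; ctx.body = { data };
    },
    async findOne(ctx) {
      if (!ctx.state.user) return deny(ctx, 401, 'Authentication required');
      const id = Number(ctx.params.id);
      const [order] = await service.findMany(UID, { filters: ownerFilter(ctx.state.user, { id: { $eq: id } }) });
      // Same 404 for "no such order" and "someone else's order", so probing ids learns nothing.
      if (!order) return deny(ctx, 404, 'Not found');
      ctx.status = 200; ctx.body = { data: order };
    },
  };
}

// Minimal Koa-like context so the controller can be exercised outside Strapi.
const makeCtx = (user, params = {}) => ({ state: { user }, params, query: {}, status: 0, body: undefined });
const orderController = createOrderController(entityService);
```

Inside a real project the same object would be passed to createCoreController('api::order.order', ...) in src/api/order/controllers/order.js, with strapi.entityService in place of the stand-in.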

Thanks. That’s what I’ll do then.