- Strapi Version: 4.1.7
- Operating System: macOS
- Database: postgress
- Node Version: 14.17.4
- NPM Version: 6.14.14
- Yarn Version: 1.22.17
I’m building an e-commerce site and need to restrict access to one particular data collection ( ‘orders’ ) so that a front-end user can only see orders which they have placed. Currently my orders data collection contains some JSON fields which include personal info (name, phone, email, address), which my front-end needs access, but of course, only for that particular user.
The ‘orders’ data collection has a users_permissions_user relation field (user has many orders).
A user can be authenticated or public.
What’s critical to avoid is a having a public or authenticated user simply querying the api (from url/?query-string or say postman GET) with a random order id and seeing all the fields populated(!)
First step I enabled public and authenticated role access to ‘orders’ for find, findOne, findMany etc
I’m thinking to modify/override the find(), findOne(), findMany()… etc controllers to only return/control data for that user ( but not sure what to do with public user - maybe have some unique user-key in local storage which can be saved in the order instead of userID? - so it’s good for that session just to retrieve a new order data for display, confirmation etc)
Does this sound ‘hacky’? Is there a better way using middlewares, services or something else?
Thanks very much!