How to configure Roles Admin Editor

Hi Guys,

I’m trying to configure some permissions.

I have to do the following configuration.

I have to have a Super Admin who will have access to everything.
An Admin Client profile in which he will only have access to the roles he creates and access to the user list he creates

What I managed to do was create the Client Admin profile, but he has access to the list of all roles and users, the idea here is that he does not have access to the Super Admin role or to roles that other Client Admins have created, just roles and user that he created himself.

I tried the settings to display only data that it created, but it hasn’t had any effect, I also tried to create a middleware and without much progress, I would like some light on what I need. Thanks

I created this structure:

api/
└── user-permissions/
└── config/
└── routes.json
└── controllers/
└── role.js
└── user.js
└── policies/
└── isSuperAdminOrClientSuperAdmin.js
└── models/
└── role.settings.json

routes.json

{
  "routes": [
    {
      "method": "GET",
      "path": "/roles",
      "handler": "role.find",
      "config": {
        "policies": ["global::isSuperAdminOrClientSuperAdmin"]
      }
    },
    {
      "method": "POST",
      "path": "/roles",
      "handler": "role.create",
      "config": {
        "policies": ["global::isSuperAdminOrClientSuperAdmin"]
      }
    },
    {
      "method": "GET",
      "path": "/users",
      "handler": "user.find",
      "config": {
        "policies": ["global::isSuperAdminOrClientSuperAdmin"]
      }
    },
    {
      "method": "POST",
      "path": "/users",
      "handler": "user.create",
      "config": {
        "policies": ["global::isSuperAdminOrClientSuperAdmin"]
      }
    }
  ]
}

role.js

'use strict';

const { sanitize } = require('@strapi/utils');

module.exports = {
  async find(ctx) {
    const { user } = ctx.state;
    console.log('Current User in find roles:', user);

    let roles;
    if (user.role.name === 'Super Admin') {
      roles = await strapi.query('plugin::users-permissions.role').findMany();
    } else if (user.role.name === 'Client Super Admin') {
      roles = await strapi.query('plugin::users-permissions.role').findMany({
        where: { type: 'client-super-admin' },
      });
    } else {
      return ctx.forbidden('Você não tem permissão para visualizar roles.');
    }

    const schema = strapi.getModel('plugin::users-permissions.role');
    console.log('Roles found:', roles);
    return await sanitize.contentAPI.output(roles, schema);
  },

  async create(ctx) {
    const { user } = ctx.state;
    console.log('Current User in create roles:', user);

    let role;
    if (user.role.name === 'Super Admin') {
      role = await strapi.query('plugin::users-permissions.role').create({
        data: ctx.request.body,
      });
    } else if (user.role.name === 'Client Super Admin') {
      role = await strapi.query('plugin::users-permissions.role').create({
        data: {
          ...ctx.request.body,
          type: 'client-super-admin',
        },
      });
    } else {
      return ctx.forbidden('Você não tem permissão para criar roles.');
    }

    const schema = strapi.getModel('plugin::users-permissions.role');
    console.log('Role created:', role);
    return await sanitize.contentAPI.output(role, schema);
  },
};

user.js

'use strict';

const { sanitize } = require('@strapi/utils');

module.exports = {
  async find(ctx) {
    const { user } = ctx.state;
    console.log('Current User in find users:', user);

    let users;
    if (user.role.name === 'Super Admin') {
      users = await strapi.query('plugin::users-permissions.user').findMany();
    } else if (user.role.name === 'Client Super Admin') {
      users = await strapi.query('plugin::users-permissions.user').findMany({
        where: { role: { type: 'client-super-admin' } },
      });
    } else {
      return ctx.forbidden('Você não tem permissão para visualizar usuários.');
    }

    const schema = strapi.getModel('plugin::users-permissions.user');
    console.log('Users found:', users);
    return await sanitize.contentAPI.output(users, schema);
  },

  async create(ctx) {
    const { user } = ctx.state;
    console.log('Current User in create users:', user);

    let newUser;
    if (user.role.name === 'Super Admin') {
      newUser = await strapi.query('plugin::users-permissions.user').create({
        data: ctx.request.body,
      });
    } else if (user.role.name === 'Client Super Admin') {
      newUser = await strapi.query('plugin::users-permissions.user').create({
        data: {
          ...ctx.request.body,
          role: 'client-super-admin',
        },
      });
    } else {
      return ctx.forbidden('Você não tem permissão para criar usuários.');
    }

    const schema = strapi.getModel('plugin::users-permissions.user');
    console.log('User created:', newUser);
    return await sanitize.contentAPI.output(newUser, schema);
  },
};

isSuperAdminOrClientSuperAdmin.js

module.exports = async (ctx, next) => {
  const { user } = ctx.state;
  if (!user || !['Super Admin', 'Client Super Admin'].includes(user.role.name)) {
    return ctx.forbidden('Você não tem permissão para acessar esta rota.');
  }
  await next();
};

role.settings.json

{
  "kind": "collectionType",
  "collectionName": "up_roles",
  "info": {
    "singularName": "role",
    "pluralName": "roles",
    "displayName": "Role",
    "description": ""
  },
  "options": {
    "draftAndPublish": false,
    "timestamps": true
  },
  "attributes": {
    "name": {
      "type": "string",
      "required": true,
      "unique": true
    },
    "description": {
      "type": "string"
    },
    "type": {
      "type": "string",
      "default": "default"
    },
    "permissions": {
      "type": "relation",
      "relation": "manyToMany",
      "target": "plugin::users-permissions.permission",
      "mappedBy": "roles"
    },
    "users": {
      "type": "relation",
      "relation": "manyToMany",
      "target": "plugin::users-permissions.user",
      "inversedBy": "roles"
    },
    "created_by": {
      "type": "relation",
      "relation": "manyToOne",
      "target": "plugin::users-permissions.user"
    }
  }
}

However, this structure is not working, I don’t know if I’m doing something wrong.