Agreed, relation population and find API permissions should be handled separately but aren’t right now.
What I did was create a custom policy:
// /src/policies/prevent-direct-access.js
const { PolicyError } = require('@strapi/utils/lib/errors');

// Global policy: deny every request that reaches a route it is attached to.
// Relation population does not go through the router, so it is unaffected.
module.exports = (ctx /*, config, { strapi } */) => {
  throw new PolicyError(`Direct access to ${ctx.routerPath} is forbidden`, {
    policy: 'prevent-direct-access',
  });
};
And if there is a find route that I want to prevent from being accessed directly, but need to enable for population, I configure it like so:
// /src/api/category/routes/category.js
const { createCoreRouter } = require('@strapi/strapi').factories;

module.exports = createCoreRouter('api::category.category', {
  // Register only the find route; no other core routes exist for this type.
  only: ['find'],
  config: {
    find: {
      // Direct GET requests are rejected by the global policy above.
      policies: ['global::prevent-direct-access'],
    },
  },
});
Documentation: