How to make data specific for one user without the others

System Information
  • Strapi Version: 4.0.0
  • Operating System: Windows 10
  • Database: PostgreSQL
  • Node Version: 14.0.0
  • NPM Version: 6
  • Yarn Version: ???

I’m making a multivendor e-commerce website and it was going well until I found this:
When I create a products Content-Type and set the delete permission to authenticated users only, I can delete any product with any user’s JWT.
How can I let a user delete just their own products, without being able to delete the others’?

The best method is either the policies system or the route middlewares system, depending on how you want to handle it.

Using policies, if someone tries to delete (or whatever) something owned by someone else, you can simply reject the request and return an error.

Using the route middlewares, you could modify the request to make it valid (injecting filters, changing filters, etc.), or return an error, depending on the case.

The users-permissions on its own isn’t advanced enough yet to pay attention to ownership or field-level permissions, and it’s those features we want to build natively eventually, but for now that type of complex logic needs to be built by you (admittedly it’s not that complex to build per user’s project, but it’s difficult for us to build generic enough for everyone’s use-case).

2 Likes
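
The policy approach described in the answer above, as an added example that is not part of the original thread and not Strapi's own code. It assumes the product content-type has a relation field named "owner" pointing at the users-permissions user, and that the file lives at src/api/product/policies/is-owner.js; both names are assumptions.

```javascript
'use strict';

// Assumed location: src/api/product/policies/is-owner.js (Strapi v4 layout).
// Assumption: the product content-type has a relation field named "owner"
// that points at the users-permissions user who created the product.
const PRODUCT_UID = 'api::product.product';
const OWNER_FIELD = 'owner';

// Pure ownership check, kept separate from Strapi so it can be unit-tested.
function ownsEntry(entry, user) {
  if (!entry || !user || entry[OWNER_FIELD] == null) return false;
  const owner = entry[OWNER_FIELD];
  // The relation may be populated (object) or a bare id.
  const ownerId = typeof owner === 'object' ? owner.id : owner;
  // Compare as strings: ids can arrive as numbers or as strings.
  return ownerId != null && String(ownerId) === String(user.id);
}

// Strapi v4 policy signature. Returning false rejects the request.
async function isOwner(policyContext, config, { strapi }) {
  const user = policyContext.state.user; // set from the JWT by users-permissions
  const { id } = policyContext.params;   // the :id in DELETE /products/:id
  if (!user || !id) return false;

  const entry = await strapi.entityService.findOne(PRODUCT_UID, id, {
    populate: [OWNER_FIELD],
  });
  // A missing product and someone else's product get the same answer,
  // so the response does not reveal which ids exist.
  return ownsEntry(entry, user);
}

// Guarded so the file also loads where `module` is not defined.
if (typeof module !== 'undefined') module.exports = isOwner;
```

The policy only takes effect once it is listed in the policies of the delete (and update) route configuration for products. The owner field also has to be set on the server from the authenticated user when a product is created, not taken from the request body.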

You are right, it seems easy for the user to build. Can you tell me a specific point to start at (document, file…)?

Well, to generate the templates for policies/middlewares you can use yarn strapi generate or npm run strapi generate

It’s an interactive CLI to build out cookie-cutter templated code.

As for the documentation:

Policies: Policies - Backend customization - Strapi Developer Docs
Middlewares: Backend customization - Middlewares - Strapi Developer Docs
Routes (which has info on policies/middlewares also): Routes - Strapi Developer Docs

1 Like

Thank you so much :slight_smile: