How to not allow an end user to update/delete another end user's post?

System Information
  • Strapi Version: 4.3.0
  • Operating System: Linux/Ubuntu
  • Database: sqlite
  • Node Version: 16.15.1
  • NPM Version: 8.11.0
  • Yarn Version: 1.22.15

Hi all, I’m quite new to Strapi and was thinking of making a clone of Facebook with it. I hit a blocker where any authenticated user can modify another authenticated user’s post even if I had set a relationship between Post and User (User has many Posts). I can’t seem to find anything related to my problem on Google or the docs, so is there a way to forbid non-authors to modify a post via the Strapi backend? If so, how so? Thank you for your answers and responses in advance :slight_smile:

Hi Vincent,
The best way is to use a policy on Post endpoints.

In this policy, you can retrieve the authenticated user, his/her linked posts and the targeted post, then check if the user is authorized to do the action.

See doc => Policies - Backend customization - Strapi Developer Docs


Hi 5ika,

Thanks for the reply. I’m having a hard time implementing what’s in the docs. Here’s my src file structure:

src
├── admin
│   ├── app.example.tsx
│   ├── tsconfig.json
│   └── webpack.config.example.ts
├── api
│   └── post
│       ├── content-types
│       │   └── post
│       │       └── schema.json
│       ├── controllers
│       │   └── post.ts
│       ├── policies
│       │   └── user-post-policy.ts
│       ├── routes
│       │   ├── post.ts
│       │   └── router.ts
│       └── services
│           └── post.ts
├── extensions
│   └── users-permissions
│       └── content-types
│           └── user
│               └── schema.json
└── index.ts

and here’s my user post policy file; I wanted to try logging the objects first to get an idea of what they are because I couldn’t find anything more about them in the Policies docs.

export default (policyContext: any, config: any, { strapi }: { strapi: any }) => {
    // Log what Strapi hands to a policy so we can see what the objects look like
    console.log('policyContext: ', policyContext);
    console.log('config: ', config);
    console.log('strapi: ', strapi);
    // A policy signals authorization by returning true; this one only logs, so let the request through
    return true;
};

here’s also my router.ts file

export default {
    routes: [
        {
            // Custom route: DELETE /posts (no :id parameter), handled by the core delete action
            method: 'DELETE',
            path: '/posts',
            handler: 'post.delete',
            config: {
                policies: ['user-post-policy']
            }
        },
        {
            // Custom route: PUT /posts (no :id parameter), handled by the core update action
            method: 'PUT',
            path: '/posts',
            handler: 'post.update',
            config: {
                policies: ['user-post-policy']
            }
        }
    ]
}

Nothing was logged to the terminal when I deleted a post; it was deleted, but it seems like it didn’t “pass through” the custom policy I made. Thanks again in advance for a reply or answer :slight_smile:

Hi Vincent,
You’re trying to configure core routers, so you need to put your configuration in the main router file (src/api/post/routes/post.ts) and declare your policy here.

import { factories } from "@strapi/strapi";

export default factories.createCoreRouter("api::post.post", {
  config: {
    // Attach the custom policy to the core DELETE /posts/:id route
    delete: {
      policies: ["user-post-policy"],
    },
    // Attach the same policy to the core PUT /posts/:id route
    update: {
      policies: ["user-post-policy"],
    },
  },
  only: null, // no filtering: keep all core routes (find, findOne, create, update, delete)
});

Hi 5ika,

Thanks for the reply! I’ll try that later after work, thanks a lot again.

Can you provide me with your user-post-policy code?
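One way to write that policy, added here as a worked example rather than code posted by anyone in this thread: it answers the request above for the user-post-policy code and follows the approach 5ika describes earlier (read the authenticated user, load the targeted post, compare). It assumes things the thread does not state: that the Post content type has a relation field named `author` pointing at the users-permissions user, that the guarded routes are the core PUT/DELETE /posts/:id so the target id arrives in `policyContext.params.id`, and that the lookup is done with `strapi.entityService.findOne` plus `populate`. The `PolicyContextLike`/`StrapiLike` types, `makeFakeStrapi`, `makeCtx` and the sample posts are local stand-ins, constructed so the file can be exercised outside a running Strapi.

```typescript
// Added example, not code from the thread. Intended location in the project:
// src/api/post/policies/user-post-policy.ts
// Assumptions (not stated in the thread): Post has a relation field `author`
// to plugin::users-permissions.user, and the guarded routes are the core
// PUT/DELETE /posts/:id, so the target id is in policyContext.params.id.

type UserRef = { id: number | string };

// The slice of Strapi's policyContext (the Koa ctx on REST routes) that the policy reads.
export interface PolicyContextLike {
  state: { user?: UserRef | null }; // set by users-permissions for authenticated requests
  params: { id?: string | number }; // :id from the route path
}

// The slice of the strapi object the policy needs: entityService.findOne(uid, id, params).
export interface StrapiLike {
  entityService: {
    findOne(
      uid: string,
      id: string | number,
      params?: { populate?: string[] }
    ): Promise<Record<string, any> | null>;
  };
}

// Returns true only when the authenticated user is the author of the targeted post.
// Every other case (anonymous caller, no id, unknown post, post without author,
// another author) returns false, which Strapi turns into a 403 before the controller runs.
export async function isPostOwner(
  policyContext: PolicyContextLike,
  _config: unknown,
  { strapi }: { strapi: StrapiLike }
): Promise<boolean> {
  const user = policyContext.state.user;
  if (!user) return false;

  const postId = policyContext.params.id;
  if (postId === undefined || postId === "") return false; // no target id: refuse rather than guess

  // Load the post with its author relation populated; only the author id is compared.
  const post = await strapi.entityService.findOne("api::post.post", postId, {
    populate: ["author"],
  });
  if (!post) return false; // unknown id: refuse instead of letting the caller probe further

  const authorId = post.author?.id;
  // Compare as strings: the id is a string from the URL but a number from the database.
  return authorId !== undefined && authorId !== null && String(authorId) === String(user.id);
}

export default isPostOwner;

// --- Test doubles, constructed here so the policy can run outside Strapi ---

export type PostRecord = { id: number; title: string; author?: { id: number } | null };

// Constructed sample data: post 7 belongs to user 1, post 8 has no author set.
export const SAMPLE_POSTS: PostRecord[] = [
  { id: 7, title: "hello", author: { id: 1 } },
  { id: 8, title: "orphan", author: null },
];

// In-memory stand-in for strapi.entityService exposing just the method the policy uses.
export function makeFakeStrapi(posts: PostRecord[]): StrapiLike {
  return {
    entityService: {
      async findOne(_uid: string, id: string | number): Promise<Record<string, any> | null> {
        return posts.find((p) => String(p.id) === String(id)) ?? null;
      },
    },
  };
}

// Builds the minimal policyContext for a request by `userId` (null = anonymous) targeting `postId`.
export function makeCtx(userId: number | null, postId?: string): PolicyContextLike {
  return { state: { user: userId === null ? null : { id: userId } }, params: { id: postId } };
}
```

Wired to the routes through `policies: ["user-post-policy"]` in the core router config, this runs before `post.update` and `post.delete` and refuses anyone who is not the author. Two caveats: the check is only as good as the `author` field, so set it server-side from `ctx.state.user` when a post is created rather than accepting an author id from the request body; and refusing unknown ids with 403 (instead of returning true and letting the controller answer 404) is a deliberate choice so a caller cannot use the policy to enumerate which post ids exist.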