I don't understand API permissions

System Information
  • Strapi Version: 3.6.7
  • Operating System: Debian
  • Database: MySQL Azure Database
  • Frontend: NextJS static website (next export)

I have a question about security using the GraphQL plugin, and about how Strapi API endpoints work in general. It stems from my lack of experience and may seem obvious to some of you, so bear with me please.

Say I want my users to be able to like posts made by others. My user naturally has Authenticated role, so in Strapi I give that role access to the default update permission in Posts to achive this.

Then in my NextJS soon to become serverless front end I put this code :

const QUERY = gql`
    mutation AddPostLike($postID: ID!, $userID: ID!) {
            input: { where: { id: $postID }, data: { liker: $userID } }
        ) {
            post {

I then pass $userID to this function depending on current connected user in my user context. This works. But here comes the part that I’m not sure about… If I understand correctly, any Authenticated user has now the ability to update any post through the API.

Since everything is client side, can the user potentially extract his own token, and use it to fire whatever update query he wants outisde of what I defined in my code?

If he can’t for some reason, can he instead hijack this exact query by modifing the$userID varriable (in browser memory? since it’s stored client side) to an id other than his own, for example?

Is all of this magically prevented by GraphQL/Strapi API/something else…? If it isn’t, where can I learn more about the correct way of doing this?

It has been bugging me for a while now, I’d appreciate any help filling this gap in my understanding of how the API works!

will bump only this once :frowning_face:

Yes, this is true.

Yes, he can.

I don’t have much experience with graphql but if the user has the permissions, he can do whatever he wants. He can for example fire up Postman and achieve the same result through the REST API.

I would create an API route to handle liking and such, you can find more information about creating routes, controllers and doing backend logics here ( Backend customization - Strapi Developer Documentation)

You can also create a policy to prevent users from modifying posts where they are not the author of.
( [Backend customization - Strapi Developer Documentation] - Also from the link above

And I would suggest restricting users from the update permission and just write your own logic on the backend.

Added another example/tutorial from the docs: Is Owner - Strapi Developer Documentation

Thanks a lot! it finally clicked :grinning_face_with_smiling_eyes:

This guide is actually outdated, I wouldn’t recommend doing a controller customization here and just use policies.