I'm following examples from the web and I can't understand why they don't work for me. Please help

OdifYltsaeb · May 29, 2023, 3:55pm

System Information

Strapi Version: ^4.10.5
Operating System: node-18 alpine docker image
Database: Postgres
Node Version: 18.something
NPM Version:
Yarn Version:

So I have this schema:


{
  "kind": "collectionType",
  "collectionName": "addresses",
  "info": {
    "singularName": "address",
    "pluralName": "addresses",
    "displayName": "Address",
    "description": ""
  },
  "options": {
    "draftAndPublish": false
  },
  "pluginOptions": {},
  "attributes": {
    "street": {
      "type": "string",
      "required": true
    },
    ...
    "owner": {
      "type": "relation",
      "relation": "manyToOne",
      "target": "plugin::users-permissions.user",
      "inversedBy": "addresses"
    }
  }
}

And I have updated my list endpoint like this:

'use strict';

/**
 * address controller
 */

const { createCoreController } = require("@strapi/strapi").factories;

module.exports = createCoreController("api::address.address",
  ({
     strapi
   }) => ({
    async find(ctx) {
      console.log('CTDX, ', ctx.state);
      const {
        filters
      } = ctx.query;
      ctx.query = {
        ...ctx.query,
        filters: {
          ...filters,
          owner: {
            id: ctx.state.user.id
          }
        }
      };
      return await super.find(ctx);
    }
  }));

When I query the endpoint (localhost:1337/api/addresses?populate=*) with authenticated users credentials I

I don’t see the owner field in the output - why?
Data is not filtered by where the owner is the authenticated user - I see all the data - why?
Do I need to also return async findOne to make sure single results are also filtered by authenticated user?

Thank you in advance.

OdifYltsaeb · May 29, 2023, 6:51pm

I guess, I’ll answer my own questions. What was missing was the permissions for the role - once I added permissions for user find and fineOne - everything started working. And I find this kinda stupid. Sure, It makes sense to get the data. Sure - don’t show all the data then, just show the user Id, but it makes zero sense for filtering. Why would permissions stop filtering?

mhelbich · July 28, 2023, 7:32pm

Yeah, I ran into this issue myself and would really like to find some better way to solve this problem…
Is there no way to filter for that user relation - without having to, for example, first query via entityService.findOne() or something similar (thus already doing a DB request) - instead of just using it with filters…
Giving every authenticated user the permission to use find/findOne on the U&P user type seems like the wrong move - so maybe you’d have to create custom find/findOne controllers for the U&P plugin which then also check if … you are you…? (i.e. you’re only allowed to access yourself)