I'm following examples from the web and I can't understand why they don't work for me. Please help.

System Information
  • Strapi Version: ^4.10.5
  • Operating System: node-18 alpine docker image
  • Database: Postgres
  • Node Version: 18.something
  • NPM Version:
  • Yarn Version:

So I have this schema:

{
  "kind": "collectionType",
  "collectionName": "addresses",
  "info": {
    "singularName": "address",
    "pluralName": "addresses",
    "displayName": "Address",
    "description": ""
  },
  "options": {
    "draftAndPublish": false
  },
  "pluginOptions": {},
  "attributes": {
    "street": {
      "type": "string",
      "required": true
    },
    "owner": {
      "type": "relation",
      "relation": "manyToOne",
      "target": "plugin::users-permissions.user",
      "inversedBy": "addresses"
    }
  }
}

And I have updated my list endpoint like this:

'use strict';

/**
 * address controller
 */

const { createCoreController } = require("@strapi/strapi").factories;

module.exports = createCoreController("api::address.address", ({ strapi }) => ({
  async find(ctx) {
    console.log('CTDX, ', ctx.state);
    const {
    } = ctx.query;
    ctx.query = {
      filters: {
        owner: {
          id: ctx.state.user.id
        }
      }
    };
    return await super.find(ctx);
  }
}));

When I query the endpoint (localhost:1337/api/addresses?populate=*) with an authenticated user's credentials:

  1. I don’t see the owner field in the output - why?
  2. Data is not filtered by where the owner is the authenticated user - I see all the data - why?
  3. Do I need to also return async findOne to make sure single results are also filtered by authenticated user?

Thank you in advance.

I guess I’ll answer my own questions. What was missing was the permissions for the role - once I added permissions for user find and findOne - everything started working. And I find this kinda stupid. Sure, it makes sense to get the data. Sure - don’t show all the data then, just show the user Id, but it makes zero sense for filtering. Why would permissions stop filtering?

Yeah, I ran into this issue myself and would really like to find some better way to solve this problem…
Is there no way to filter for that user relation - without having to, for example, first query via entityService.findOne() or something similar (thus already doing a DB request) - instead of just using it with filters…
Giving every authenticated user the permission to use find/findOne on the U&P user type seems like the wrong move - so maybe you’d have to create custom find/findOne controllers for the U&P plugin which then also check if … you are you…? (i.e. you’re only allowed to access yourself)
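
An added example, not part of the thread and not Strapi's own code: one way to keep the owner constraint on the server for both list and single-record reads, combining it with the client's filters through the `$and` operator so that a client-sent `filters[owner][id]` cannot widen the result. The names `scopeToOwner`, `matches`, `findOwn`, `findOneOwn` and the sample rows are hypothetical, and the small matcher stands in for the database so the block runs without Strapi.

```javascript
// Hypothetical helpers, not Strapi API. Only the filter shape
// ({ $and: [...] }, { owner: { id } }) follows Strapi v4 filter syntax.
function scopeToOwner(query, user) {
  if (!user || user.id == null) throw new Error("unauthenticated");
  const q = query || {};
  const clientFilters = q.filters ? [q.filters] : [];
  // The owner id comes from the session (ctx.state.user), never from the request.
  return { ...q, filters: { $and: [...clientFilters, { owner: { id: user.id } }] } };
}

// Minimal matcher for the filter subset used here ($and + nested equality),
// standing in for the database so the example runs offline.
function matches(row, filter) {
  return Object.entries(filter).every(([key, want]) => {
    if (key === "$and") return want.every((f) => matches(row, f));
    if (want !== null && typeof want === "object") {
      return row[key] != null && matches(row[key], want);
    }
    return String(row[key]) === String(want); // query-string values arrive as strings
  });
}

// Constructed sample data.
const ROWS = [
  { id: 1, street: "1 Main St", owner: { id: 7 } },
  { id: 2, street: "9 Side Rd", owner: { id: 8 } },
  { id: 3, street: "4 Hill Ln", owner: { id: 7 } },
];

// List: what a custom find() would return for this request context.
function findOwn(ctx) {
  const params = scopeToOwner(ctx.query, ctx.state.user);
  return ROWS.filter((row) => matches(row, params.filters));
}

// Single record: same scope plus the id, so another user's id yields null (treat as 404).
function findOneOwn(ctx, id) {
  const params = scopeToOwner({ filters: { id } }, ctx.state.user);
  return ROWS.find((row) => matches(row, params.filters)) || null;
}
```

In a controller, the object returned by `scopeToOwner` would be passed to something like `strapi.entityService.findMany("api::address.address", params)` instead of the in-memory `ROWS` filter; that wiring is an assumption and is not shown in the thread.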