Is there a way to assign Users access to only their table entries?

System Information
  • 0.1.0:
  • vagrant homestead ‘latest’:
  • mysql:
  • v12.16.2:
  • 6.14.4:
  • 1.22.5:

Currently, I’m using Nuxt.js as frontend and Strapi as the api backend. The project is a CMS that will have multiple user’s logging in and storing their own information in the database. I’ve got the user credentials working fine using the $strapi.user variable to check for validation, and then a middleware script to check if the user has been authorized in order for them to have access beyond the logon screen.

Since everyone would share a “products” table to store their own entries, there needs to be differentiation in the table itself, such as a UUID, or unique user id, that would allow the api to determine if the table entry belongs to the user requesting it. So if I were to create the api without using strapi, the backend would crosscheck the UUID and make sure that it only retrieves the table entries for that user. One option is to do a $strapi.find() using the UUID from the $strapi.users on the nuxt client side, but this would expose this information to the client side, and allow for injection from other users. It would be better to have all this info relegated to the server side so that it isn’t exposed to the client. Another option is to create a proxy api, that first gets the user’s UUID, and does the $strapi.find() on the server, filters results for UUID, and then feeds the filtered results to the client.

So, the question is, is there a way to do this with strapi?


Take a look at Strapi’s documentation, there is an example for that:


Great, sonnyson, thanks for the pointer. Will read up on it.

1 Like

Each record in a collection stores the user who created it, but this info is by default hidden in the API.

You can expose the UUID of the creator in the API response.
This is a setting per model.
See documentation for Model-Options

As the creator is known for each record, it should be easy to override the
.find() and .update() method according to the article from @sunnyson.