isOwner policy in strapi 4.0

System Information
  • Strapi Version: 4.0.5

Hello guys, I’m new to Strapi. I tried to make a backend for my Todo app. I created the content type Todo with a field like “Todo” of type text. Additionally, I added the relation “users have many todos”, but still, if I make an HTTP request as user1, I see all todos, not only the todos assigned to user1. I found something like an “isOwner policy”, but it doesn’t work for me. Are there any instructions on how to do this in Strapi 4.0.5? Thanks for all replies.

1 Like

Hello mate, the last time I had to do something like this in version 3 I had to implement this logic manually :frowning:

However, as I am a bad programmer and this use case seems to be very common and important, I would be VERY interested if there are better ways to implement the owner policy.

Here is an example of what I did for my content type survey:

const { sanitizeEntity } = require('strapi-utils');

// Strapi v3 controller action. identifierExists() and
// strapi.services.user.cookieValue() are custom helpers not shown in this post.
module.exports = {
  async findOne(ctx) {
    const { id } = ctx.params;
    const { user } = ctx.state;
    const entity = await strapi.services.survey.findOne({ id });
    // unknown id: stop before dereferencing a missing entity
    if (!entity) {
      ctx.throw(404, 'Survey not found');
    }
    const interviewees = entity.interviewees;
    let survey = sanitizeEntity(entity, { model: strapi.models.survey });
    // if the request is made by an authenticated user and the authenticated user
    // does not match the survey author then return error (ctx.throw() raises,
    // so nothing after it runs)
    if (user && user.id != survey.survey_author.id) {
      ctx.throw(403, 'You are not allowed to access the information');
    }
    // if the request is not made by an authenticated user check if user belongs to
    // survey interviewee and if so return non sensitive survey data
    if (!user) {
      const cValue = await strapi.services.user.cookieValue(ctx);
      // if provided cookie value is not valid return error
      if (!identifierExists(interviewees, cValue)) {
        ctx.throw(403, 'Provide a correct surveycode');
      }
      // if provided cookie value is valid delete sensitive survey data
      delete survey.survey_author;
      delete survey.interviewees;
    }
    // default case return all survey information
    return survey;
  },
};

I tried your solution, but unfortunately it doesn’t work for me :frowning:

Can you tell me what you did and what did not work?

It would be awesome if others could help regarding a good ‘isOwner’ policy implementation in Strapi 4.0.

@alpakaxaxa I tried many ways to implement the isOwner policy and watched many tutorials on YouTube, and nothing worked because they are for version 3. Finally I found the solution on the Strapi GitHub: user nextrapi created the isOwner policy for Strapi 4.0, you can check it here: IsOwner Guide Update for V4 Fix for #652 by nextrapi · Pull Request #674 · strapi/documentation · GitHub
I tried this, and it works perfectly for me.

2 Likes
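An added example, not code from this thread or from the linked pull request: the ownership logic the question asks for, written as plain functions in the shape a Strapi v4 policy and controller would use. The content type UID `api::todo.todo`, the relation field name `user`, the sample todos and `fakeStrapi` are assumptions made for illustration.

```javascript
'use strict';

// Assumed names (not from the thread): content type 'api::todo.todo' with a
// relation field `user` that points at the users-permissions user.
const TODO_UID = 'api::todo.todo';

// True only when the entity has an owner and it is the caller. The relation may
// arrive as a bare id or as a populated object; ids are compared as strings.
function ownsEntity(entity, userId) {
  if (!entity || entity.user == null || userId == null) return false;
  const ownerId = typeof entity.user === 'object' ? entity.user.id : entity.user;
  return ownerId != null && String(ownerId) === String(userId);
}

// List routes: AND the owner constraint with whatever filters the client sent,
// so a client-supplied filters[user] cannot replace or widen it.
function scopeQueryToOwner(query, userId) {
  const clientFilters = query && query.filters ? [query.filters] : [];
  const owner = { user: { id: { $eq: userId } } };
  return { ...query, filters: { $and: [...clientFilters, owner] } };
}

// Strapi v4 policy shape: (policyContext, config, { strapi }) => boolean.
// Single-entity routes: allow only when the addressed todo belongs to the caller.
async function isOwnerPolicy(policyContext, config, { strapi }) {
  const user = policyContext.state.user;
  if (!user) return false; // unauthenticated request: deny
  const { id } = policyContext.params;
  const todo = await strapi.entityService.findOne(TODO_UID, id, { populate: ['user'] });
  return ownsEntity(todo, user.id); // missing todo or missing owner: deny
}

// Constructed sample data and a stand-in for strapi.entityService, so the
// policy can be exercised without a running Strapi instance.
const SAMPLE_TODOS = [
  { id: 1, todo: 'buy milk', user: { id: 1 } },
  { id: 2, todo: 'pay rent', user: { id: 2 } },
  { id: 3, todo: 'no owner set', user: null },
];
const fakeStrapi = {
  entityService: {
    findOne: async (uid, id) =>
      SAMPLE_TODOS.find((t) => String(t.id) === String(id)) || null,
  },
};
```

In a v4 controller the scoped query would replace `ctx.query` before the core `find` is called with `ctx.state.user.id` as the owner, and `isOwnerPolicy` would be exported from a policy file and attached to the findOne, update and delete routes.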