Middleware in GraphQL not working

I want to make a middleware that allows only owner of this entry can’t update but it doesn’t return error as I expect. Although it runs through is-belong-user policy.
Here’s my policy in /config/policies/is-belong-user.js

module.exports = async (ctx, next) => {
    const todo = await strapi.services.todos.find({
        id: ctx.params.id,
        'user_id': ctx.state.user.id,
    });
    if (todo && todo.length) {
        return await next();
    }
    ctx.unauthorized(`You don't have authorize for this entry`);
};

And here’s my api/todos/config/schema.graphql

Mutation: {
    updateTodo: {
      description: 'Update todo detail',
      policies: [
          'global::is-belong-user',
      ],
    },
  }

Can anyone help me? Thanks in advance.

@Quang_nguy_n_d_c I have the same problem. Did you find a solution?

I was able to restrict the users from creating/updating/deleting records they don’t own using policies in v4.

Example code to restrict a user from creating an entry on another’s behalf.

// path: ./src/index.js

module.exports = {
  register({ strapi }) {
    const extensionService = strapi.plugin("graphql").service("extension");

    extensionService.use({
      resolversConfig: {
        "Mutation.createAuthorProfile": {
          policies: [
            async (context) => {
              const loggedInUserId = context.state.user.id;

              const targetedUserId = context.args.data.users_permissions_user;

              return loggedInUserId == targetedUserId;
            },
          ],
        },
      },
    });
  },
};
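The same resolver-policy approach applied to the update case from the original question, as an added example that is not code from any post in this thread. It assumes a v4 content type with UID `api::todo.todo` and a single-valued relation field named `owner`; `makeOwnerPolicy` and `fakeStrapi` are hypothetical names, and the stub data is constructed so the check runs offline.

```javascript
// Added example. Assumed names: makeOwnerPolicy, "api::todo.todo", "owner".
function makeOwnerPolicy(strapi, uid, ownerField) {
  return async (context) => {
    const user = context.state && context.state.user;
    if (!user) return false; // unauthenticated: deny

    // v4 update/delete mutations carry the target entry id in args.id
    const entry = await strapi.entityService.findOne(uid, context.args.id, {
      populate: [ownerField],
    });
    const owner = entry && entry[ownerField];
    // Compare as strings: GraphQL ID args are strings, stored ids may be numbers.
    if (!owner || String(owner.id) !== String(user.id)) return false;

    // Also refuse an update that hands the entry to a different user.
    const data = context.args.data || {};
    if (ownerField in data && String(data[ownerField]) !== String(user.id)) {
      return false;
    }
    return true;
  };
}

// Wiring, inside register({ strapi }) in ./src/index.js:
//   "Mutation.updateTodo": { policies: [makeOwnerPolicy(strapi, "api::todo.todo", "owner")] }

// Constructed stand-in for strapi so the policy can be exercised offline.
const fakeStrapi = {
  entityService: {
    async findOne(uid, id) {
      const rows = { 1: { id: 1, owner: { id: 7 } }, 2: { id: 2, owner: { id: 8 } } };
      return rows[id] || null;
    },
  },
};

async function demo() {
  const policy = makeOwnerPolicy(fakeStrapi, "api::todo.todo", "owner");
  const as7 = { user: { id: 7 } };
  return [
    await policy({ state: as7, args: { id: "1", data: { title: "x" } } }), // own entry
    await policy({ state: as7, args: { id: "2", data: { title: "x" } } }), // someone else's
    await policy({ state: as7, args: { id: "1", data: { owner: "8" } } }), // reassign owner
    await policy({ state: {}, args: { id: "1", data: {} } }),              // not logged in
    await policy({ state: as7, args: { id: "99", data: {} } }),            // missing entry
  ];
}
```

Only the first call is allowed; every other case returns `false`, including an entry that does not exist, so the policy fails closed.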