I was able to restrict the users from creating/updating/deleting records they don’t own using policies in v4.
Example code to restrict a user to create an entry on another’s behalf.
// path: ./src/index.js
module.exports = {
register({ strapi }) {
const extensionService = strapi.plugin("graphql").service("extension");
extensionService.use({
resolversConfig: {
"Mutation.createAuthorProfile": {
policies: [
async (context) => {
const loggedInUserId = context.state.user.id;
const targetedUserId = context.args.data.users_permissions_user;
return loggedInUserId == targetedUserId;
},
],
},
},
});
},
};