One to many relation and cross permissions

Nico-L · October 13, 2020, 8:05pm

Hello,

I have two collections, workshops and registereds. A relation field has been added to the workshop collection: a workshop belongs to registereds.

Now, permission are: workshops can be found publicly, but not the registereds. The registereds endpoint correctly shows the forbiden message, but registereds appear through the workshops endpoint, which I don’t want to since there are email information. And since this is not allowed I am wondering why they are shown.

How can I prevent the registereds to be listed at the workshops endpoint?

Thanks,
Nicolas

DMehaffy · October 13, 2020, 9:07pm

Within your ./api/workshop/models/workshop.settings.json file you can set the autoPopulate option to false under the relation field.

Nico-L · October 14, 2020, 1:49pm

Thanks, it works perfectly. Now, would it be possible to get the relation field when having the proper permissions?

DMehaffy · October 14, 2020, 2:44pm

Not currently no, that’s something that would require a custom controller to handle (checking the ctx.state.user and sending a different populate array to the service.)

Nico-L · October 14, 2020, 2:54pm

Ok, that would have reduced the number of queries when admin, but not as important as having emails in clear.

I guess that the graphQL plugin will have the same behavior?