Policy isOwner on upload

System Information
  • Strapi Version: 3.5.3
  • Operating System: linux
  • Database: postgresql
  • Node Version: 12.21
  • NPM Version: 6.14.11
  • Yarn Version:


I have an article api where user can insert illustration. The illustration model is linked to images the user can upload, it contains a relation to the actual image file as well as relations to user, tags an so on. The user has the possibility to manage its own illustrations with a dedicated isOwner policy. In particulare, delete an illustration is performed in two step : first delete the illustration entry then delete the corresponding file. The isOwner policy is applied to illustration but can hardly be used for the file as there is no user linked to the file

Would it be possible to make sure a user can not delete images or files from other users?


1 Like

Hi. you fixed this issue? I want the user to only upload image on the content type he is related to. right now any authenticated user can upload files and replace the image on any content type.