Protecting /upload

System Information
  • Strapi Version: 3.6.8
  • Operating System: Mac
  • Database: SQLite
  • Node Version: 14.15.3
  • NPM Version: n/a
  • Yarn Version: n/a

I have an issue with the /upload route in my application, I am running:

 const handleSubmit = async (e) => {
        const formData = new FormData();
        formData.append("files", image);
        formData.append("ref", "businesses");
        formData.append("refId", collectionId);
        formData.append("field", "image");

        const res = await fetch(`${API_URL}/upload`, {
            method: "POST",
            headers: {
                Authorization: `Bearer ${token}`
            body: formData,

        if(res.ok) {

Which works as expected and uploads the image to the correct location, however anyone who is logged in can upload to any collection. Is there anyway to protect it and allow just the user who owns the collection to complete the action.
Many Thanks

How it works as it’s expected I’m trying too much to upload image to existing entry and I can’t

This is my screenshot can you help me?

Btw your solution is to create policy to that route and it’s done I’ve made one last day and it worked fine

Thanks for the reply, how do you attach a policy to the /upload route? I thought it might be the case to create a policy for it, but I could not work out in the files where in fact to put it.

To answer your question, it looks fine to me, try removing /api see if that works. On the version I’m using at least I POST too http://localhost:1337/upload

Well I copied the plugin-upload file into extensions file and modified it there

For my situation It throws 401 error (UnauthorizedError)

Ok, I’ll give that a go later, thanks!

Have you allowed public to use the upload route under users and permissions? If you have just allowed authorised users are sending a correct JWT token? Could also be an issue with moving into the extensions?

Of course I tried to send JWT with the request although I’ve turned public access to the upload plugin but still…

I finally did it!

Strapi 3.6.8 (node v14.16.0)

go to node_modules/strapi-plugin-upload/config
here you need to copy routes.json file
this file put to extensions/upload/config

Specify the policy in the required route in this file
create this policy in extensions/upload/config/policies