Serve Different Content Based on User Data

This article may be outdated as it is using a previous version of Strapi. To access the most up-to-date information about Strapi, we recommend referring to the official documentation.

This is a companion discussion topic for the original entry at

Thanks for the tutorial. There is one thing that I didn’t quite understand.
I think that a user should only be able to delete/update the Business it belongs to. And not any Business.
To me it seems that in this example any user can update any Business.
If this example is meant to be so that any user can update any Business, then please direct me to where I can find an example on how to restrict update/delete so that only he user that has a relation to the Business can do update/delete.

1 Like

Good tutorial. Noticed that it needs to add /api/ after localhost:3000
On signup or login POST request to /api/user-details throws error 403 (Forbidden). After enabling Create permissions in Roles it works but allows to Create entry without filling up form fields at all. Are there any changes needed in Setting > Roles?

Good tutorial. However I believe this is not actually restricting user for real. Take for example if I login and try to access business page where you are fetching business data using filters in the API request I will get the desired result. What happens if someone who knows how to use the Dev tool goes in and find the JWT token and used that to send a request to the API without any filters? They will get all the data including the once they should not have access to. So this is not restricting the user really.

1 Like

You have to use policy for this. Check out strapi documentation for policy. or create custom controller.