Okay, I was able to figure it out by myself. Unfortunately, there is no ctx.badRequest for policies. I added the PolicyError class from utils to my policy, and then I was able to send custom error messages.
Here is my final code:
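'use strict';

const { PolicyError } = require('@strapi/utils').errors;

/**
 * Tells whether `value` is a string containing at least one non-whitespace
 * character. Non-string values (numbers, null, objects, arrays) are rejected
 * instead of being passed to `.trim()`, which would throw a TypeError.
 *
 * @param {unknown} value - Candidate field value taken from the request body.
 * @returns {boolean} True only for a non-blank string.
 */
const isNonBlankString = (value) =>
  typeof value === 'string' && value.trim() !== '';

/**
 * `updateOwnerOnly` policy.
 *
 * Decision table, as implemented below:
 *  - `api-token` strategy: allowed only for tokens of type `full-access`.
 *  - `users-permissions` strategy: allowed for the role type `admin`;
 *    otherwise the authenticated user id must equal the `:id` route parameter
 *    and the body must carry non-blank `firstname` and `lastname` strings.
 *  - any other strategy: denied.
 *
 * NOTE(review): this policy checks who is updating and that two fields are
 * present; it does not limit which other attributes of the body the owner may
 * change. Confirm that privileged attributes (for example role or blocked) are
 * filtered elsewhere before the update is applied.
 *
 * @param {object} policyContext - Strapi policy context (state, params, request).
 * @param {object} config - Policy configuration (unused).
 * @param {{ strapi: object }} deps - Provides the `strapi` instance used for logging.
 * @returns {boolean} True to let the request through, false to deny it.
 * @throws {PolicyError} When a user targets another user's id or a required
 *   name field is missing or blank.
 */
module.exports = (policyContext, config, { strapi }) => {
  strapi.log.info('updateOwnerOnly policy.');

  const { auth } = policyContext.state;
  const strategyName = auth.strategy.name;

  if (strategyName === 'api-token') {
    // Only full-access tokens pass; every other token type is denied.
    return auth.credentials.type === 'full-access';
  }

  if (strategyName !== 'users-permissions') {
    return false;
  }

  const { credentials } = auth;

  // Skip the ownership and field checks for the "admin" role type. A missing
  // role is treated as non-admin rather than crashing the request.
  if (credentials.role && credentials.role.type === 'admin') {
    return true;
  }

  const currentUserId = credentials.id;
  const userToUpdate = policyContext.params.id;

  // Compare the canonical string forms. Loose `!=` coerces the route parameter
  // to a number, so values such as "01" or "1e0" would match user 1 here while
  // later code receives the raw, non-canonical string.
  const isOwner =
    currentUserId != null &&
    userToUpdate != null &&
    String(currentUserId) === String(userToUpdate);

  if (!isOwner) {
    // The route parameter is request-controlled: serialise it so control
    // characters cannot break or forge log lines. Logged at warn level so the
    // attempt is visible to alerting that filters on severity.
    strapi.log.warn(
      `WARNING: User ${currentUserId} tried to edit user ${JSON.stringify(String(userToUpdate))}`,
    );
    throw new PolicyError('Unable to edit this user ID');
  }

  // A missing body is handled like an empty one, so the caller gets the
  // PolicyError below instead of an unhandled TypeError.
  const body = policyContext.request.body || {};

  if (!isNonBlankString(body.lastname)) {
    throw new PolicyError('Lastname is required');
  }

  if (!isNonBlankString(body.firstname)) {
    throw new PolicyError('Firstname is required');
  }

  return true;
};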