Unable to set created_by on model in controller action

Hi I’m trying to update a controller so that users can only see items created by them or their organizations.

I’m unable to set any values for created_by or modified_by via controller. The ORM appears to strip out and ignore these fields which is super frustrating because there’s zero documentation on how to use this feature.

I created a model hook for “afterCreate” to see what the Admin UI was doing, and I am seemingly passing it the same data but it just won’t work from my controller.

  async create(ctx) {

    let newCampaign = ctx.request.body;

    newCampaign.created_by = parseInt(ctx.state.user.id);
    newCampaign.updated_by = parseInt(ctx.state.user.id);

    let entity = await strapi.services.campaign.create(newCampaign);
    return sanitizeEntity(entity, { model: strapi.models.campaign });

Here’s an example of what data is present in the payload I’m passing to strapi.model.create() and the a console.log from the beforeCreate() function to show that the unhelpful ORM is taking off my created_by fields because “reasons”??!! :face_with_symbols_over_mouth:

Super frustrated with this, but I realize its just my lack of understanding and inability to read the docs thats blocking me. There HAS to be a way to do this… I’m just not finding it.

payload passed to create()
  name: 'Fake Data 737',
  startDate: '2020-11-25T21:10:11+00:00',
  endDate: '2020-11-26T17:10:11+00:00',
  created_by: 4,
  updated_by: 4
beforeCreate lifecycle hook
  status: 'draft',
  endDate: '2020-11-26T17:10:11+00:00',
  startDate: '2020-11-25T21:10:11+00:00',
  name: 'Fake Data 737'

So I have sort of a hacky way to accomplish what I want.

To save anybody who is facing this issue the time / struggle… Strapi just doesn’t let you do what I am trying to do above here. Don’t research it… you’ll just waste your time and get angry. You can’t use the built in created_by field so stop trying.

The solution is to add your own createdBy editedBy or editedAt fields to the model and update them manually in every controller action that touches your records. Then in your controller you can look at the ctx.state.user to find IDs for assignment that will work. Then update your list/find controller actions to ignore any URL params, and set the createdBy from the ctx.state.user.id value you can grab.

<frustrated rant>

This is by far the worst part of Strapi I’ve encountered yet. Its the type of thing that will cause people to be discouraged from using the platform because what I’d consider basic functionality is totally lacking. I am trying to channel my frustration into constructive criticism… I hope someone reads these posts and updates the holes in the documentation or writes a blog post about “how to deal with the fact that your admin users and API users are two different sets”.

I really… REALLY wish there was a way to undo the separation of admin users and web users. Especially with the great ACL admin UI that Strapi has it takes a great feature and completely ruins it.



Still impossible to edit created_by field when make a post to an entity.

dirtybirdnj has the correct answer

Just wanted to come in and say that honestly I agree with you, we are planning to make the users-permissions plugin optional in the v4 and it won’t be installed by default however I personally believe that we could do better on this.

On that note, those specific fields are only used by the admin plugin as I assume you figured out and they aren’t polymorphic nor are they configurable without heavy modification to the strapi-admin package. Your solution is the correct one, I believe in the v4 we might be changing their name but I would need to confirm.

If anyone stumbles upon this, in v4 passing created_by_id and updated_by_id in the payload works. No hacks required.


I tried this, but it doesn’t work.