I’m looking to use Strapi to group user accounts together (ex. users belonging to companies). Each company will have the same collections/model of data as the other but obviously I don’t want users from one company to be able to see the data from another company. Ideally I would also get to control what users within a company can see/do whatever.
Effectively the data itself is federated by users/groups but the model is common across my installation.
You are more than welcome to test out my rough example I made a few months back, but it may require some customization, and I don’t generally recommend throwing a bunch of checks in a single policy; instead, break them out into their own. This example was written for a user while I was Twitch streaming one day.
There is a lot there to digest, but the examples I gave kind of give two ways to handle the requests: either by forcefully moving the request to the proper query param or by returning an error. The key take-away, though, is where you put the code in the policy (before the await next() or after the await next()), and if your goal is to reject/return an error/secure the route, you will want to make sure it’s before the await next().
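The placement point from the answer above, as an added example that is not the code from the original posts or from Strapi itself. It assumes the Koa-style `(ctx, next)` policy signature the answer refers to and a hypothetical `company` id on both the user and the entries; `simulate` and its controller stub are constructed for the demonstration.

```javascript
// Assumed (hypothetical) data model: users and entries each carry a `company` id.

// Way 1: force the request onto the caller's own company, before the controller runs.
const forceOwnCompany = async (ctx, next) => {
  ctx.query = { ...ctx.query, company: ctx.state.user.company };
  await next();
};

// Way 2: return an error unless the request names the caller's own company.
const rejectOtherCompany = async (ctx, next) => {
  if (String(ctx.query.company) !== String(ctx.state.user.company)) {
    ctx.status = 403;
    ctx.body = { error: 'Forbidden' };
    return; // next() is never called, so the controller never runs
  }
  await next();
};

// Misplaced: the same check after await next(). The response is replaced,
// but the controller has already acted on the other company's data.
const rejectTooLate = async (ctx, next) => {
  await next();
  if (String(ctx.query.company) !== String(ctx.state.user.company)) {
    ctx.status = 403;
    ctx.body = { error: 'Forbidden' };
  }
};

// Constructed stand-in for a request: the "controller" records every query it acts on.
async function simulate(policy, user, query) {
  const ran = [];
  const ctx = { state: { user }, query, status: 404, body: undefined };
  await policy(ctx, async () => {
    ran.push({ ...ctx.query });
    ctx.status = 200;
    ctx.body = { actedOn: ctx.query };
  });
  return { status: ctx.status, ran };
}

// Constructed sample: a user of company 1 asks for company 2's entries.
const sampleUser = { id: 7, company: 1 };
for (const policy of [forceOwnCompany, rejectOtherCompany, rejectTooLate]) {
  simulate(policy, sampleUser, { company: 2 }).then((result) =>
    console.log(policy.name, JSON.stringify(result)));
}
```

With `rejectTooLate` the client still sees a 403, which hides the fact that the controller ran against company 2; for a create, update or delete route the change has already been made.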