Which user's jwt token belongs to, how can only data belonging to that user's be retrieved?

System Information
  • Strapi Version: Strapi v3.6.2
  • Operating System: ubunutu
  • Database: postgre
  • Node Version:
  • NPM Version:
  • Yarn Version:

I want the user to access only his data when he / she enters the “My orders” screen. Making an id query reveals a vulnerability just like someone else is querying for another id. So I just want the jwt token to return whatever user’s orders it belongs to. how can I do that. has it been done before?

Is this in the frontend or the admin panel? (I assume frontend)

If it is the frontend, then writing a policy would be best: Backend customization - Strapi Developer Documentation

Basically you prefilter results on the logged-in user’s id (assuming orders have a relation to the user) you can extract user information from ctx.state.user and modify the ctx.query to inject additional filters. (or return errors)

hi @DMehaffy,

I’ve created file config / policies / includeUserRelations.

module.exports = async (ctx, next) => {
    if (ctx.state.user) {
      let { id } = await strapi.query('user', 'users-permissions').findOne({ id: ctx.state.user.id }, ['id']);
      ctx.state.user.id = id;
    return await next();

here I can get the ID you received according to the token.

api / order / config / route

      "method": "GET",
      "path": "/orders",
      "handler": "order.find",
      "config": {
        "policies": ["global::includeUserRelations"]


but still all orders are returning. Unfortunately, there was no filtering by user. Where did I go wrong?

I’m curious here why you are doing a query since if you console.log(ctx.state.user) it should contain all the user information you need (including the id). But you are missing a filter, the ctx.state.user contains the users information based on the JWT they supplied (if they supplied one, else the request is public). But you need to inject the filter.

I wrote a sample policy that was for controlling access to a content-type based on which organization a user belonged to (this is an older example and the code sucks but it’s there to prove a point, don’t do what I did here and loop a bunch of different checks into one policy. It’s better to have multiple policies)

1 Like


This is a good starting point for Data Ownership problem; however, my question is, can the policy be applied to GraphQL quires and mutations? I have asked this on the forum and haven’t gotten a reply yet.

If you see the note here: Backend customization - Strapi Developer Documentation

To apply policies with GraphQL please see the following guide.

Which links to here: GraphQL - Strapi Developer Documentation but yes policies can be applied to GraphQL as well.

1 Like

Perfect! Thank you.

But can we please know when is the official method/plugin is coming to address the data ownership issue? It is listed in the roadmap for over a year now and have many votes as well.

Thank you for the reference. I accidentally replied to myself there.

Most likely in the v4, though maybe not in the initial stable release, it will be a focus for us.

1 Like