How can I tell which user a JWT token belongs to, and retrieve only the data belonging to that user?

System Information
  • Strapi Version: Strapi v3.6.2
  • Operating System: Ubuntu
  • Database: PostgreSQL
  • Node Version:
  • NPM Version:
  • Yarn Version:

I want the user to access only his or her own data when entering the “My orders” screen. Querying by id reveals a vulnerability, since someone else could just query for another id. So I want the JWT token to return whichever user’s orders it belongs to. How can I do that? Has it been done before?

Is this in the frontend or the admin panel? (I assume frontend)

If it is the frontend, then writing a policy would be best: Backend customization - Strapi Developer Documentation

Basically you pre-filter results on the logged-in user’s id (assuming orders have a relation to the user): you can extract user information from ctx.state.user and modify ctx.query to inject additional filters (or return errors).

hi @DMehaffy,

I’ve created the file config/policies/includeUserRelations:

module.exports = async (ctx, next) => {
  // ctx.state.user is populated from the JWT by the users-permissions plugin
  if (ctx.state.user) {
    // look the user up again by id (only the id column is selected)
    let { id } = await strapi.query('user', 'users-permissions').findOne({ id: ctx.state.user.id }, ['id']);
    ctx.state.user.id = id;
  }
  // no filter is added to ctx.query here, so the controller still returns every order
  return await next();
};

here I can get the ID you received according to the token.

To api/order/config/route I added:

{
  "method": "GET",
  "path": "/orders",
  "handler": "order.find",
  "config": {
    "policies": ["global::includeUserRelations"]
  }
},

But all orders are still being returned. Unfortunately, there was no filtering by user. Where did I go wrong?

I’m curious here why you are doing a query, since if you console.log(ctx.state.user) it should contain all the user information you need (including the id). But you are missing a filter: ctx.state.user contains the user’s information based on the JWT they supplied (if they supplied one, else the request is public), but you still need to inject the filter.

I wrote a sample policy that was for controlling access to a content-type based on which organization a user belonged to (this is an older example and the code sucks, but it’s there to prove a point; don’t do what I did here and loop a bunch of different checks into one policy. It’s better to have multiple policies).

1 Like
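As an added example (not code from the thread or from the Strapi project) of the filter injection described in the two replies above: a Strapi v3 global policy that rejects anonymous requests and pins ctx.query to the caller's id. It assumes the Order content-type has a relation field named `user` (hypothetical) and that the file is saved as config/policies/isOwner.js (hypothetical name) and referenced as "global::isOwner".

```javascript
'use strict';

// Assumed relation field on the Order content-type that points at the
// users-permissions user (hypothetical; adjust to your model).
const OWNER_FIELD = 'user';

// Pure helper so the scoping logic can be tested without Koa or Strapi.
// Any client-supplied filter on the owner relation (user, user_in, user_ne,
// ...) is dropped so the caller cannot widen the scope, then the relation
// is pinned to the authenticated user's id. Other filters are kept.
function scopeQueryToUser(query, userId) {
  const scoped = {};
  for (const [key, value] of Object.entries(query || {})) {
    if (key === OWNER_FIELD || key.startsWith(`${OWNER_FIELD}_`)) continue;
    scoped[key] = value;
  }
  scoped[OWNER_FIELD] = userId;
  return scoped;
}

// The policy: runs before order.find. ctx.state.user is filled in from the
// JWT by the users-permissions plugin; if it is absent the request is public
// and we refuse it rather than returning every order.
function isOwnerPolicy(ctx, next) {
  const user = ctx.state.user;
  if (!user) {
    return ctx.unauthorized('Authentication required');
  }
  ctx.query = scopeQueryToUser(ctx.query, user.id);
  return next();
}

// Strapi loads policy files as CommonJS modules.
if (typeof module !== 'undefined') {
  module.exports = isOwnerPolicy;
  module.exports.scopeQueryToUser = scopeQueryToUser;
}
```

Because the filter is injected server-side from ctx.state.user, a client can still send ?user=5 or ?user_in=1,2, but those keys are discarded before the controller runs.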

Hi

This is a good starting point for the data ownership problem; however, my question is, can the policy be applied to GraphQL queries and mutations? I have asked this on the forum and haven’t gotten a reply yet.

If you see the note here: Back-end customization | Strapi Documentation

WARNING
To apply policies with GraphQL please see the following guide.

Which links to here: https://strapi.io/documentation/developer-docs/latest/development/plugins/graphql.html#customize-the-graphql-schema but yes policies can be applied to GraphQL as well.

1 Like

Perfect! Thank you.

But can we please know when the official method/plugin is coming to address the data ownership issue? It has been listed in the roadmap for over a year now and has many votes as well.

Thank you for the reference. I accidentally replied to myself there.

Most likely in v4, though maybe not in the initial stable release; it will be a focus for us.

1 Like