strapi - restrict user to fetch only data related to him

Usually, a logged-in user gets all entries of a Content Type.

I created a "snippets" content type (_id, name, content, users <<->> snippets), where <<->> means a "has and belongs to many" relation.

I created some test users and made a request:

```shell
curl -H 'Authorization: Bearer eyJ...' http://localhost:1337/snippets/
```

Main Problem: an authenticated user should only see the entries assigned to him. Instead, a logged-in user gets all snippets, which is bad.

How is it possible to modify the fetchAll(ctx.query) query to take that into account, so it does something like fetchAll(ctx.state.user.id) in the find method of the / route?

The basic find method is here:

```javascript
find: async (ctx) => {
  if (ctx.query._q) {
    return strapi.services.snippet.search(ctx.query);
  } else {
    return strapi.services.snippet.fetchAll(ctx.query);
  }
},
```

Sub-Question: Does strapi even know which user is logged in when I do Bearer-Token Authentication?

Tags: koa strapi
asked Nov 12 '18 at 15:42 by roothahn; edited Nov 13 '18 at 19:58 by roothahn
1 Answer
You could set up a /snippets/me route under the snippets config. That route could call the Snippets.me controller method, which would check for the user and then query snippets based on the user.

So in api/snippet/config/routes.json there would be something like:

```json
{
  "method": "GET",
  "path": "/snippets/me",
  "handler": "Snippets.me",
  "config": {
    "policies": []
  }
},
```

Then in the controller (api/snippet/controllers/Snippet.js), you could do something like:

```javascript
me: async (ctx) => {
  const user = ctx.state.user;
  if (!user) {
    return ctx.badRequest(null, [{ messages: [{ id: 'No authorization header was found' }] }]);
  }
  const data = await strapi.services.snippet.fetch({ user: user.id });
  if (!data) {
    return ctx.notFound();
  }
  ctx.send(data);
},
```

Then you would give authenticated users permissions for the me route, not for the overall snippets route.
answered Nov 12 '18 at 22:36 by Moses; edited Nov 13 '18 at 16:49 by roothahn
I see that this is the first/only answer you gave and I wanted to explicitly thank you for being so kind to register to help me! :-) – roothahn, Nov 13 '18 at 14:08

I get only one snippet. Does fetch(user:user.id) fetch only one entry? fetchAll(user:user.id) does not give any output. – roothahn, Nov 13 '18 at 15:55

Are the ?_sort/find queries still possible with that solution? – roothahn, Nov 13 '18 at 15:57

Can the query of ctx.query be extended to restrict to the user:user.id part, so I could use the /-route find model? – roothahn, Nov 13 '18 at 16:04

The query construction might be off using fetchAll(). If there is more than one snippet per user, that should work. Play around with it. _sort and other params should work, you just have to construct the query including those properties. – Moses, Nov 13 '18 at 16:48
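The following is an added example, not code from the question, the answer or the Strapi project, that addresses both the question's find method and the follow-up comment about extending ctx.query: it scopes every query to the authenticated user server-side, so the plain /snippets route stops returning other users' entries while ?_q and ?_sort keep working. The ctx.state.user it reads is the same field the answer uses; that is where Strapi's users-permissions plugin places the user it resolved from the Bearer token. A small in-memory stand-in for strapi.services.snippet is constructed here so the logic runs offline; it is an assumption that the real service's fetchAll(params) and search(params) accept a filter keyed on the users relation the way the stand-in does, so check the query shape against your Strapi version. The names findMine, makeCtx, applySort and snippetService are hypothetical.

```javascript
// Added example (not from the question, the answer or Strapi): a `find`
// controller that always restricts the query to the logged-in user.
// The stand-in service below is constructed for this example; the real
// strapi.services.snippet is assumed (labelled assumption) to accept a
// filter object with a `users` key for the many-to-many relation.

// Constructed sample data: three snippets shared between user ids 1 and 2.
const SNIPPETS = [
  { _id: 'a', name: 'alpha', content: 'first draft', users: [1] },
  { _id: 'b', name: 'beta', content: 'shared notes', users: [1, 2] },
  { _id: 'c', name: 'gamma', content: 'private todo', users: [2] },
];

// Apply a Strapi-style `_sort=field:asc|desc` parameter without mutating input.
function applySort(rows, sort) {
  if (!sort) return rows;
  const [field, dir = 'asc'] = sort.split(':');
  const sign = dir === 'desc' ? -1 : 1;
  return [...rows].sort(
    (a, b) => (a[field] < b[field] ? -1 : a[field] > b[field] ? 1 : 0) * sign,
  );
}

// Stand-in service exposing the method names the question's controller calls.
const snippetService = {
  fetchAll(params) {
    const rows = SNIPPETS.filter(
      (s) => params.users === undefined || s.users.includes(params.users),
    );
    return applySort(rows, params._sort);
  },
  search(params) {
    const q = String(params._q).toLowerCase();
    return this.fetchAll(params).filter(
      (s) => s.name.includes(q) || s.content.includes(q),
    );
  },
};

// Minimal Koa-like ctx: state.user is what the users-permissions plugin sets
// after validating the Bearer token; query is the parsed query string.
function makeCtx(user, query = {}) {
  return {
    state: { user },
    query,
    status: 200,
    body: undefined,
    unauthorized(msg) { this.status = 401; this.body = { error: msg }; return this.body; },
    send(data) { this.body = data; return data; },
  };
}

// The scoped find. The user filter is spread AFTER ctx.query, so a request
// carrying ?users=<other id> cannot widen the result set; `_q` and `_sort`
// pass through untouched, which keeps sorting and search usable.
function findMine(ctx, service = snippetService) {
  const user = ctx.state.user;
  if (!user) return ctx.unauthorized('Authentication required');
  const params = { ...ctx.query, users: user.id };
  const data = params._q ? service.search(params) : service.fetchAll(params);
  return ctx.send(data);
}

// Stand-alone run: user 1 sees only snippets 'a' and 'b'.
console.log(findMine(makeCtx({ id: 1 })).map((s) => s._id));
```

The design point is that the owner filter is derived from the verified token on the server and merged last, never taken from the request; with this in place, the generic /snippets route can stay enabled for authenticated users without the /snippets/me split from the answer, although the split remains a reasonable choice if some roles should still see everything.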