IsOwner Guide Update for V4 Fix for #652

[nextrapi]

What does it do?

Updates the IsOwner guide for Strapi v4

Why is it needed?

The current guide is deprecated.

Important to note that I think this guide is useful and popular enough that it should be added to the sidebar but I haven't done that yet.

Related issue(s)/PR(s)

Fix for #652

[vercel]

This pull request is being automatically deployed with Vercel (learn more).
To see the status of your deployment, click below or on the icon next to each commit.

🔍 Inspect: https://vercel.com/strapijs/documentation/DP1Apd2LsKUm4H3TnojFUJnV1vHV
✅ Preview: https://documentation-git-fork-nextrapi-dev-isowner-v4-strapijs.vercel.app

[strapi-cla]

All committers have signed the CLA.

[derrickmehaffy]

Instead of controllers, this type of action should use route policies and route middlewares

[nextrapi]

Hi @derrickmehaffy, thank you a lot for your feedback. I updated the code using policies and middlewares.
This is a strapi project with the example code: https://github.com/nextrapi/Strapi_v4_IsOwner

If you can give me any feedback on the code or the way its written, I can do another update and rewording.

[derrickmehaffy]

Hi @derrickmehaffy, thank you a lot for your feedback. I updated the code using policies and middlewares. This is a strapi project with the example code: https://github.com/nextrapi/Strapi_v4_IsOwner

If you can give me any feedback on the code or the way its written, I can do another update and rewording.

Yes I'll try and provide some feedback hopefully later today if I get some time or on monday if my schedule fills up

[Spasio]

Hi @nextrapi i try your solution and it's works perfectly, thanks a lot. But i have a little problem, when i try to make post request from my app i have an error:

{
  "status": 403,
  "name": "TypeError",
  "message": "Cannot set property 'author' of undefined",
  "details": {}
}

But from postman it works fine. Maybe you can tell me what i'm doing wrong? My axios call:

      axios({
        method: "POST",
        url: "http://localhost:1337/api/articles",
        headers: {
          "content-type": "application/json",
          Authorization: `Bearer ${window.localStorage.getItem("jwt")} `,
        },
        title: "Test article from app",
      });

[nextrapi]

Hi @nextrapi i try your solution and it's works perfectly, thanks a lot. But i have a little problem, when i try to make post request from my app i have an error:

{
  "status": 403,
  "name": "TypeError",
  "message": "Cannot set property 'author' of undefined",
  "details": {}
}

But from postman it works fine. Maybe you can tell me what i'm doing wrong? My axios call:

      axios({
        method: "POST",
        url: "http://localhost:1337/api/articles",
        headers: {
          "content-type": "application/json",
          Authorization: `Bearer ${window.localStorage.getItem("jwt")} `,
        },
        title: "Test article from app",
      });

Hi @Spasio, thank you but I think your axios config is wrong. Try this:

var axios = require('axios');
axios({
  method: 'post',
  url: 'http://localhost:1337/api/articles',
  headers: { 
    'Authorization': 'Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MSwiaWF0IjoxNjQzNDM1OTg2LCJleHAiOjE2NDYwMjc5ODZ9.byIvqOTfx-zNjN85v3OCirBAubaKt3YqOZ5mNI0y370', 
    'Content-Type': 'application/json'
  },
  data : JSON.stringify({"data":{"title":"Test"}})
})

I am however going to correct it so it returns the correct error!

[Spasio]

Hi @nextrapi i try your solution and it's works perfectly, thanks a lot. But i have a little problem, when i try to make post request from my app i have an error:

{
  "status": 403,
  "name": "TypeError",
  "message": "Cannot set property 'author' of undefined",
  "details": {}
}

But from postman it works fine. Maybe you can tell me what i'm doing wrong? My axios call:

      axios({
        method: "POST",
        url: "http://localhost:1337/api/articles",
        headers: {
          "content-type": "application/json",
          Authorization: `Bearer ${window.localStorage.getItem("jwt")} `,
        },
        title: "Test article from app",
      });

Hi @Spasio, thank you but I think your axios config is wrong. Try this:

var axios = require('axios');
axios({
  method: 'post',
  url: 'http://localhost:1337/api/articles',
  headers: { 
    'Authorization': 'Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MSwiaWF0IjoxNjQzNDM1OTg2LCJleHAiOjE2NDYwMjc5ODZ9.byIvqOTfx-zNjN85v3OCirBAubaKt3YqOZ5mNI0y370', 
    'Content-Type': 'application/json'
  },
  data : JSON.stringify({"data":{"title":"Test"}})
})

I am however going to correct it so it returns the correct error!

Thanks for fast reply, your axios config solved my problem. Now everything working great!

[strapi-bot]

This pull request has been mentioned on Strapi Community Forum. There might be relevant details there:

https://forum.strapi.io/t/isowner-policy-in-strapi-4-0/14824/5

[derrickmehaffy]

} else {
      ctx.request.query.filters = { ...ctx.request.query.filters, [field]: userId };
      return true;
    }

You can't do this, setting stuff in the policy ctx won't travel down the chain. You can't set something in a policy only return true/false.

I think this policy could be simplified quite a bit.

---

I also don't understand the purpose of the middleware

[alpakaxaxa]

Hey everyone, at the moment my code in isOwner.js policy looks like this:

module.exports = async (ctx, next) => {
  const { id } = ctx.params;
  const userID = ctx.state.user.id;
  if (id) {
    // content type is hardcoded in this example
    const [entity] = await strapi.entityService.findMany('api::article.article', {
      filters: { id, author: userID },
    });
    if (entity) {
      return true;
    }
  }
  return false
}

As far as I have understood, this works for update, findOne and delete controllers (everything that works on one article). However, what would be the approach if I would want to filter the find controller in a policy? Or am I just able to filter in the controller, e.g. article.js:

module.exports = createCoreController('api::article.article', ({ strapi }) => ({
    async find(ctx) {
        const { data, meta} = await super.find(ctx);
        const { user } = ctx.state;
        let articles = onlyAuthorArticles(data, user);
        return {articles, meta}; 
    }
}));

function onlyAuthorArticles(articles, user) {
    let filteredArticles = articles.filter(article => article.attributes.author.data.id == user.id);
    return filteredArticles;
}

Filtering the ctx object in the policy file is not possible as @derrickmehaffy mentioned.

My approach works I am just not sure if it is the most sensible approach (I doubt that :D)

[pwizla]

@Convly and/or @petersg83 I'd like to have your review on the suggested changes, from a technical point of view, before I can have my technical writing review ready :-)

[leandrosena]

@nextrapi I am very grateful for this documentation PR.
I've been looking for a solution for a long time and this one fits like a glove, thanks 🚀 ❤️

[pwizla]

Hello @derrickmehaffy , @petersg83 and @Convly . I'm following up on this PR to have your technical feedback and see how we can go forward with it 😎

[Convly]

I might be wrong, but this SetOwner won't do much since we can only update entities that belong to the current user.
If this is just to demonstrate where you can put the middleware, maybe we could add a comment next to it to explain things?

[pwizla]

Hello everyone! I'm closing this PR as the recommended way to add an "is-owner policy" equivalent in Strapi v4 is now documented: https://docs.strapi.io/dev-docs/backend-customization/middlewares#restricting-content-access-with-an-is-owner-policy