Author can select relational content that another user created.

[Naxos84]

Describe the bug
When a user has the role "author" he can only see and edit the content that was created by the user.
When a content-type contains a relation field to another content-type then the user can select an entry that was not created by him.

Steps to reproduce the behavior

1. create 2 users. (Author A, Author B)
2. assign both users the Author role.
3. create 2 content-types (A and B)
   3.1 add a relation field in A of type B
4. add at least 1 content entry of type B with Author B
5. add a content entry of type A with Author A
6. expand the dropdown for the relational field and see the entry that Author B created.

Expected behavior
Author A should not be able to select relational content that was not created by himself.

Screenshots

Code snippets
//shop.settings.json

{
  "kind": "collectionType",
  "connection": "default",
  "collectionName": "shops",
  "info": {
    "name": "Shop"
  },
  "options": {
    "increments": true,
    "timestamps": true
  },
  "attributes": {
    "pages": {
      "via": "shops",
      "collection": "page",
      "dominant": true
    },
    "identifier": {
      "type": "string",
      "required": true,
      "unique": true
    },
    "name": {
      "type": "string",
      "required": true
    },
  }
}

//page.settings.json

{
  "kind": "collectionType",
  "connection": "default",
  "collectionName": "pages",
  "info": {
    "name": "Page"
  },
  "options": {
    "increments": true,
    "timestamps": true
  },
  "attributes": {
    "slug": {
      "type": "string",
      "required": false,
      "unique": false
    },
    "metaTitle": {
      "type": "string"
    },
    "title": {
      "type": "string",
      "required": true
    },
    "shops": {
      "collection": "shop",
      "via": "pages"
    }
  }
}

System

• Node.js version: v12.16.0
• NPM version: 6.13.4
• Strapi version: 3.1.3
• Database: sqlite
• Operating system: windows 10

Additional context
None

If you need more information please let me know.

In the meantime: Is it possible to implement the expected filter behaviour on my end via Controller/Services?

[derrickmehaffy]

Currently this is the intended as you can select the relation but you can only see the field selected for that relation, it will not allow the user to access the related information.

We don't currently have the option to restrict selecting relations the user owns at the moment, I've set this as an enhancement for now after confirming with our engineering team.

For now we do not have a workaround for this.

[Naxos84]

hey derrickmehaffy.

Thank you very much for the response and the explanation.

When this enhancement will get implemented: Is this issue used for that? (in order to be able to keep track of it?)

[derrickmehaffy]

We don't currently have an ETA for this, it will be something we will be looking into when we start work on the RBAC v2 as it requires some very complex permissions. It's already in our internal to-do, but we don't have a public tracking issue for it.

[itsMattShull]

Just adding my voice to this ticket to follow along. Really useful feature! Also if anyone has thought of a workaround please share :-)

[itsMattShull]

@Naxos84 I found a workaround. The use case being that any role other than Super Admin should only see entries they created in the relation list. Super Admin's should still be able to see all entries of a relation list.

In the strapi-plugin-content-manager package you'll find a file called ContentManager.js. In the strapi project you can find it at node_modules/strapi-plugin-content-manager/controllers/ContentManager.js.

Inside the file you'll find an async function called findRelationList. At the top of the function you'll want to add const { user } = ctx.state;. This will provide you with all the info about the user making the request for the relation list.

Then further down the function, right under let entities = [];, you'll want to add the following:

// START CUSTOM CODE
    // FILTERS RELATION LISTS FOR AUTHORS TO ONLY SHOW ENTRIES THEY HAVE CREATED
    if (user.roles[0].code !== 'strapi-super-admin') {
      query['created_by'] = `${user.id}`;
    }
    // END CUSTOM CODE

This if statement takes checks to see if the User's role is Super Admin, and if not it will add created_by as a parameter to the filter that Strapi uses to fetch the relation list.

If you want to filter the relation list for all the roles, including Super Admin, then you only need to add the following right under let entities = [];:

query['created_by'] = `${user.id}`;

There wouldn't be a need to get the user info or the if statement.

I know it's not an official fix, but hopefully it's a good work around for you too! Would still love this ability built into the platform.

[itsMattShull]

@derrickmehaffy I'm new to strapi, but would the proper way to make this change so that when it upgrades it doesn't break be to use Extensions? So I created extensions/strapi-plugin-content-manager/controllers/ContentManager.js in my root folder and use the code I discussed above?

If so, I understand that any time I update Strapi I'd need to make sure that file I created is similar to node_modules/strapi-plugin-content-manager/controllers/ContentManager.js or it'll break.

[derrickmehaffy]

If so, I understand that any time I update Strapi I'd need to make sure that file I created is similar to node_modules/strapi-plugin-content-manager/controllers/ContentManager.js or it'll break.

Yes exactly, it's the downside to the extensions system as it requires you to keep that part of the code in sync with our version. We are planning some changes to the v4 with more programmatic hooks into various parts of the code so you don't need to override whole files or functions.

[derrickmehaffy]

This issue has been mentioned on Strapi Community Forum. There might be relevant details there:

https://forum.strapi.io/t/author-is-reading-other-authors-items-by-the-related-field/2920/2

[silasaragozo]

I'm new to strapi, I started this same topic on the forum! in version 3.5.0, I can't find the file, node_modules / strapi-plugin-content-manager / controllers / ContentManager.js

No solution so far!

[derrickmehaffy]

@silasaragozo that file was broken down into multiple new files: https://github.com/strapi/strapi/tree/master/packages/strapi-plugin-content-manager/controllers

[silasaragozo]

very good! you would have an example of what file and what that file would look like after the modification! I'm new to strapi, I did some tests on these files, but I didn't get the expected result!

[derrickmehaffy]

I'm not sure as I have not reviewed these files lately, it's been quite a busy quarter so hard to keep up with custom modifications and workarounds right now.

[silasaragozo]

I understand! thank you very much for pointing a north in my research! I will look for a solution!