2020-02-19 17:08:16 +01:00
# Create is owner policy
2020-02-20 19:06:40 +01:00
This guide will explain how to restrict content edition to content authors only.
2020-02-19 17:08:16 +01:00
## Introduction
2020-02-20 19:06:40 +01:00
It is often required that the author of an entry is the only user allowed to edit or delete the entry.
2020-02-19 17:08:16 +01:00
2020-02-20 19:06:40 +01:00
This is a feature that is requested a lot and in this guide we will see how to implement it.
2020-02-19 17:08:16 +01:00
## Example
For this example, we will need an Article Content Type.
Add a `text` field and a `relation` field for this Content Type.
The `relation` field is a **many-to-one** relation with User.< br >
One User can have many Articles and one Article can have only one User.< br >
Name the field `author` for the Article Content Type and `articles` on the User side.
Now we are ready to start customization.
## Apply the author by default
2020-02-20 19:06:40 +01:00
When we are creating a new Article via `POST /articles` we will need to set the authenticated user as the author of the article.
2020-02-19 17:08:16 +01:00
2020-02-20 19:06:40 +01:00
To do so we will customize the `create` controller function of the Article API.
2020-02-19 17:08:16 +01:00
**Concepts we will use:**
Here is the code of [core controllers ](../concepts/controllers.html#core-controllers ).
We will also use this [documentation ](../plugins/users-permissions.html#user-object-in-strapi-context ) to access the current authenticated user information.
**Path —** `./api/article/controllers/Article.js`
```js
const { parseMultipartData, sanitizeEntity } = require('strapi-utils');
module.exports = {
/**
* Create a record.
*
* @return {Object}
*/
async create(ctx) {
let entity;
if (ctx.is('multipart')) {
const { data, files } = parseMultipartData(ctx);
data.author = ctx.state.user.id;
entity = await strapi.services.article.create(data, { files });
} else {
ctx.request.body.author = ctx.state.user.id;
entity = await strapi.services.article.create(ctx.request.body);
}
return sanitizeEntity(entity, { model: strapi.models.article });
},
};
```
Now, when an article is created, the authenticated user is automaticaly set as author of the article.
## Limit the update
Now we will restrict the update of articles only for the author.
We will use the same concepts as previously.
**Path —** `./api/article/controllers/Article.js`
```js
const { parseMultipartData, sanitizeEntity } = require('strapi-utils');
module.exports = {
/**
* Create a record.
*
* @return {Object}
*/
async create(ctx) {
let entity;
if (ctx.is('multipart')) {
const { data, files } = parseMultipartData(ctx);
data.author = ctx.state.user.id;
entity = await strapi.services.article.create(data, { files });
} else {
ctx.request.body.author = ctx.state.user.id;
entity = await strapi.services.article.create(ctx.request.body);
}
return sanitizeEntity(entity, { model: strapi.models.article });
},
/**
* Update a record.
*
* @return {Object}
*/
async update(ctx) {
2020-04-02 18:10:22 +02:00
const { id } = ctx.params;
2020-02-19 17:08:16 +01:00
let entity;
const [article] = await strapi.services.article.find({
id: ctx.params.id,
'author.id': ctx.state.user.id,
});
if (!article) {
return ctx.unauthorized(`You can't update this entry` );
}
if (ctx.is('multipart')) {
const { data, files } = parseMultipartData(ctx);
2020-04-02 18:10:22 +02:00
entity = await strapi.services.article.update({ id }, data, {
2020-02-19 17:08:16 +01:00
files,
});
} else {
2020-04-02 18:10:22 +02:00
entity = await strapi.services.article.update({ id }, ctx.request.body);
2020-02-19 17:08:16 +01:00
}
return sanitizeEntity(entity, { model: strapi.models.article });
},
};
```
And tada!
2020-02-20 16:23:07 +01:00
::: tip
For the delete action, it will be the exact same check than the update action.
:::
