const _ = require('lodash'); module.exports = async (ctx, next) => { const route = ctx.request.route; let role = '1'; if (ctx.request && ctx.request.header && ctx.request.header.authorization) { try { ctx.state.user = await strapi.plugins['users-permissions'].services.jwt.getToken(ctx); role = ctx.state.user.role; if (role.toString() === '0') { return await next(); } } catch (err) { return ctx.unauthorized(err); } } const permission = _.get(strapi.plugins['users-permissions'].config, ['roles', role.toString(), 'permissions', route.plugin || 'application', 'controllers', route.controller, route.action]); if (!permission) { return await next(); } if (permission.enabled && permission.policy) { try { await strapi.plugins['users-permissions'].config.policies[permission.policy](ctx, next); } catch (err) { ctx.unauthorized(err); } } else if (permission.enabled) { await next(); } else { ctx.unauthorized('Access restricted for this action.'); } };