Skip to main content

Advanced policies for the GraphQL API

Requests sent to the GraphQL API pass through Strapi's middlewares and policies system. Policies can be attached to resolvers to implement complex authorization rules, as shown in the present short guide.

For additional information on GraphQL policies, please refer to the GraphQL plugin configuration documentation.

Conditional visibility

To limit the number of returned entries for unauthenticated users you can write a policy that modifies resolver arguments:

/src/policies/limit-public-results.ts
export default async (policyContext, config, { strapi }) => {
  const { state, args } = policyContext;

  if (!state.user) {
    args.limit = 4; // only return 4 results for public
  }

  return true;
};

Register the policy in /config/policies.ts and apply it to a resolver:

/config/policies.ts
export default {
  'api::restaurant.restaurant': {
    find: [ 'global::limit-public-results' ],
  },
};

Group membership

Policies can access policyContext.state.user to check group membership, as in the following example:

/src/policies/is-group-member.ts
export default async ({ state }, config, { strapi }) => {
  const userGroups = await strapi.query('plugin::users-permissions.group').findMany({
    where: { users: { id: state.user.id } },
  });
  return userGroups.some(g => g.name === config.group);
};

Use the policy with the following configuration:

/config/policies.ts
export default {
  'api::restaurant.restaurant': {
    find: [{ name: 'global::is-group-member', config: { group: 'editors' } }],
  },
};

With this setup the resolver only returns results if the authenticated user belongs to the editors group.

Contribute to this page