I've enabled the update permissions for the Authenticated role of Users-permissions.
I noticed that now, any Authenticated user can update any other user using the PUT /users/:id
endpoint.
That's a weird default behaviour!
I guess I have to add a policy to restrict this by editing src/extensions/users-permissions/strapi-server.js.
'use strict';

module.exports = (plugin) => {
  // get the content-api routes of the 'users-permissions' plugin
  const apiRoutes = plugin.routes['content-api'].routes;

  // add policies to PUT /users/:id (handler 'user.update')
  apiRoutes
    .filter((route) => route.handler === 'user.update')
    .forEach((route) => {
      route.config.policies = [...]; // the policies to restrict this route go here
    });

  return plugin;
};
What policies should I use (or create) to restrict that endpoint? I want to allow access only if the user is updating his own profile, or if he has the 'Admin' role.
Is that possible?
Thanks!
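One way to implement the restriction asked for above, as an added example that is not part of the original post and not Strapi's own code: a Strapi v4 global policy, assumed to live in src/policies/is-owner-or-admin.js and to be referenced from the strapi-server.js snippet as route.config.policies = ['global::is-owner-or-admin']. It assumes the Strapi v4 policy signature (policyContext, config, { strapi }) => boolean, that policyContext.state.user is the authenticated user with its role populated (role.name), that policyContext.params.id is the :id route parameter, and that the JSON body is in policyContext.request.body. It goes one step beyond the question: an "update your own profile" rule on its own would still let a user send { "role": <admin role id> } to their own record, so non-admin self-updates that touch privileged fields are denied as well. The role name and the list of privileged fields are assumptions to adjust for your project.

```javascript
'use strict';

// Added example (not from the original post or from Strapi): a Strapi v4 global
// policy for PUT /users/:id. Assumed location: src/policies/is-owner-or-admin.js,
// referenced as 'global::is-owner-or-admin' in route.config.policies.
//
// Assumptions about policyContext (Strapi v4 policy context):
//   - policyContext.state.user   authenticated user, with `role` populated (role.name)
//   - policyContext.params.id    the :id route parameter (arrives as a string)
//   - policyContext.request.body the parsed JSON body of the request

// Users-permissions role name treated as administrator (assumed, from the question).
const ADMIN_ROLE_NAMES = ['Admin'];

// Fields a non-admin must not be able to set on their own record. Without this,
// "own profile" updates would allow self-promotion via { "role": ... }.
// Assumed list; extend it for any other sensitive field in your user model.
const PRIVILEGED_FIELDS = ['role', 'confirmed', 'blocked', 'provider'];

function isAdmin(user) {
  const role = (user && user.role) || {};
  return ADMIN_ROLE_NAMES.includes(role.name);
}

// Pure decision: true = allow, false = deny (Strapi answers 403 when a policy returns false).
// Kept free of Strapi objects so it can be unit tested without a running instance.
function decide(user, targetId, body) {
  // No authenticated user at all: deny.
  if (!user || user.id === undefined || user.id === null) return false;

  // Admins may update anyone, including privileged fields.
  if (isAdmin(user)) return true;

  // Route params are strings while database ids are numbers: compare as strings.
  if (String(user.id) !== String(targetId)) return false;

  // Self-update: allowed unless the body tries to touch a privileged field.
  const fields = Object.keys(body || {});
  return !fields.some((field) => PRIVILEGED_FIELDS.includes(field));
}

// Strapi v4 policy signature: (policyContext, config, { strapi }) => boolean
const isOwnerOrAdmin = (policyContext /* , config, { strapi } */) => {
  const { state = {}, params = {}, request = {} } = policyContext;
  return decide(state.user, params.id, request.body);
};

module.exports = isOwnerOrAdmin;
```

The policy deliberately denies rather than silently stripping the privileged fields, so a client that sends "role" by mistake gets a 403 instead of a partial update it did not ask for. Note that this protects only the users-permissions content-api route; the admin panel has its own, separate authorization.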