Introduction
In this post, we will see:
- create a test user
- Authenticate it via REST API
- How we will create an Article using REST API.
- How to configure that only Author can add/update/delete an article
So far, we have seen How to Configure permissions on Article
Create a Test User
- Click on Users
- Add new User
Authenticate the User
The REST end point for this is:
POST /auth/local
Body:
{
identifier: "email",
password: ""
}
As you can see, once we authenticate user by REST API, we get a jwt token. Which will be used for authenticated other APIs, like create/update/delete.
Create an Article
POST /articles
Body:
{
title: "",
body: ""
}
Header:
Authorization: Bearer <jwt token>
Edit or Update an Article
The process will remain same, only HTTP method will change
PUT /articles
Body:
{
title: "",
body: ""
}
Header:
Authorization: Bearer <jwt token>Delete an Article
The process will remain same, only HTTP method will change
PUT /articles/<id>
Header:
Authorization: Bearer <jwt token>Configure only Author can Update/Delete an Article
So far we have configured that authenticated users can create/update/delete articles. But, we do not want that any authenticated user will update other author’s articles.
We need to do little tweaking in strapi. Lets follow.
Save Author user details in Articles created.
Till now, there is no information saved that who created a particular article. Lets starting saving it.
- Goto Content types builder.
- Goto your Article type
- Click on: “Add Another field”
- Click on Relation type
- On right side, select: “User (from users-permission)”
- On left side, give it a name as “author”
- Select relation as: “many-to-one”. It will show as: “User has many articles”
Now, we need to start saving user information with created articles. For this, we need to write little code.
Open /api/article/controllers/article.js
Replace file content with following:
const { parseMultipartData, sanitizeEntity } = require('strapi-utils');
module.exports = {
/**
* Create a record.
*
* @return {Object}
*/
async create(ctx) {
let entity;
if (ctx.is('multipart')) {
const { data, files } = parseMultipartData(ctx);
data.author = ctx.state.user.id;
entity = await strapi.services.article.create(data, { files });
} else {
ctx.request.body.author = ctx.state.user.id;
entity = await strapi.services.article.create(ctx.request.body);
}
return sanitizeEntity(entity, { model: strapi.models.article });
},
};Save it.
Create Article again from REST API
Now when you submit the create article request again, you will have author information saved with each article. A sample response will look like:
{
"_id": "608e66f33c976e44787564c4",
"title": "How to create an Article2",
"body": "I will explain the process",
"published_at": "2021-05-02T08:46:43.948Z",
"createdAt": "2021-05-02T08:46:43.952Z",
"updatedAt": "2021-05-02T08:46:43.959Z",
"__v": 0,
"author": {
"confirmed": true,
"blocked": false,
"_id": "608e0771a81d84396e94a1d8",
"username": "test",
"email": "[email protected]",
"provider": "local",
"createdAt": "2021-05-02T01:59:13.156Z",
"updatedAt": "2021-05-02T01:59:13.163Z",
"__v": 0,
"role": "608d84c0dbb8e436fba3faa4",
"id": "608e0771a81d84396e94a1d8"
},
"id": "608e66f33c976e44787564c4"
}Restrict Author can Update only his Articles
Again, we will need to write little code for this.
Open same file again: /api/article/controllers/article.js
Add following code:
/**
* Update a record.
*
* @return {Object}
*/
async update(ctx) {
const { id } = ctx.params;
let entity;
const [article] = await strapi.services.article.find({
id: ctx.params.id,
'author.id': ctx.state.user.id,
});
if (!article) {
return ctx.unauthorized(`You can't update this entry`);
}
if (ctx.is('multipart')) {
const { data, files } = parseMultipartData(ctx);
entity = await strapi.services.article.update({ id }, data, {
files,
});
} else {
entity = await strapi.services.article.update({ id }, ctx.request.body);
}
return sanitizeEntity(entity, { model: strapi.models.article });
},In above code, while receiving update article request. We are checking if the authenticated user is the author of article asked. If yes, proceed else reject the call.
Restrict that Author can delete only his Articles
Similarly to restrict that users can delete only their articles. Write below code in same file: /api/article/controllers/article.js
async delete(ctx) {
const { id } = ctx.params;
let entity;
const [article] = await strapi.services.article.find({
id: ctx.params.id,
'author.id': ctx.state.user.id,
});
if (!article) {
return ctx.unauthorized(`You can't update this entry`);
}
if (ctx.is('multipart')) {
const { data, files } = parseMultipartData(ctx);
entity = await strapi.services.article.delete({ id }, data, {
files,
});
} else {
entity = await strapi.services.article.delete({ id }, ctx.request.body);
}
return sanitizeEntity(entity, { model: strapi.models.article });
},Next
In next post, we will see how to setup a Slug(Nice URL) system.
