# Create is owner policy
This guide will explain how to restrict content editing to content authors only.
# Introduction
It is often required that the author of an entry is the only user allowed to edit or delete the entry.
This is a feature that is requested a lot and in this guide we will show how to implement it.
# Example
For this example, we will need an Article Content Type.
Add a text
field and a relation
field for this Content Type.
The relation
field is a many-to-one relation with User.
One User can have many Articles and one Article can have only one User.
Name the field author
for the Article Content Type and articles
on the User side.
Now we are ready to start customization.
# Apply the author by default
When we are creating a new Article via POST /articles
we will need to set the authenticated user as the author of the article.
To do so we will customize the create
controller function of the Article API.
Concepts we will use: Here is the code of core controllers. We will also use this documentation to access the current authenticated user information.
Path — ./api/article/controllers/Article.js
const { parseMultipartData, sanitizeEntity } = require('strapi-utils');
module.exports = {
/**
* Create a record.
*
* @return {Object}
*/
async create(ctx) {
let entity;
if (ctx.is('multipart')) {
const { data, files } = parseMultipartData(ctx);
data.author = ctx.state.user.id;
entity = await strapi.services.article.create(data, { files });
} else {
ctx.request.body.author = ctx.state.user.id;
entity = await strapi.services.article.create(ctx.request.body);
}
return sanitizeEntity(entity, { model: strapi.models.article });
},
};
Now, when an article is created, the authenticated user is automatically set as author of the article.
# Limit the update
Now we will restrict the update of articles only for the author.
We will use the same concepts as previously.
Path — ./api/article/controllers/Article.js
const { parseMultipartData, sanitizeEntity } = require('strapi-utils');
module.exports = {
/**
* Create a record.
*
* @return {Object}
*/
async create(ctx) {
let entity;
if (ctx.is('multipart')) {
const { data, files } = parseMultipartData(ctx);
data.author = ctx.state.user.id;
entity = await strapi.services.article.create(data, { files });
} else {
ctx.request.body.author = ctx.state.user.id;
entity = await strapi.services.article.create(ctx.request.body);
}
return sanitizeEntity(entity, { model: strapi.models.article });
},
/**
* Update a record.
*
* @return {Object}
*/
async update(ctx) {
const { id } = ctx.params;
let entity;
const [article] = await strapi.services.article.find({
id: ctx.params.id,
'author.id': ctx.state.user.id,
});
if (!article) {
return ctx.unauthorized(`You can't update this entry`);
}
if (ctx.is('multipart')) {
const { data, files } = parseMultipartData(ctx);
entity = await strapi.services.article.update({ id }, data, {
files,
});
} else {
entity = await strapi.services.article.update({ id }, ctx.request.body);
}
return sanitizeEntity(entity, { model: strapi.models.article });
},
};
And tada!
💡 TIP
For the delete action, it will be the exact same check as the update action.