Policies are functions that execute specific logic on each request before it reaches the controller. They are mostly used for securing business logic.
Each route of a Strapi project can be associated with an array of policies. For example, a policy named `is-admin` could check that the request is sent by an admin user, and restrict access to critical routes.
A new policy can be implemented:
- with the interactive CLI command
- manually, by creating a policy file in one of these folders:
  - `./src/policies/` for global policies
  - `./src/api/[api-name]/policies/` for API policies
  - `./src/plugins/[plugin-name]/policies/` for plugin policies
Global policy implementation example:
`policyContext` is a wrapper around the controller context. It adds some logic that can be useful to implement a policy for both REST and GraphQL.
Policies can be configured using a
To apply policies to a route, add them to its configuration object (see routes documentation).
Policies are referenced differently depending on their scope:
- `global::policy-name` for global policies
- `api::api-name.policy-name` for API policies
- `plugin::plugin-name.policy-name` for plugin policies
To list all the available policies, run `yarn strapi policies:list`.
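As an added example (not code from the Strapi documentation), here is a global `is-admin` policy of the kind described above, written as a pure decision function so it can be tested without a running Strapi, together with a route configuration that references it using the `global::` syntax. It assumes the authenticated user is exposed at `policyContext.state.user` with a `role.type` field, and that the optional `config.roles` array lists the allowed role types.

```javascript
'use strict';
// Assumed file location: ./src/policies/is-admin.js  (global policy)

const DEFAULT_ROLES = ['admin'];

// Decision logic kept separate from the Strapi wiring so it is unit-testable.
// Returns true to let the request through, false to make Strapi reply 403.
function isAdmin(policyContext, config = {}) {
  const allowedRoles =
    Array.isArray(config.roles) && config.roles.length ? config.roles : DEFAULT_ROLES;
  // Assumption: users-permissions populates policyContext.state.user.
  const user = policyContext && policyContext.state && policyContext.state.user;
  if (!user) return false; // unauthenticated request: deny by default
  const roleType = user.role && user.role.type;
  return allowedRoles.includes(roleType);
}

// Strapi v4 policy signature: (policyContext, config, { strapi }) => boolean
function policy(policyContext, config, { strapi } = {}) {
  const allowed = isAdmin(policyContext, config);
  if (!allowed && strapi && strapi.log) {
    // Denials are worth logging: repeated hits on admin routes are a useful signal.
    const url = policyContext.request && policyContext.request.url;
    strapi.log.warn(`is-admin policy denied request to ${url}`);
  }
  return allowed;
}

// Example route configuration (assumed file: ./src/api/article/routes/article.js)
// showing both the plain string reference and the object form with per-route config.
const articleRoutes = {
  routes: [
    {
      method: 'DELETE',
      path: '/articles/:id',
      handler: 'article.delete',
      config: {
        policies: [
          'global::is-admin',
          { name: 'global::is-admin', config: { roles: ['admin', 'editor'] } },
        ],
      },
    },
  ],
};

if (typeof module !== 'undefined') module.exports = policy;
```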
# Global policies
Global policies can be associated with any route in a project.
# Plugin policies
# API policies
API policies are associated with the routes defined in the API where they have been declared.
To use a policy in another API, reference it with the following syntax: