# Policies
Policies are functions that execute specific logic on each request before it reaches the controller. They are mostly used for securing business logic.
Each route of a Strapi project can be associated to an array of policies. For example, a policy named is-admin
could check that the request is sent by an admin user, and restrict access to critical routes.
Policies can be global or scoped. Global policies can be associated to any route in the project. Scoped policies only apply to a specific API or plugin.
# Implementation
A new policy can be implemented:
- with the interactive CLI command
strapi generate
- or manually by creating a JavaScript file in the appropriate folder (see project structure):
./src/policies/
for global policies./src/api/[api-name]/policies/
for API policies./src/plugins/[plugin-name]/policies/
for plugin policies
Global policy implementation example:
policyContext
is a wrapper arround the controller context. It adds some logic that can be useful to implement a policy for both REST and GraphQL.
Policies can be configured using a config
object:
# Usage
To apply policies to a route, add them to its configuration object (see routes documentation).
Policies are called different ways depending on their scope:
- use
global::policy-name
for global policies - use
api::api-name.policy-name
for API policies - use
plugin::plugin-name.policy-name
for plugin policies
💡 TIP
To list all the available policies, run yarn strapi policies:list
.
# Global policies
Global policies can be associated to any route in a project.
# Plugin policies
Plugins can add and expose policies to an application. For example, the Users & Permissions plugin comes with policies to ensure that the user is authenticated or has the rights to perform an action:
# API policies
API policies are associated to the routes defined in the API where they have been declared.
To use a policy in another API, reference it with the following syntax: api::[apiName].[policyName]
:
← Routes Middlewares →