Customize users API to hide sensitive information from Contributor role #138

Open
sidemt opened this issue Sep 5, 2023 · 2 comments · May be fixed by #404
sidemt commented Sep 5, 2023

We should customize the API so that Contributors can't get sensitive information (such as emails) of other Contributors.

Background of the issue: #133

sidemt mentioned this issue Sep 5, 2023
sidemt self-assigned this Oct 19, 2023

sidemt commented Oct 31, 2023

I want to filter out email and username fields in the response of GET /users endpoint.

First I thought of overriding the default controller action, something like what I have done here:

But the difficulty is that the GET /users endpoint is provided by the users-permissions plugin, so it's different from the other core controllers such as post and tag.

I'm now looking into these approaches (haven't been successful yet):

sidemt linked a pull request Jan 22, 2024 that will close this issue

sidemt commented Jan 30, 2024

What I have found so far:

  • default users-permissions plugin

    • can enable/disable each endpoint (action)
      • but if you disable /users endpoint, it also disables populate of the user data in other endpoints (e.g. /posts?populate[0]=author)
    • cannot enable/disable each field
    • can set different rule for each role
    • can set rule for API token access
    • cannot set isOwn rule
  • protected-populate plugin

    • can enable/disable each field
    • can set different rule for each role
    • cannot set rule for API token access
    • cannot set isOwn rule

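One way to do the field filtering discussed in this thread, as an added example that is not code from the issue, the linked pull request, or the project: instead of disabling the /users route (which, as noted above, also breaks populate of the author relation elsewhere), wrap the users-permissions `user.find` and `user.findOne` controller actions in a Strapi v4 plugin extension (the `src/extensions/users-permissions/strapi-server.js` hook) so that sensitive fields are stripped from the response for the Contributor role while the requester's own record stays intact, which is the `isOwn` rule the comment above says neither plugin provides. The field list, the role names (`Contributor`, `Editor`, `Admin`), the assumption that `ctx.state.user.role` carries the populated role object, and the constructed sample users are all assumptions of this example, not settings or data from the project. Users populated through other controllers (e.g. `/posts?populate[0]=author`) go through a different code path and would need their own filter, which is not shown here.

```javascript
// Added example (not from the issue or the project): strip sensitive fields
// from users-permissions responses for non-privileged roles, keeping the
// requester's own record whole ("isOwn"). Field list and role names are
// assumptions for illustration.

// Fields a Contributor must not see on other users (assumed list).
const SENSITIVE_FIELDS = ['email', 'username', 'provider', 'confirmed', 'blocked'];

// Roles allowed to see every field of every user (assumed role names).
const PRIVILEGED_ROLES = new Set(['Editor', 'Admin']);

// Extract the role name whether ctx.state.user.role is a populated object
// or a plain string; null for anonymous requests.
function roleNameOf(requester) {
  if (!requester || !requester.role) return null;
  return typeof requester.role === 'string' ? requester.role : requester.role.name || null;
}

// Return a copy of one user record without SENSITIVE_FIELDS, unless the
// requester is that user or holds a privileged role.
function sanitizeUser(user, requester) {
  if (!user || typeof user !== 'object') return user;
  const isOwn = Boolean(requester) && requester.id === user.id;
  if (isOwn || PRIVILEGED_ROLES.has(roleNameOf(requester))) return user;
  const copy = { ...user };
  for (const field of SENSITIVE_FIELDS) delete copy[field];
  return copy;
}

// users-permissions find() sets ctx.body to a flat array of users and
// findOne() to a single object; handle both shapes.
function sanitizeBody(body, requester) {
  if (Array.isArray(body)) return body.map((u) => sanitizeUser(u, requester));
  return sanitizeUser(body, requester);
}

// Wrap an existing Koa-style controller action: run it, then filter ctx.body
// using the authenticated user that the users-permissions auth strategy
// places in ctx.state.user.
function withSensitiveFieldFilter(originalAction) {
  return async function filteredAction(ctx, ...rest) {
    const result = await originalAction.call(this, ctx, ...rest);
    // Most Strapi actions assign ctx.body; tolerate ones that return instead.
    if (ctx.body === undefined && result !== undefined) ctx.body = result;
    ctx.body = sanitizeBody(ctx.body, ctx.state && ctx.state.user);
    return ctx.body;
  };
}

// Extension entry point in the shape Strapi v4 expects from
// src/extensions/users-permissions/strapi-server.js: receives the plugin
// object, replaces the actions, returns the plugin (assumed wiring).
function extendUsersPermissions(plugin) {
  const user = plugin.controllers.user;
  user.find = withSensitiveFieldFilter(user.find);
  user.findOne = withSensitiveFieldFilter(user.findOne);
  return plugin;
}

// Constructed sample data (not real accounts) to show the effect offline.
function sampleUsers() {
  return [
    { id: 1, username: 'alice', email: 'alice@example.com', provider: 'local', confirmed: true, blocked: false },
    { id: 2, username: 'bob', email: 'bob@example.com', provider: 'local', confirmed: true, blocked: false },
  ];
}

// Simulate GET /users as user 1 (a Contributor) through the wrapped action.
async function demo() {
  const fakePlugin = {
    controllers: { user: { find: async (ctx) => { ctx.body = sampleUsers(); }, findOne: async (ctx) => { ctx.body = sampleUsers()[1]; } } },
  };
  extendUsersPermissions(fakePlugin);
  const ctx = { state: { user: { id: 1, role: { name: 'Contributor' } } }, body: undefined };
  await fakePlugin.controllers.user.find(ctx);
  return ctx.body; // alice keeps her email; bob's email/username are gone
}

if (typeof module !== 'undefined') module.exports = extendUsersPermissions;
```

Putting the filter on the controller action rather than on the route keeps the endpoint enabled, so role permissions and API-token rules in the plugin settings continue to apply as before; the filter only narrows what an already-authorized request gets back.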