Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Customize users API to hide sensitive information from Contributor role #138

Open
sidemt opened this issue Sep 5, 2023 · 2 comments · May be fixed by #404
Open

Customize users API to hide sensitive information from Contributor role #138

sidemt opened this issue Sep 5, 2023 · 2 comments · May be fixed by #404
Assignees
@sidemt
Labels
scope: backend

Comments

@sidemt
Copy link
Member

sidemt commented Sep 5, 2023
edited

We should customize the API so that Contributors shouldn't be able to get sensitive information (such as emails) of other Contributors.

Background of the issue: #133
@sidemt sidemt mentioned this issue Sep 5, 2023
Merged
2 tasks
@sidemt sidemt self-assigned this Oct 19, 2023
@sidemt
Copy link
Member Author

sidemt commented Oct 31, 2023

I want to filter out email and username fields in the response of GET /users endpoint.

First I thought of overriding the default controller action, something like what I have done here:

publish/publish-backend/src/api/post/controllers/post.js

Line 17 in a27fc5e

async create(ctx) {

But the difficulty is, GET /users endpoint is provided by users-permissions plugin so it's different from other core controllers such as post and tag.

I'm now looking into these approaches (haven't been successful yet):

@sidemt sidemt mentioned this issue Nov 20, 2023
Open
@sidemt sidemt linked a pull request Jan 22, 2024 that will close this issue
Draft
2 tasks
@sidemt
Copy link
Member Author

sidemt commented Jan 30, 2024

What I have found so far:

  • default users-permissions plugin

    • can enable/disable each endpoint (action)
      • but if you disable /users endpoint, it also disables populate of the user data in other endpoints (e.g. /posts?populate[0]=author)
    • cannot enable/disable each field
    • can set different rule for each role
    • can set rule for API token access
    • cannot set isOwn rule

  • protected-populate plugin

    • can enable/disable each field
    • can set different rule for each role
    • cannot set rule for API token access
    • cannot set isOwn rule

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@sidemt sidemt

Labels
scope: backend
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix: hide sensitive data sidemt/publish
1 participant
@sidemt