Thanks, I’ve followed your suggestion and created a new route for this purpose, and also revoked access to the other /user routes to prevent a user from updating (or deleting) a different user.
Several things to bear in mind:
- You should verify yourself that the updated email and/or user is not taken (this is done when using /users/:id)
- You should hash the new password (if provided) before saving it by:
  `await strapi.plugins['users-permissions'].services.user.hashPassword({ password })`
- Also make sure to nullify the resetPasswordToken field when changing the password.
Thanks again for your assistance,
Yossi
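
The checks listed in the post above, put together as an added example (not code from the original post or from Strapi itself). It assumes Strapi v3, where `strapi.query('user', 'users-permissions')` exposes `findOne` and `update`; `updateOwnAccount` and `makeStubStrapi` are hypothetical names, and the stub is constructed so the logic runs offline.

```javascript
// Added example. Assumes Strapi v3; updateOwnAccount and makeStubStrapi are hypothetical names.
// `strapi` is injected so the logic can run against a stub; in a real controller
// pass the global strapi, ctx.state.user and ctx.request.body.
async function updateOwnAccount(strapi, authUser, body) {
  const users = strapi.query('user', 'users-permissions');
  const data = {};
  // Allow-list: role, blocked, confirmed, id etc. are never taken from the client.
  for (const field of ['username', 'email']) {
    if (typeof body[field] === 'string' && body[field].trim() !== '') {
      data[field] = body[field].trim();
    }
  }
  // Uniqueness is not checked for us on a custom route, so do it here.
  for (const field of Object.keys(data)) {
    const other = await users.findOne({ [field]: data[field] });
    if (other && other.id !== authUser.id) {
      return { ok: false, error: `${field} already taken` };
    }
  }
  if (typeof body.password === 'string' && body.password !== '') {
    data.password = await strapi.plugins['users-permissions'].services.user
      .hashPassword({ password: body.password });
    data.resetPasswordToken = null; // an outstanding reset link must stop working
  }
  // The target id comes from the authenticated session, never from the request.
  const updated = await users.update({ id: authUser.id }, data);
  const { password, resetPasswordToken, ...safe } = updated;
  return { ok: true, user: safe };
}

// Constructed in-memory stand-in for the Strapi calls used above.
function makeStubStrapi(rows) {
  const match = (r, where) => Object.keys(where).every((k) => r[k] === where[k]);
  const query = {
    findOne: async (where) => rows.find((r) => match(r, where)) || null,
    update: async ({ id }, data) => Object.assign(rows.find((r) => r.id === id), data),
  };
  // Placeholder hash for the stub only; the real service does the hashing.
  const hashPassword = async ({ password }) => 'hashed:' + password;
  return {
    query: () => query,
    plugins: { 'users-permissions': { services: { user: { hashPassword } } } },
  };
}
```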