I can’t hide creator fields, as mentioned in the docs. I created a collection called “facilities” and put "populateCreatorFields": false into the options property in facilities.settings.json. Hiding specific fields using "privateAttributes": ["id", "created_at"] also doesn’t work. It’s also not working for components.
The problem is that the encrypted password and the email address get exposed.
privateAttributes and populateCreatorFields by default work only with Strapi’s find()/findOne() methods; these use sanitize by default.
These are used when you make API calls to these URLs:
/articles → this will call the find() function, which is created by Strapi and has its own sanitize (all hidden fields are not displayed)
/articles/1 → this will call the findOne() function, which is also created by Strapi and has its own sanitize (all hidden fields are not displayed)
When you make a manual call of strapi.services.articles.find(), you are NOT using the sanitized method, which means you will return all hidden fields, creator fields, etc.
Second, sanitize fetched data by providing data and defining the model:
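// sanitizeEntity is exported by the strapi-utils package (Strapi v3)
const { sanitizeEntity } = require('strapi-utils');

// Raw service call: the result still contains private and creator fields
let result = await strapi.services.articles.find();
// Strip the fields that the model's settings mark as hidden
let articles = sanitizeEntity(result, {
  model: strapi.models['articles'],
});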
Now articles contains data without creator fields and without privateAttributes (id, created_at), as you defined these options in facilities.settings.json.
Yup exactly my thoughts and why I wanted to move this discussion over here to the forum. You are most likely using a custom controller that isn’t passing the query response (or service) into the sanitize function which is where the fields are stripped.
Hi, can we disable this creator’s data only for unauthenticated users, and send the creator’s data to the authenticated user? I tried the sanitize method, but the issue is that there are 80 endpoints and we need to update all of them. Is there any solution to do this without updating all the endpoints?
To my knowledge there is no solution for this. You can enable it for all users and then use something like Protected Populate | Strapi Market to remove them from being requested by non-auth users, but this needs to happen on every single endpoint.
Thanks for the update. I’m currently using Strapi version 3.6. The plugin is not working for that. Can we sanitize response data from anywhere all the responses are going? Does Strapi have that kind of solution, like a makeResponse function?
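An added example, not part of the thread and not Strapi's own code: a Koa-style response filter that removes creator fields from every JSON response for unauthenticated requests, as a single choke point instead of per-endpoint edits. It assumes the creator fields are named created_by and updated_by, that an authenticated request has ctx.state.user set by the time the route returns, and that you register the middleware in the application yourself (registration is not shown).

```javascript
// Assumption: the creator field names; adjust to your models.
const CREATOR_FIELDS = new Set(['created_by', 'updated_by']);

// Recursively copy a JSON-like value, dropping creator fields at any depth
// (covers relations and components nested inside the entity).
function stripCreatorFields(value) {
  if (Array.isArray(value)) return value.map(stripCreatorFields);
  if (value === null || typeof value !== 'object') return value;
  if (value instanceof Date) return value; // keep timestamps intact
  const out = {};
  for (const [key, inner] of Object.entries(value)) {
    if (CREATOR_FIELDS.has(key)) continue;
    out[key] = stripCreatorFields(inner);
  }
  return out;
}

// Koa-style middleware: after the route has produced ctx.body, scrub it
// unless the request was authenticated (ctx.state.user set; assumption).
function creatorFieldFilter() {
  return async (ctx, next) => {
    await next();
    const isPlainJson = ctx.body !== null && typeof ctx.body === 'object' &&
      !Buffer.isBuffer(ctx.body) && typeof ctx.body.pipe !== 'function';
    if (isPlainJson && !(ctx.state && ctx.state.user)) {
      ctx.body = stripCreatorFields(ctx.body);
    }
  };
}

// Constructed sample response resembling the leak described in the thread.
const sampleBody = [{
  id: 1,
  name: 'Pool',
  created_by: { id: 1, email: 'admin@example.test', password: '$2a$10$constructed' },
  rooms: [{ id: 7, updated_by: { id: 1, email: 'admin@example.test' } }],
}];

// Drive the middleware with a mock ctx; `user` is null for anonymous requests.
async function runDemo(user) {
  const ctx = { state: user ? { user } : {}, body: null };
  await creatorFieldFilter()(ctx, async () => { ctx.body = sampleBody; });
  return ctx.body;
}
```

A filter like this is a backstop only: custom controllers should still pass their results through sanitizeEntity so that privateAttributes are honoured.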