Not possible to hide creator fields (Bug?)

This thread is the follow-up of my Github conversation with @DMehaffy.

I can’t hide creator fields, as mentioned in the Docs. I created a collection called “facilities” and put "populateCreatorFields": false into the options property in facilities.settings.json. Hiding specific fields using "privateAttributes": ["id", "created_at"] also doesn’t work. It’s also not working for components.

The problem is that the encrypted password and the email address get exposed.

The project can be found on Github: GitHub - mariusbolik/strapi-example
Please open http://localhost:1337/facilities to see the JSON response.

System Information
  • Strapi Version: 3.2.5
  • Operating System: macOS Catalina
  • Database: MySQL
  • Node Version: 12.18.3
  • NPM Version: 6.14.6

privateAttributes and populateCreatorFields by default work only with Strapi’s own find()/findOne() methods, which are sanitized by default.

These are used when you make API calls to URLs:
/articles → this calls the find() function, which is created by Strapi and has its own sanitize (all hidden fields are not displayed)
/articles/1 → this calls the findOne() function, which is also created by Strapi and has its own sanitize (all hidden fields are not displayed)

When you make a manual call to strapi.services.articles.find(), you are NOT using the sanitized method, which means you will return all hidden fields, creator fields, etc.

Solution:

You are using a custom .find() and the result is not sanitized.

First, import sanitize utils:
const { sanitizeEntity } = require('strapi-utils');

Second, sanitize fetched data by providing data and defining the model:

// The custom service call returns the raw, unsanitized entities
let result = await strapi.services.articles.find();
// Apply the model's privateAttributes / populateCreatorFields options
let articles = sanitizeEntity(result, {
  model: strapi.models['articles'],
});

Now articles contains data without creator fields and without privateAttributes (id, created_at), as you defined these options in facilities.settings.json.

1 Like
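Added example (not the thread’s or Strapi’s own code): a small stand-in for the private-attribute and creator-field stripping that sanitizeEntity performs, using the options from facilities.settings.json, plus a check that flags any response body still carrying created_by/updated_by or a password field. The facilitiesModel object and the facility records are constructed for the demo, and nested objects are assumed to share the parent’s options.

```javascript
// Added example, not Strapi's own code: a minimal stand-in for what
// sanitizeEntity does for the options in this thread, run on a constructed
// facility record so it executes offline. Assumption: nested objects are
// sanitized with the parent's options (real Strapi uses each relation's model).
const CREATOR_FIELDS = ['created_by', 'updated_by'];

// Stand-in for strapi.models['facilities'] with facilities.settings.json options.
const facilitiesModel = {
  options: { populateCreatorFields: false, privateAttributes: ['id', 'created_at'] },
};

// Drop privateAttributes and, unless populateCreatorFields is true, the creator
// relations that carry the admin user's email and password hash.
function sanitizeEntity(entity, { model }) {
  if (Array.isArray(entity)) return entity.map((e) => sanitizeEntity(e, { model }));
  if (entity === null || typeof entity !== 'object') return entity;
  const { privateAttributes = [], populateCreatorFields = false } = model.options || {};
  const out = {};
  for (const [key, value] of Object.entries(entity)) {
    if (privateAttributes.includes(key)) continue;
    if (!populateCreatorFields && CREATOR_FIELDS.includes(key)) continue;
    out[key] = sanitizeEntity(value, { model }); // recurse into components/relations
  }
  return out;
}

// Defender-side check: list JSON paths in a response body that still carry
// a creator relation or a password field, so a leak is caught before shipping.
function findLeakedKeys(body, path = '$') {
  const sensitive = ['password', ...CREATOR_FIELDS];
  if (Array.isArray(body)) return body.flatMap((v, i) => findLeakedKeys(v, `${path}[${i}]`));
  if (body === null || typeof body !== 'object') return [];
  return Object.entries(body).flatMap(([k, v]) =>
    sensitive.includes(k) ? [`${path}.${k}`] : findLeakedKeys(v, `${path}.${k}`));
}

// Constructed sample of what an unsanitized custom find() returns.
const adminUser = { id: 1, email: 'admin@example.com', password: '$2a$10$constructed-hash' };
const rawFacilities = [{
  id: 1, name: 'Main hall', created_at: '2020-11-01T10:00:00.000Z',
  created_by: adminUser, updated_by: adminUser,
  rooms: [{ id: 7, label: 'A1', created_at: '2020-11-01T10:00:00.000Z', created_by: adminUser }],
}];

const safeFacilities = sanitizeEntity(rawFacilities, { model: facilitiesModel });
console.log(findLeakedKeys(rawFacilities)); // ['$[0].created_by', '$[0].updated_by', '$[0].rooms[0].created_by']
console.log(findLeakedKeys(safeFacilities)); // []
```

Because sanitizeEntity accepts an array, one call over a whole response body covers every record, which is the shape a single global sanitizing step would need.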

Yup exactly my thoughts and why I wanted to move this discussion over here to the forum. You are most likely using a custom controller that isn’t passing the query response (or service) into the sanitize function which is where the fields are stripped.

@sunnyson I didn’t know that I have to sanitize the data. It works perfectly now. Thank you for the hint and for your time! I really appreciate it.

1 Like

How can I activate seeing the email address of the user who made a change?
It’s not showing.

Hi, can we disable this creator’s data only for not-authenticated users, and send the creator’s data to the authenticated user? I tried the sanitize method, but the issue is there are 80 endpoints and we need to update all of them. Is there any solution to do this without updating all the endpoints?

To my knowledge there is no solution for this. You can enable it for all users and then use something like Protected Populate | Strapi Market to remove them from being requested by non-auth users, but this needs to happen on every single endpoint.

Thanks for the update. I’m currently using Strapi version 3.6; the plugin is not working for that. Can we sanitize response data from anywhere all the responses are going? Does Strapi have that kind of solution, like a makeResponse function?

I don’t know; I assumed you were using Strapi v4, since v3 is end of life, with no new updates or support.