I can’t hide creator fields, like mentioned in the Docs. I created a collection called “facilities” and put "populateCreatorFields": false into the options property in facilities.settings.json. Hiding specific fields using "privateAttributes": ["id", "created_at"] also doesn’t work. It’s also not working for components.
The problem is, that the encrypted password and the email address gets exposed.
privateAttributes and populateCreatorFields by default work only with the strapi’s methods of find()/findOne(), these use sanitized by default.
These are used when you make API calls to urls: /articles → this will call find() func which is created by strapi and has its own sanitize (all hidden fields are not displayed) /articles/1 → this will call findOne() func, that one is also created by strapi and has its own sanitize (all hidden fields are not displayed)
When you make a manual call of strapi.services.articles.find() - you are NOT using the sanitized method, which means you will return all hidden fields/creator fields and etc.
Yup exactly my thoughts and why I wanted to move this discussion over here to the forum. You are most likely using a custom controller that isn’t passing the query response (or service) into the sanitize function which is where the fields are stripped.