Not possible to hide creator fields (Bug?)

This thread is the follow-up of my Github conversation with @DMehaffy.

I can’t hide creator fields, like mentioned in the Docs. I created a collection called “facilities” and put "populateCreatorFields": false into the options property in facilities.settings.json. Hiding specific fields using "privateAttributes": ["id", "created_at"] also doesn’t work. It’s also not working for components.

The problem is, that the encrypted password and the email address gets exposed.

The project can be found on Github: GitHub - mariusbolik/strapi-example
Please open http://localhost:1337/facilities to see the JSON response.

System Information
  • Strapi Version: 3.2.5
  • Operating System: macOS Catalina
  • Database: MySQL
  • Node Version: 12.18.3
  • NPM Version: 6.14.6

privateAttributes and populateCreatorFields by default work only with the strapi’s methods of find()/findOne(), these use sanitized by default.

These are used when you make API calls to urls:
/articles → this will call find() func which is created by strapi and has its own sanitize (all hidden fields are not displayed)
/articles/1 → this will call findOne() func, that one is also created by strapi and has its own sanitize (all hidden fields are not displayed)

When you make a manual call of strapi.services.articles.find() - you are NOT using the sanitized method, which means you will return all hidden fields/creator fields and etc.

Solution:

You are using a custom .find() and the result is not sanitized.

First, import sanitize utils:
const { sanitizeEntity } = require('strapi-utils');

Second, sanitize fetched data by providing data and defining the model:

let result = await strapi.services.articles.find();
let articles = sanitizeEntity(result, {
        model: strapi.models['articles'],
});

Now articles contains data without creator fields and without privateAttributes(id, created_at), as you defined these options in facilities.settings.json.

1 Like

Yup exactly my thoughts and why I wanted to move this discussion over here to the forum. You are most likely using a custom controller that isn’t passing the query response (or service) into the sanitize function which is where the fields are stripped.

@sunnyson I didn’t know that I have to sanitize the data. It works perfectly now. Thank you for the hint and for your time! I really appreciate it.

1 Like

how can I activate seeing the email address of the user who made a change?
It’s not showing