Populate users-permissions to get user avatar


How i can populate users-permissions ?
I add custom field to user (avatar) but it’s not in the response…


Strapi 4

There is a bug, with a fix in route soon.

1 Like

@DMehaffy It’s time to update the Strapi community on this issue. It’s significant and has been open for 4 months yet this pull request hasn’t had any commits since March 3rd.

Our developer experience squad is placing this as one of their priorities for this quarter but they need to review all the issues around the U&P plugin to see what is possible right now.

We have identified though that our future course of action with regards to U&P is we will be working in parallel on two things:

  • Get U&P functionally stable in Strapi v4 so that it can continue to function with a reasonable degree of it’s intended purpose
  • Start planning on building an entirely new end-user authentication plugin that will replace U&P (ideally one with field level permissions, but this isn’t confirmed).

Our problem is largely that to “fix” U&P to the level we want it, it would mean breaking changes which we can’t do while we are in the v4 development cycle and with no idea when we will start Strapi v5 development. So our only option right now is to either build ourselves a replacement plugin or possibly contract the development of such a plugin externally (largely due to our small team size, we can’t handle it ourselves right now).

I’ll have more information once the Product Managers review some of the U&P issues.

Is there any possible workaround? or only the option to go back to v3?

any expectations, when you will have fixed this issue?

Thank you!

You can do this easily by customising controllers, just override add routes you need and use db query or entity service…

Would be great to put some examples of these custom controllers

Hi, I found this solution, ideally for V4.

module.exports = plugin => {
const sanitizeOutput = (user) => {
const {
password, resetPasswordToken, confirmationToken, …sanitizedUser
} = user; // be careful, you need to omit other private attributes yourself
return sanitizedUser;

plugin.controllers.user.me = async (ctx) => {
if (!ctx.state.user) {
return ctx.unauthorized();
const user = await strapi.entityService.findOne(
{ populate: [‘role’] }

ctx.body = sanitizeOutput(user);


plugin.controllers.user.find = async (ctx) => {
const users = await strapi.entityService.findMany(
{ …ctx.params, populate: [‘role’] }

ctx.body = users.map(user => sanitizeOutput(user));


return plugin;

1 Like