Privacy issue with GraphQL + Users Permissions plugin

Hello,
I have a question regarding field-level permissions. I know that with this enterprise feature, you’re able to adjust permissions on a field level for admin panel users. However, this is not working for users/roles created by the Roles & Permissions plugin.

Example:
Users can create entries on our page, and list entries of other users. An entry has a relation to a user, but users are forbidden to query users. However, every user can get entry->user->role->users via a simple GraphQL query, essentially getting all emails of all registered users. This is a big data privacy issue, and I have no idea how to solve it.

The issue is described here and here, but both issues have been closed (incorrectly, if you ask me).
Does somebody know how to solve this issue?

System Information
  • Strapi Version: 3.5.1
  • Operating System: macOS 10.15.7
  • Database: SQLite
  • Node Version: 12.18.3
  • NPM Version: 6.14.6
  • Yarn Version: 1.22.10

4 Likes
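
One way to catch the traversal described in the post before a query runs, as an added example that is not part of the original post and not Strapi code: a small checker that extracts the field paths a GraphQL document selects and rejects any that walk the `user -> role -> users` chain. The names `fieldPaths`, `violatesPolicy` and `DENIED_CHAINS` are hypothetical, the field names are assumed to match the post, and documents using fragments are rejected rather than resolved.

```javascript
// Added example, not Strapi code. Assumption: the relation chain to block is
// user -> role -> users, as named in the post.
const DENIED_CHAINS = [['user', 'role', 'users']];

// Return every field path selected by a GraphQL document, aliases resolved.
function fieldPaths(query) {
  // Strings and comments are matched first so their contents are never parsed.
  const tokens = query.match(
    /"(?:\\.|[^"\\])*"|#[^\n]*|\.\.\.|@\w+|[{}():]|[A-Za-z_]\w*/g) || [];
  const paths = [];
  const stack = [];   // enclosing field names; null marks the operation root
  let last = null;    // most recent field name at the current level
  let parens = 0;     // > 0 inside an argument or variable list
  for (let i = 0; i < tokens.length; i++) {
    const t = tokens[i];
    if (t === '(') { parens++; continue; }
    if (t === ')') { parens--; continue; }
    if (parens > 0 || '"#@:'.includes(t[0])) continue;
    if (t === '...') throw new Error('fragments are not resolved here');
    if (t === '{') { stack.push(stack.length ? last : null); continue; }
    if (t === '}') { stack.pop(); last = null; continue; }
    if (stack.length === 0) continue;      // "query" keyword, operation name
    if (tokens[i + 1] === ':') continue;   // alias; the real field name follows
    last = t;
    paths.push([...stack.filter(Boolean), t]);
  }
  if (parens !== 0 || stack.length !== 0) throw new Error('unbalanced document');
  return paths;
}

// True when the document must be refused. Anything unparsable fails closed.
function violatesPolicy(query, chains = DENIED_CHAINS) {
  let paths;
  try { paths = fieldPaths(query); } catch (e) { return true; }
  return paths.some(p => chains.some(c =>
    p.some((_, i) => c.every((name, j) => p[i + j] === name))));
}
```

Aliases do not hide the chain because the check works on real field names, and a response-side permission check on the `users` relation is still needed for any path this list does not name.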