Strapi bring user password on related objects

I have two models, Publications and User. There is an OneToOne relationship between, and when I make a request to /api/publications/1 (for example), I get the publication with the user BUT, the user brings the password to (encrypted)
When I make a request to /api/users/1 in that case the password does not show up

This sounds like a custom controller/service/something that isn’t passing the response from the internal API into our sanitizeEntity function. Can you share your code, or you can refer to some of our examples:


const { sanitizeEntity } = require('strapi-utils');

module.exports = {
   * Retrieve a record.
   * @return {Object}

  async findOne(ctx) {
    const { id } = ctx.params;

    const entity = await{ id });
    return sanitizeEntity(entity, { model: }); // <----- This right here

The above example, this sanitizeEntity function removes that private data from the response and comes from here:

1 Like