Strapi brings user password on related objects

Hi!
I have two models, Publications and User. There is a OneToOne relationship between them, and when I make a request to /api/publications/1 (for example), I get the publication with the user, BUT the user brings the password too (encrypted).
When I make a request to /api/users/1, in that case the password does not show up.

This sounds like a custom controller/service/something that isn’t passing the response from the internal API into our sanitizeEntity function. Can you share your code, or you can refer to some of our examples:

https://strapi.io/documentation/v3.x/concepts/controllers.html#findone

Specifically:

const { sanitizeEntity } = require('strapi-utils');

module.exports = {
  /**
   * Retrieve a record.
   *
   * @return {Object}
   */

  async findOne(ctx) {
    const { id } = ctx.params;

    const entity = await strapi.services.restaurant.findOne({ id });
    return sanitizeEntity(entity, { model: strapi.models.restaurant }); // <----- This right here
  },
};

In the above example, this sanitizeEntity function removes that private data from the response and comes from here:

1 Like
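The leak discussed in this thread and a regression check for it, as an added example that is not part of the original posts and is not Strapi's code. `stripPrivate` is a simplified stand-in for `sanitizeEntity`; the model definitions, the sample record and the `findPrivateLeaks` helper are constructed for illustration.

```javascript
// Constructed model definitions (assumed shape: attributes flagged `private: true`).
const models = {
  publication: { attributes: { title: { type: 'string' }, user: { model: 'user' } } },
  user: {
    attributes: {
      username: { type: 'string' },
      password: { type: 'password', private: true },
      resetPasswordToken: { type: 'string', private: true },
    },
  },
};

// Simplified stand-in for sanitizeEntity: drop private attributes, recurse into relations.
function stripPrivate(entity, modelName) {
  if (Array.isArray(entity)) return entity.map((e) => stripPrivate(e, modelName));
  if (entity === null || typeof entity !== 'object') return entity; // unpopulated relation id
  const out = {};
  for (const [key, value] of Object.entries(entity)) {
    const attr = models[modelName].attributes[key];
    if (attr && attr.private) continue;
    const target = attr && (attr.model || attr.collection);
    out[key] = target ? stripPrivate(value, target) : value;
  }
  return out;
}

// Regression check: list the paths of private attributes still present in a response body.
function findPrivateLeaks(body, modelName, path = modelName) {
  if (Array.isArray(body)) return body.flatMap((b, i) => findPrivateLeaks(b, modelName, `${path}[${i}]`));
  if (body === null || typeof body !== 'object') return [];
  const leaks = [];
  for (const [key, value] of Object.entries(body)) {
    const attr = models[modelName].attributes[key];
    if (!attr) continue;
    if (attr.private) leaks.push(`${path}.${key}`);
    const target = attr.model || attr.collection;
    if (target) leaks.push(...findPrivateLeaks(value, target, `${path}.${key}`));
  }
  return leaks;
}

// Constructed record, as a service call returns it before sanitization.
const raw = { id: 1, title: 'Hello', user: { id: 7, username: 'ana', password: '$2a$10$constructed-hash' } };
console.log(findPrivateLeaks(raw, 'publication'));
console.log(findPrivateLeaks(stripPrivate(raw, 'publication'), 'publication'));
```

Running a check like `findPrivateLeaks` against the JSON returned by every custom controller in an API test suite catches a route that returns the service result without sanitizing it.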