This sounds like a custom controller/service/something that isn’t passing the response from the internal API into our sanitizeEntity function. Can you share your code, or you can refer to some of our examples:
https://strapi.io/documentation/v3.x/concepts/controllers.html#findone
Specifically:
const { sanitizeEntity } = require('strapi-utils');
module.exports = {
/**
* Retrieve a record.
*
* @return {Object}
*/
async findOne(ctx) {
const { id } = ctx.params;
const entity = await strapi.services.restaurant.findOne({ id });
return sanitizeEntity(entity, { model: strapi.models.restaurant }); // <----- This right here
},
};
The above example, this sanitizeEntity function removes that private data from the response and comes from here: