- Strapi Version: 4.1.5
- Operating System: macos
- Database: mysql
- Node Version: 16.14.0
- NPM Version: 8.3.1
- Yarn Version: 1.22.17
I have a comment api that has a relation with userPermissionUser model which has email field.
strapi graphql would automatically create a Query endpoint for
comments and client application can query users information as much as they want.
You can disable email field with shadow CRUD like this. However, if you do this, it will remove email from all graphql response which means
updateUser returns payload without email.
That makes the all other graphql endpoint pretty useless.
strapi .plugin('graphql') .service('extension') .shadowCRUD('plugin::users-permissions.user') .field('email') .disable();
I digged around and tried to find a way to handle this. Policy or middleware none of them can customize endpoint for that.
If you are not careful, your users’ email account can leak to public by calling all the comments with
So be careful.
I am not sure if strapi would provide a way to handle in the future but for now, there is no way.
Please let me know if I am missing something
have a good day!