@dennishh I feel your pain. We ended up using a custom middleware to filter out private data. Probably a better approach would have been to ‘freeze’ the GraphQL queries so that no additional fields could be added. We were unable to access the request.body for GraphQL requests though, which is not surprising if you look at the related middleware:
initialize() {
  strapi.app.use(async (ctx, next) => {
    // disable for graphql
    // TODO: find a better way later
    if (ctx.url === '/graphql') {
      return next();
    }
    // ... the rest of the middleware (body parsing for every other route)
    // is omitted from the quoted snippet; it eventually continues the chain
    await next();
  });
}
How did you solve it? It’s kind of a hard problem, since everything is bypassed for relational data; see [graphql] controller bypassed when querying nested relations · Issue #8735 · strapi/strapi · GitHub
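An added example, not Strapi's code and not the middleware from the post above, showing the two approaches the post mentions side by side: a response filter that strips private fields at every nesting level (so nested relations, the case in strapi/strapi#8735, are covered too), and a ‘frozen’ query allowlist so a client cannot add fields. All names (PRIVATE_FIELDS, privateFieldFilter, frozenQueries, normaliseQuery) and the sample response are invented for illustration; it assumes a Koa-style ctx where the route or GraphQL handler sets ctx.body, and the allowlist part assumes a body parser has run for the route, which the quoted Strapi snippet did not do for /graphql.

```javascript
// Added example (not Strapi's code, not the poster's middleware).
// Assumes a Koa-style ctx: the route/GraphQL handler sets ctx.body, and
// ctx.request.body holds the parsed request body where a parser has run.
// PRIVATE_FIELDS and the sample data below are illustrative only.

const PRIVATE_FIELDS = new Set(['password', 'resetPasswordToken', 'confirmationToken']);

// Return a copy of `value` with every key in `privateFields` removed, at any
// depth, through arrays and nested objects. The input is not mutated.
function stripPrivateFields(value, privateFields = PRIVATE_FIELDS, seen = new WeakSet()) {
  if (Array.isArray(value)) {
    return value.map((item) => stripPrivateFields(item, privateFields, seen));
  }
  if (value === null || typeof value !== 'object' || value instanceof Date) {
    return value; // primitives and dates pass through unchanged
  }
  if (seen.has(value)) {
    return undefined; // cyclic reference: drop it rather than loop forever
  }
  seen.add(value);
  const out = {};
  for (const [key, child] of Object.entries(value)) {
    if (privateFields.has(key)) continue; // never copy a private field
    out[key] = stripPrivateFields(child, privateFields, seen);
  }
  seen.delete(value);
  return out;
}

// (1) Response filter as Koa-style middleware: let the route run, then scrub
// whatever it put in ctx.body. Because it works on the response it applies to
// REST and to /graphql alike and never needs request.body.
function privateFieldFilter(privateFields = PRIVATE_FIELDS) {
  return async (ctx, next) => {
    await next();
    if (ctx.body !== null && typeof ctx.body === 'object') {
      ctx.body = stripPrivateFields(ctx.body, privateFields);
    }
  };
}

// (2) "Frozen" queries: only queries whose normalised text is on the allowlist
// are accepted, so a client cannot add fields such as author { password }.
// Whitespace differences are tolerated; the query is compared, not parsed,
// which is enough when you control every client.
function normaliseQuery(query) {
  return String(query).replace(/\s+/g, ' ').trim();
}

function frozenQueries(allowedQueries) {
  const allowed = new Set(allowedQueries.map(normaliseQuery));
  const isAllowed = (query) => allowed.has(normaliseQuery(query));
  const middleware = async (ctx, next) => {
    // Assumes ctx.request.body is already parsed for this route.
    const query = ctx.request && ctx.request.body && ctx.request.body.query;
    if (!isAllowed(query)) {
      ctx.status = 403;
      ctx.body = { errors: [{ message: 'Query is not on the allowlist' }] };
      return;
    }
    await next();
  };
  return { isAllowed, middleware };
}

// Constructed sample response: the nested relation leaks the author's
// password hash and a commenter's reset token.
const SAMPLE_RESPONSE = {
  data: {
    articles: [
      {
        id: '1',
        title: 'Hello',
        author: { id: '7', username: 'alice', password: '$2a$10$abc', email: 'a@example.com' },
        comments: [{ id: '9', user: { username: 'bob', resetPasswordToken: 'tok' } }],
      },
    ],
  },
};

const ALLOWED = ['query { articles { id title author { username } } }'];

// Run the allowlist, then the handler wrapped in the response filter; returns
// the scrubbed body the client would receive.
async function demo() {
  const ctx = { url: '/graphql', status: 200, body: null, request: { body: { query: ALLOWED[0] } } };
  const handler = async () => { ctx.body = SAMPLE_RESPONSE; };
  const { middleware } = frozenQueries(ALLOWED);
  await middleware(ctx, () => privateFieldFilter()(ctx, handler));
  return ctx.body;
}

demo().then((body) => console.log(JSON.stringify(body, null, 2)));
```

The response filter is the belt-and-braces half: it catches leaks through any resolver, including nested relations that bypass the controller, but it only knows about field names, so a sensitive value under an unexpected key still gets through. The allowlist closes that gap for known clients, at the cost of having to register every query they send.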