I think this might be an issue with permissions: by default quite a few of the Users (roles / permissions) endpoints are disabled and will need to be updated before reading from them!
Just wondering, does this issue also include the users/me not populating the roles in the record via REST API?
Because I am a little lost on how to do the frontend user authorization checks, for example if I have made a custom "Support" role to show specific parts of the website and show a different one if it's only "Authorized".
Just tried it and it seems like it's not helping, or maybe I did something wrong.
So I placed my extended file in
./src/extension/users-permissions/server/controllers/user.js
And the code from PR
This content should properly be moved to ./src/extensions/users-permissions/strapi-server.js and be rewritten according to: Plugins extension - Strapi Developer Docs
Same here, I've updated strapi to 4.2.2 and when I do (as an authenticated user) http://localhost:1337/api/users/me I get the same payload as if I do http://localhost:1337/api/users/me?populate=*, just the default payload and no role field at all; the same for a UserRole collection type I created with a relationship with users.
I can't figure out any workaround for now, so any hint to make this work is appreciated.
I'm not aware of any changes, but in my case, what I did as a workaround was to use the "me" query just to get the userId in the front end.
Then I make a "findOne" query in users-permissions with this userId to get all the infos I need.
To do that you have to let any logged user query a single user, which is not ideal regarding security.
But you can add a route middleware to restrict these queries: just make sure the user is querying himself, aka the userID in the query matches the id of the authenticated user doing the query (you can get this ID from the context in the middleware).
I'm using GraphQL so the middleware looks like that:
strapi/src/index.js
module.exports = {
  register({ strapi }) {
    // GraphQL plugin extension service, needed to attach resolver config
    const extensionService = strapi.plugin('graphql').service('extension');
    // Users
    extensionService.use({
      resolversConfig: {
        // findOne
        'Query.usersPermissionsUser': {
          auth: false, // Bypass strapi permissions
          middlewares: [
            'global::has-valid-role', // Test if is authenticated
            'global::user-query-himself' // test if query himself
          ],
        },
        // ...
      },
    });
  },
};
and I've got my middleware in a separate file
src/middlewares/user-query-himself.js
module.exports = (next, parent, args, ctx, info) => {
  const user = ctx.state.user; // authenticated user that makes the query (may be undefined)
  const queriedUserId = args.id; // ID passed to the findOne query
  // Loose == on purpose: GraphQL IDs arrive as strings, user.id is a number
  const userIsHimself = user && user.id && user.id == queriedUserId;
  if (!userIsHimself) throw new Error('You are not allowed to see this');
  return next(parent, args, ctx, info);
};
It surely doesn't seem to be the right way, but as a workaround, it works.
Hope that helps
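The same "user queries himself" check written for the REST side, since several people in this thread are on /api/users rather than GraphQL. This is an added example, not the poster's code or part of Strapi; the file path, the middleware name and the findOne route it is attached to are assumptions.

```javascript
// Assumed location: src/middlewares/user-query-himself-rest.js
// Core check, kept separate from the Strapi factory so it can be unit-tested
// with a constructed Koa-style ctx. Returns the result of next() when the
// caller may proceed; otherwise sets status/body and returns undefined.
function userQueriesHimself(ctx, next) {
  const user = ctx.state && ctx.state.user; // set by users-permissions auth
  if (!user) {
    ctx.status = 401;
    ctx.body = { error: 'Authentication required' };
    return;
  }
  const queriedId = ctx.params ? ctx.params.id : undefined;
  // Route params are strings while user.id is a number, so compare as
  // strings instead of relying on == coercion (which would accept '' == 0).
  if (queriedId === undefined || String(queriedId) !== String(user.id)) {
    ctx.status = 403;
    ctx.body = { error: 'You are not allowed to see this' };
    return;
  }
  return next();
}

// Strapi v4 middleware factory shape: (config, { strapi }) => handler.
// Register it as global::user-query-himself-rest (name assumed) and list it
// under `middlewares` of the users-permissions findOne route, together with
// the authentication check, so only the user's own record is readable.
function makeStrapiMiddleware(/* config, { strapi } */) {
  return async (ctx, next) => userQueriesHimself(ctx, next);
}

if (typeof module !== 'undefined') module.exports = makeStrapiMiddleware;
```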
OK, I fixed it by setting permissions for find and findOne in Settings → Users & Permissions plugin → Roles → Authenticated for the UserRole collection type, and for user - me and user - find for the Users-permissions one.