Hey,
I’m not aware of any changes, but in my case, what I did as a workaround was to use the “me” query just to get the userId in the front end.
Then I make a “findOne” query in users-permissions with this userId to get all the infos I need.
To do that you have to let any logged user query a single user, wich is not ideal regarding security.
But you can add a route middleware to restrict these queries : juste make sure the user is querying himself aka the userID in the query match the id of the authenticated user doing the query (you can get this ID from the context in the middleware)
I’m using GraphQL so the middleware looks like that :
strapi/src/index.js
module.exports = {
register({ strapi }) {
// Users
extensionService.use({
resolversConfig: {
// findOne
'Query.usersPermissionsUser': {
auth: false, // Bypass strapi permissions
middlewares: [
'global::has-valid-role', // Test if is autenticated
'global::user-query-himself' // test if query himself
],
},
// ...
and I’ve got my middleware in a separate file
src/middlewares/user-query-himself.js
module.exports = (next, parent, args, ctx, info) => {
const user = ctx.state.user.id; // user ID that makes the query
const queriedUserId = args.id;
const userIsHimself = user.id && user.id == queriedUserId
if (!userIsHimself) throw new Error('You are not allowed to see this')
return next(parent, args, ctx, info)
};
It surely don’t seems to be the right way, but as a workaround, it works.
Hope that helps