I think this might be an issue with permissions – by default quite a few of the Users (roles / permissions) endpoints are disabled and will need to be updated before reading from them!
Just wondering, does this issue also include the users/me endpoint not populating the roles in the record via the REST API?
Because I am a little lost on how to do the frontend user authorization checks, for example if I have made a custom “Support” role to show specific parts of the website and show a different one if it's only “Authorized”.
Just tried it and seems like it’s not helping, or maybe I did something wrong.
So I placed my extended file in
./src/extension/users-permissions/server/controllers/user.js
And the code from PR
This content should properly be moved to ./src/extensions/users-permissions/strapi-server.js and be rewritten according to: Plugins extension - Strapi Developer Docs
Same here, I’ve updated strapi to 4.2.2 and when I do (as an authenticated user) http://localhost:1337/api/users/me I get the same payload as when I do http://localhost:1337/api/users/me?populate=*, just the default payload and no role field at all; the same for a UserRole collection type I created with a relationship with users.
I can’t figure out any workaround for now, so any hint to make this work is appreciated
I’m not aware of any changes, but in my case, what I did as a workaround was to use the “me” query just to get the userId in the front end.
Then I make a “findOne” query in users-permissions with this userId to get all the infos I need.
To do that you have to let any logged-in user query a single user, which is not ideal regarding security.
But you can add a route middleware to restrict these queries: just make sure the user is querying himself, i.e. the userId in the query matches the id of the authenticated user doing the query (you can get this id from the context in the middleware).
I’m using GraphQL, so the middleware looks like this:
strapi/src/index.js
module.exports = {
  register({ strapi }) {
    const extensionService = strapi.plugin('graphql').service('extension');

    // Users
    extensionService.use({
      resolversConfig: {
        // findOne
        'Query.usersPermissionsUser': {
          auth: false, // Bypass strapi permissions
          middlewares: [
            'global::has-valid-role', // Test if authenticated
            'global::user-query-himself', // Test if the user queries himself
          ],
        },
        // ...
      },
    });
  },
};
and I’ve got my middleware in a separate file
src/middlewares/user-query-himself.js
module.exports = (next, parent, args, ctx, info) => {
  const user = ctx.state.user; // authenticated user making the query (undefined if anonymous)
  const queriedUserId = args.id;
  // Compare as strings: the GraphQL id argument is a string, the JWT user id a number
  const userIsHimself = Boolean(user && user.id !== undefined) && String(user.id) === String(queriedUserId);
  if (!userIsHimself) throw new Error('You are not allowed to see this');
  return next(parent, args, ctx, info);
};
It surely doesn’t seem to be the right way, but as a workaround, it works.
Hope that helps
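The self-only check in the post above is what keeps opening `findOne` to every authenticated user from becoming an account-enumeration hole, and the same check is needed on the REST route if the front end uses `/api/users/:id` instead of GraphQL. The block below is an added example, not code from the thread: one `isQueryingSelf` predicate wrapped for both paths. It assumes Strapi v4's global-middleware factory shape `(config, { strapi }) => (ctx, next)` with `ctx.params.id` and `ctx.forbidden()` on the REST side, and the `(next, parent, args, ctx, info)` resolver-middleware signature on the GraphQL side; ids are compared as strings because the request carries a string while the JWT user id is a number, and a missing `ctx.state.user` is rejected rather than crashing. In a real deployment each wrapper would live in its own file under src/middlewares and be the file's sole export; they are exported together here so the check can be exercised stand-alone.

```javascript
'use strict';

// Shared check: the caller must be authenticated and the id they ask for must be their
// own. Ids are compared as strings because a URL parameter or GraphQL argument arrives
// as a string while the id on the JWT user is a number.
function isQueryingSelf(authUser, requestedId) {
  if (!authUser || authUser.id === undefined || authUser.id === null) return false;
  if (requestedId === undefined || requestedId === null) return false;
  return String(authUser.id) === String(requestedId);
}

// REST variant, in the factory form a Strapi v4 global middleware uses (assumed shape);
// attach it to the findOne route's config.middlewares so GET /api/users/:id only ever
// returns the caller's own record.
function userQueryHimselfRest(config, { strapi } = {}) {
  return async (ctx, next) => {
    if (!isQueryingSelf(ctx.state.user, ctx.params.id)) {
      return ctx.forbidden('You can only read your own user record');
    }
    await next();
  };
}

// GraphQL variant, with the resolver-middleware signature used in the post above,
// for the Query.usersPermissionsUser resolver.
function userQueryHimselfGraphql(next, parent, args, ctx, info) {
  if (!isQueryingSelf(ctx.state.user, args.id)) {
    throw new Error('You can only read your own user record');
  }
  return next(parent, args, ctx, info);
}

module.exports = { isQueryingSelf, userQueryHimselfRest, userQueryHimselfGraphql };
```

Note that the check rejects before the resolver or controller runs, so a denied request never touches the database, and a request with no authenticated user is denied the same way as one for somebody else's id.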
OK, I fixed it by setting permissions for find and findOne in Settings → User permissions plugin → Role → Authenticated for the UserRole collection type, and for user - me and user - find for the User permissions one.