V4 REST API OpenAPI/Swagger Documentation users, roles and permissions missing

System Information
  • Strapi Version: v4.0.0
  • Operating System: W10 Home 20H2
  • Database: sqlite
  • Node Version: 14.15.1
  • NPM Version: 6.14.15

When generating Swagger/OpenAPI documentation in v4 it do not contain endpoints for users or roles/permissions. In v3 we have the user-permissions-roles and user-permissions-users endpoints.
However in v4 I can use the /users endpoint but can not get role(s) and the populate and fields query parameters are not available.

What can I do to get the user roles with the new v4 REST APIs?

BTW - The new API endpoints are much better than before. I use Client Generator for TypeScript/Angular which generates the service and model classes from the OpenAPI spec json file - ready to use in just a few seconds. Well done!

Regards Ivar

1 Like

This one :point_up_2::point_up_2::point_up_2::point_up_2:

I’m going nuts, cant get roles populates nor get the users populated from the roles endpoint.
Using V4 too

heard about creating a controller, but, where?

Any solutions for this please, its urgent?
Previously v3, I used to get user.role after login in response but now I get this: also seems like I can’t use populate=* too.

“user”: {
“id”: 2,
“username”: “test@test.com”,
“email”: “test@test.com”,
“provider”: “local”,
“confirmed”: true,
“blocked”: false,
“createdAt”: “2022-02-27T08:55:56.733Z”,
“updatedAt”: “2022-03-07T12:50:48.426Z”,
“mobile”: “011000000”,
“fullname”: “test”

Hello mate.
Yes, indeed in V4 there are a bug where user-role relationship will not populate even if you use the populate argument in your query. For now there is a work around to this until the official version is fixed

Create a strapi-server.js file in /src/extensions/users-permissions/ and put this code in

module.exports = plugin => {
  const sanitizeOutput = (user) => {
    const {
      password, resetPasswordToken, confirmationToken, ...sanitizedUser
    } = user; // be careful, you need to omit other private attributes yourself
    return sanitizedUser;

  plugin.controllers.user.me = async (ctx) => {
    if (!ctx.state.user) {
      return ctx.unauthorized();
    const user = await strapi.entityService.findOne(
      { populate: ['role'] }

    ctx.body = sanitizeOutput(user);

  plugin.controllers.user.find = async (ctx) => {
    const users = await strapi.entityService.findMany(
      { ...ctx.params, populate: ['role'] }

    ctx.body = users.map(user => sanitizeOutput(user));

  return plugin;

This will makes by default the role relationship to populate in /api/users/me and /api/users. Also you can add more relationships if you need.

Source: Population does not work for Users in Users-Permissions · Issue #11957 · strapi/strapi · GitHub
By: @iicdii

1 Like