[Bug] User can call /user/id API and access other user data

[becevka]

Describe the bug
A clear and concise description of what the bug is.

To Reproduce
Steps to reproduce the behavior:

1. Login to strapi using '/api/auth/local' and test user with id 1, 'tester'
2. Go to /api/users/2
3. User details are returned with response code 200

Expected behavior
Response code 403 or other error not allowing to get another user details

ACCEPTANCE CRITERIA

• PII is restricted to the currently authenticated user
• The IdeaSpace workshopping page no longer displays PII (current displays users' emails)
• The IdeaSpace comments no longer displays PII (currently displays users' full names)

[becevka]

Good read https://stackoverflow.com/questions/74728231/why-all-users-in-strapi-have-access-to-update-all-users-profile

[becevka]

• We will need to enable this as we should be able to access profiles of users who posted comment, or created notifications.
• The solution would be to add a middleware to select only configured fields in user and profile collection.

[dbradham]

@chadcrotchett @chungthuang currently, user names and emails are displayed on the idea workshopping page. If this change is merged, IdeaSpace would need to update this page.

Chad, does it sound okay to you if we make a ticket in Platform board to use the display name instead of the emails or full legal names on the Idea Workshopping page? Or do you want this change to be made by the IdeaSpace team?

[chadcrotchett]

I'd like to remove PII, such as email and full name....so, I think that's what you are offering, right? I'm on my phone now - but if you can send a screenshot of what it will look like after the merge I could glance at it. Thanks, Chad

…

On Sat, Sep 21, 2024, 10:25 AM dbradham ***@***.***> wrote: @chadcrotchett <https://github.com/chadcrotchett> @chungthuang <https://github.com/chungthuang> currently, user names and emails are displayed on the idea workshopping page. If this change is merged, IdeaSpace would need to update this page. Chad, does it sound okay to you if we make a ticket in Platform board to use the display name instead of the emails or full legal names on the Idea Workshopping page? Or do you want this change to be made by the IdeaSpace team? Screenshot.2024-09-21.at.10.18.58.AM.png (view on web) <https://github.com/user-attachments/assets/4a35c102-4531-48ab-bca5-6fbbc21c6f89> Screenshot.2024-09-21.at.10.19.57.AM.png (view on web) <https://github.com/user-attachments/assets/3abd724c-92a9-4660-84ce-9f9ad536095e> — Reply to this email directly, view it on GitHub <#179 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AB7IG63ELRY4OOMPUMC3THDZXWFVBAVCNFSM6AAAAABG4VK2L6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDGNRVGIZDMNBZGE> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[dbradham]

@chadcrotchett yes, we can remove PII from the Workshopping page.

• Instead of displaying the user's full name on the comments, we will update to show their display name
• Instead of displaying the user's email on the workshopping page, we will update to show their display name

[chadcrotchett]

Sounds great!

…

On Sat, Sep 21, 2024, 9:05 PM dbradham ***@***.***> wrote: @chadcrotchett <https://github.com/chadcrotchett> yes, we can remove PII from the Workshopping page. - Instead of displaying the user's full name on the comments, we will update to show their display name - Instead of displaying the user's email on the workshopping page, we will update to show their display name — Reply to this email directly, view it on GitHub <#179 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AB7IG642HJJVGHBQRPKPE2TZXYQWXAVCNFSM6AAAAABG4VK2L6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDGNRVGQYTKNBRGI> . You are receiving this because you were mentioned.Message ID: ***@***.***>