Private fields of components are shown in response #7335
Comments
Hello there, thanks for the issue! I tried to reproduce your scenario but didn't succeed. In my tests, the private fields remain hidden from the public REST API. Here are my models:
```json
{
  "kind": "collectionType",
  "collectionName": "tests",
  "info": {
    "name": "Test"
  },
  "options": {
    "increments": true,
    "timestamps": true
  },
  "attributes": {
    "demo": {
      "type": "string",
      "private": true,
      "default": "demo-value"
    },
    "slider": {
      "type": "component",
      "repeatable": false,
      "component": "default.compo"
    },
    "other": {
      "type": "string"
    }
  }
}
```

```json
{
  "collectionName": "components_default_compos",
  "info": {
    "name": "Compo",
    "icon": "allergies"
  },
  "options": {},
  "attributes": {
    "demo": {
      "type": "string",
      "private": true,
      "default": "Demo-value"
    }
  }
}
```

This is the entry I've created
And the result of my request at
If you have further information about how to reproduce it, I'll try it again.
Follow-up: I've just tested with a dynamic zone instead of a simple component and I've successfully reproduced the issue.
I'm happy that you could reproduce it. Otherwise I would have checked tomorrow morning. Thx for your effort so far.
I checked and can confirm that my configured component is used within a dynamic zone.
@Convly I was doing some testing about this issue and found that the sanitizeEntity function isn't sanitizing dynamic zones because of this strapi/packages/strapi-utils/lib/sanitize-entity.js Lines 62 to 72 in 7113f7f
The function never enters the if statement because of it. Removing it works, but I don't know if this is safe to do.
I'm working on this very file right now. The issue indeed comes from here.
Simply put, if this variable is set to null, it means you want to keep every field. Bear in mind though, it doesn't force the field to be present in the final response, it only allows it (a password will be removed even if It is for example used in the permissions-manager to target specific fields based on some permissions.
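The nested sanitization discussed in the comments above, as an added example that is not part of the issue thread and is not Strapi's own `sanitize-entity.js`. It strips `private` attributes from an entry at every level, including items of a dynamic zone. The schemas mirror the models posted in the thread; the `zone` attribute name, the `stripPrivate` helper and the sample entry are assumptions made for illustration.

```javascript
// Added example, not Strapi's sanitize-entity.js. Schemas mirror the models posted
// in the thread; the "zone" attribute and the sample entry are constructed.
const components = {
  "default.compo": { attributes: { demo: { type: "string", private: true } } },
};
const testModel = {
  attributes: {
    demo: { type: "string", private: true },
    slider: { type: "component", repeatable: false, component: "default.compo" },
    zone: { type: "dynamiczone", components: ["default.compo"] }, // hypothetical name
    other: { type: "string" },
  },
};

// Return a copy of `entry` without private attributes, descending into
// single/repeatable components and into dynamic zones.
function stripPrivate(entry, model) {
  if (entry === null || typeof entry !== "object") return entry;
  const out = {};
  for (const [key, value] of Object.entries(entry)) {
    const attr = model.attributes[key];
    if (!attr) {
      out[key] = value; // id, __component, timestamps: not schema attributes
    } else if (attr.private === true) {
      continue; // dropped at every nesting level
    } else if (attr.type === "component") {
      const sub = components[attr.component];
      out[key] = Array.isArray(value)
        ? value.map((v) => stripPrivate(v, sub))
        : stripPrivate(value, sub);
    } else if (attr.type === "dynamiczone") {
      // Each item names its schema in __component; items naming a component the
      // zone does not allow (or that is unknown) are dropped, not passed through.
      out[key] = (value || [])
        .filter((i) => i && attr.components.includes(i.__component) && components[i.__component])
        .map((i) => stripPrivate(i, components[i.__component]));
    } else {
      out[key] = value;
    }
  }
  return out;
}

// Constructed sample entry, shaped like a REST response before sanitizing.
const sampleEntry = {
  id: 1, demo: "demo-value", other: "visible",
  slider: { id: 3, demo: "Demo-value" },
  zone: [{ __component: "default.compo", id: 4, demo: "Demo-value" }],
};
console.log(JSON.stringify(stripPrivate(sampleEntry, testModel)));
```

A check like this is also usable as a regression test: run it over a captured REST response and assert that no private value survives in any nested component.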
Describe the bug
When adding a private field (advanced settings) to a component the field is still present in the REST response.
The field does not show up when querying it with GraphQL and private fields in content-types also do not show up as expected.
Steps to reproduce the behavior
Expected behavior
I expect private fields from components not to show up in any response. Similar to private fields in content-types.
Screenshots
Code snippets
Attribute of created component:
Attribute of created content-type:
REST response when fetching content-type with configured component (snippet):
System
Additional context