@strapi/plugin-users-permissions 0.0.0-next.c593a2735b35c69d2c421003b6f80adf72fcf16e → 0.0.0-next.ce51df0e18404afc8a1aa7f504c1006a7a221459

package/admin/src/pages/Roles/{ListPage → pages/ListPage}/index.js

@@ -1,8 +1,7 @@
-import React, { useMemo, useState } from 'react';
+import React, { useState } from 'react';
 
 import {
   ActionLayout,
-  Button,
   ContentLayout,
   HeaderLayout,
   Layout,
@@ -16,9 +15,11 @@ import {
   VisuallyHidden,
 } from '@strapi/design-system';
 import {
+  CheckPagePermissions,
   CheckPermissions,
   ConfirmDialog,
   EmptyStateLayout,
+  LinkButton,
   LoadingIndicatorPage,
   NoPermissions,
   SearchURLQuery,
@@ -33,20 +34,17 @@ import {
 } from '@strapi/helper-plugin';
 import { Plus } from '@strapi/icons';
 import { useIntl } from 'react-intl';
-import { useMutation, useQuery, useQueryClient } from 'react-query';
-import { useHistory } from 'react-router-dom';
+import { useMutation, useQuery } from 'react-query';
 
-import { PERMISSIONS } from '../../../constants';
-import pluginId from '../../../pluginId';
-import { getTrad } from '../../../utils';
+import { PERMISSIONS } from '../../../../constants';
+import { getTrad } from '../../../../utils';
 
 import TableBody from './components/TableBody';
 import { deleteData, fetchData } from './utils/api';
 
-const RoleListPage = () => {
+export const RolesListPage = () => {
   const { trackUsage } = useTracking();
   const { formatMessage, locale } = useIntl();
-  const { push } = useHistory();
   const toggleNotification = useNotification();
   const { notifyStatus } = useNotifyAT();
   const [{ query }] = useQueryParams();
@@ -56,26 +54,21 @@ const RoleListPage = () => {
   const [roleToDelete, setRoleToDelete] = useState();
   useFocusWhenNavigate();
 
-  const queryClient = useQueryClient();
-
-  const updatePermissions = useMemo(() => {
-    return {
-      create: PERMISSIONS.createRole,
-      read: PERMISSIONS.readRoles,
-      update: PERMISSIONS.updateRole,
-      delete: PERMISSIONS.deleteRole,
-    };
-  }, []);
-
   const {
     isLoading: isLoadingForPermissions,
     allowedActions: { canRead, canDelete },
-  } = useRBAC(updatePermissions);
+  } = useRBAC({
+    create: PERMISSIONS.createRole,
+    read: PERMISSIONS.readRoles,
+    update: PERMISSIONS.updateRole,
+    delete: PERMISSIONS.deleteRole,
+  });
 
   const {
     isLoading: isLoadingForData,
     data: { roles },
     isFetching,
+    refetch,
   } = useQuery('get-roles', () => fetchData(toggleNotification, notifyStatus), {
     initialData: {},
     enabled: canRead,
@@ -94,11 +87,6 @@ const RoleListPage = () => {
 
   const isLoading = isLoadingForData || isFetching;
 
-  const handleNewRoleClick = () => {
-    trackUsage('willCreateRole');
-    push(`/settings/${pluginId}/roles/new`);
-  };
-
   const handleShowConfirmDelete = () => {
     setShowConfirmDelete(!showConfirmDelete);
   };
@@ -121,7 +109,7 @@ const RoleListPage = () => {
 
   const deleteMutation = useMutation((id) => deleteData(id, toggleNotification), {
     async onSuccess() {
-      await queryClient.invalidateQueries('get-roles');
+      await refetch();
     },
   });
 
@@ -158,12 +146,17 @@ const RoleListPage = () => {
           })}
           primaryAction={
             <CheckPermissions permissions={PERMISSIONS.createRole}>
-              <Button onClick={handleNewRoleClick} startIcon={<Plus />} size="S">
+              <LinkButton
+                to="/settings/users-permissions/roles/new"
+                onClick={() => trackUsage('willCreateRole')}
+                startIcon={<Plus />}
+                size="S"
+              >
                 {formatMessage({
                   id: getTrad('List.button.roles'),
                   defaultMessage: 'Add new role',
                 })}
-              </Button>
+              </LinkButton>
             </CheckPermissions>
           }
         />
@@ -240,4 +233,10 @@ const RoleListPage = () => {
   );
 };
 
-export default RoleListPage;
+export const ProtectedRolesListPage = () => {
+  return (
+    <CheckPagePermissions permissions={PERMISSIONS.accessRoles}>
+      <RolesListPage />
+    </CheckPagePermissions>
+  );
+};

package/admin/src/pages/Roles/{ListPage → pages/ListPage}/utils/api.js

@@ -1,11 +1,9 @@
 import { getFetchClient } from '@strapi/helper-plugin';
 
-import { getRequestURL } from '../../../../utils';
-
 export const fetchData = async (toggleNotification, notifyStatus) => {
   try {
     const { get } = getFetchClient();
-    const { data } = await get(getRequestURL('roles'));
+    const { data } = await get('/users-permissions/roles');
     notifyStatus('The roles have loaded successfully');
 
     return data;
@@ -22,7 +20,7 @@ export const fetchData = async (toggleNotification, notifyStatus) => {
 export const deleteData = async (id, toggleNotification) => {
   try {
     const { del } = getFetchClient();
-    await del(`${getRequestURL('roles')}/${id}`);
+    await del(`/users-permissions/roles/${id}`);
   } catch (error) {
     toggleNotification({
       type: 'warning',

package/admin/src/translations/zh-Hans.json

@@ -1,82 +1,82 @@
 {
-    "BoundRoute.title": "绑定路由到",
-    "EditForm.inputSelect.description.role": "新验证身份的用户将被赋予所选角色。",
-    "EditForm.inputSelect.label.role": "认证用户的默认角色",
-    "EditForm.inputToggle.description.email": "不允许用户使用不同的认证提供者（绑定的相同的电子邮件地址）来创建多个帐户。",
-    "EditForm.inputToggle.description.email-confirmation": "启用（ON）后，新注册的用户会收到一封确认电子邮件。",
-    "EditForm.inputToggle.description.email-confirmation-redirection": "确认您的电子邮件后，选择将您重定向到的位置。",
-    "EditForm.inputToggle.description.email-reset-password": "应用程序的重置密码页面的 URL",
-    "EditForm.inputToggle.description.sign-up": "当禁用（OFF）时，注册过程将被禁止。任何人无论使用任何的供应商都不可以订阅。",
-    "EditForm.inputToggle.label.email": "每个电子邮件地址一个帐户",
-    "EditForm.inputToggle.label.email-confirmation": "启用电子邮件确认",
-    "EditForm.inputToggle.label.email-confirmation-redirection": "重定向 URL",
-    "EditForm.inputToggle.label.email-reset-password": "重置密码页面 URL",
-    "EditForm.inputToggle.label.sign-up": "启用注册",
-    "EditForm.inputToggle.placeholder.email-confirmation-redirection": "例如: https://yourfrontend.com/reset-password",
-    "EditForm.inputToggle.placeholder.email-reset-password": "例如: https://yourfrontend.com/reset-password",
-    "EditPage.form.roles": "角色详情",
-    "Email.template.data.loaded": "电子邮件模板已加载",
-    "Email.template.email_confirmation": "邮箱地址确认",
-    "Email.template.form.edit.label": "编辑模板",
-    "Email.template.table.action.label": "操作",
-    "Email.template.table.icon.label": "图标",
-    "Email.template.table.name.label": "名称",
-    "Form.advancedSettings.data.loaded": "高级设置数据已加载",
-    "HeaderNav.link.advancedSettings": "高级设置",
-    "HeaderNav.link.emailTemplates": "电子邮件模板",
-    "HeaderNav.link.providers": "提供者",
-    "Plugin.permissions.plugins.description": "定义 {name} 插件所有允许的操作。",
-    "Plugins.header.description": "下面只列出路由绑定的操作。",
-    "Plugins.header.title": "权限",
-    "Policies.header.hint": "选择应用程序或插件的操作，然后点击 COG 图标显示绑定的路由",
-    "Policies.header.title": "高级设置",
-    "PopUpForm.Email.email_templates.inputDescription": "如果你不确定如何使用变量， {link}",
-    "PopUpForm.Email.link.documentation": "查看我们的文档",
-    "PopUpForm.Email.options.from.email.label": "发件人地址",
-    "PopUpForm.Email.options.from.email.placeholder": "kai@doe.com",
-    "PopUpForm.Email.options.from.name.label": "发件人名称",
-    "PopUpForm.Email.options.from.name.placeholder": "Kai Doe",
-    "PopUpForm.Email.options.message.label": "消息",
-    "PopUpForm.Email.options.object.label": "主题",
-    "PopUpForm.Email.options.object.placeholder": "请为%APP_NAME%确认邮箱地址",
-    "PopUpForm.Email.options.response_email.label": "回复邮件",
-    "PopUpForm.Email.options.response_email.placeholder": "kai@doe.com",
-    "PopUpForm.Providers.enabled.description": "如果禁用，用户将无法使用此供应商。",
-    "PopUpForm.Providers.enabled.label": "启用",
-    "PopUpForm.Providers.key.label": "客户端 ID",
-    "PopUpForm.Providers.key.placeholder": "文本",
-    "PopUpForm.Providers.redirectURL.front-end.label": "重定向 URL",
-    "PopUpForm.Providers.redirectURL.label": "添加到{provider}应用配置的跳转URL",
-    "PopUpForm.Providers.secret.label": "客户端秘钥",
-    "PopUpForm.Providers.secret.placeholder": "文本",
-    "PopUpForm.Providers.subdomain.label": "主机URI（子域名）",
-    "PopUpForm.Providers.subdomain.placeholder": "my.subdomain.com",
-    "PopUpForm.header.edit.email-templates": "编辑电子邮件模版",
-    "PopUpForm.header.edit.providers": "编辑提供商",
-    "Providers.data.loaded": "提供商已加载",
-    "Providers.status": "状态",
-    "Roles.empty": "您还没有任何角色。",
-    "Roles.empty.search": "没有与搜索相匹配的角色。",
-    "Settings.roles.deleted": "角色已被删除",
-    "Settings.roles.edited": "角色编辑完成",
-    "Settings.section-label": "用户及权限插件",
-    "components.Input.error.validation.email": "这是一个无效的电子邮件",
-    "components.Input.error.validation.json": "这不符合JSON格式",
-    "components.Input.error.validation.max": "值过高。",
-    "components.Input.error.validation.maxLength": "值过长。",
-    "components.Input.error.validation.min": "值太低。",
-    "components.Input.error.validation.minLength": "值太短。",
-    "components.Input.error.validation.minSupMax": "不能超过上限",
-    "components.Input.error.validation.regex": "该值不符合正则表达式。",
-    "components.Input.error.validation.required": "该值为必填项。",
-    "components.Input.error.validation.unique": "该值已被使用。",
-    "notification.success.submit": "设置已被更新",
-    "page.title": "设置 - 角色",
-    "plugin.description.long": "使用基于 JWT 的完整身份验证过程来保护 API。这个插件还有一个 ACL 策略，允许你管理用户组之间的权限。",
-    "plugin.description.short": "使用基于 JWT 的完整身份验证过程保护 API",
-    "plugin.name": "角色及权限",
-    "popUpWarning.button.cancel": "取消",
-    "popUpWarning.button.confirm": "确认",
-    "popUpWarning.title": "请确认",
-    "popUpWarning.warning.cancel": "你确定你要取消你的修改？"
+  "BoundRoute.title": "绑定路由到",
+  "EditForm.inputSelect.description.role": "新验证身份的用户将被赋予所选角色。",
+  "EditForm.inputSelect.label.role": "认证用户的默认角色",
+  "EditForm.inputToggle.description.email": "不允许用户使用不同的认证提供商但相同的电子邮件地址来创建多个账户。",
+  "EditForm.inputToggle.description.email-confirmation": "启用（开）后，新注册的用户会收到一封确认电子邮件。",
+  "EditForm.inputToggle.description.email-confirmation-redirection": "确认您的电子邮件后，选择将您重定向到的位置。",
+  "EditForm.inputToggle.description.email-reset-password": "应用程序的重置密码页面的网址",
+  "EditForm.inputToggle.description.sign-up": "当禁用（关）时，注册过程将被禁止。任何人无论使用任何的供应商都不可以订阅。",
+  "EditForm.inputToggle.label.email": "每个电子邮件地址对应一个账户",
+  "EditForm.inputToggle.label.email-confirmation": "启用电子邮件确认",
+  "EditForm.inputToggle.label.email-confirmation-redirection": "重定向网址",
+  "EditForm.inputToggle.label.email-reset-password": "重置密码页面网址",
+  "EditForm.inputToggle.label.sign-up": "启用注册",
+  "EditForm.inputToggle.placeholder.email-confirmation-redirection": "例如: https://yourfrontend.com/email-confirmation-redirection",
+  "EditForm.inputToggle.placeholder.email-reset-password": "例如: https://yourfrontend.com/reset-password",
+  "EditPage.form.roles": "角色详情",
+  "Email.template.data.loaded": "电子邮件模板已加载",
+  "Email.template.email_confirmation": "邮箱地址确认",
+  "Email.template.form.edit.label": "编辑模板",
+  "Email.template.table.action.label": "操作",
+  "Email.template.table.icon.label": "图标",
+  "Email.template.table.name.label": "名称",
+  "Form.advancedSettings.data.loaded": "高级设置数据已加载",
+  "HeaderNav.link.advancedSettings": "高级设置",
+  "HeaderNav.link.emailTemplates": "电子邮件模板",
+  "HeaderNav.link.providers": "提供商",
+  "Plugin.permissions.plugins.description": "定义 {name} 插件所有允许的操作。",
+  "Plugins.header.description": "下面只列出路由绑定的操作。",
+  "Plugins.header.title": "权限",
+  "Policies.header.hint": "选择应用程序或插件对应的操作，然后点击齿轮图标显示绑定的路由",
+  "Policies.header.title": "高级设置",
+  "PopUpForm.Email.email_templates.inputDescription": "如果你不确定如何使用变量， {link}",
+  "PopUpForm.Email.link.documentation": "查看我们的文档",
+  "PopUpForm.Email.options.from.email.label": "发件人地址",
+  "PopUpForm.Email.options.from.email.placeholder": "kai@doe.com",
+  "PopUpForm.Email.options.from.name.label": "发件人名称",
+  "PopUpForm.Email.options.from.name.placeholder": "Kai Doe",
+  "PopUpForm.Email.options.message.label": "消息",
+  "PopUpForm.Email.options.object.label": "主题",
+  "PopUpForm.Email.options.object.placeholder": "请为%APP_NAME%确认邮箱地址",
+  "PopUpForm.Email.options.response_email.label": "回复邮件",
+  "PopUpForm.Email.options.response_email.placeholder": "kai@doe.com",
+  "PopUpForm.Providers.enabled.description": "如果禁用，用户将无法使用此供应商。",
+  "PopUpForm.Providers.enabled.label": "启用",
+  "PopUpForm.Providers.key.label": "客户端 ID",
+  "PopUpForm.Providers.key.placeholder": "文本",
+  "PopUpForm.Providers.redirectURL.front-end.label": "重定向网址",
+  "PopUpForm.Providers.redirectURL.label": "添加到{provider}应用配置的跳转网址",
+  "PopUpForm.Providers.secret.label": "客户端秘钥",
+  "PopUpForm.Providers.secret.placeholder": "文本",
+  "PopUpForm.Providers.subdomain.label": "主机URI（子域名）",
+  "PopUpForm.Providers.subdomain.placeholder": "my.subdomain.com",
+  "PopUpForm.header.edit.email-templates": "编辑电子邮件模版",
+  "PopUpForm.header.edit.providers": "编辑提供商",
+  "Providers.data.loaded": "提供商已加载",
+  "Providers.status": "状态",
+  "Roles.empty": "您还没有任何角色。",
+  "Roles.empty.search": "没有与搜索相匹配的角色。",
+  "Settings.roles.deleted": "角色已被删除",
+  "Settings.roles.edited": "角色编辑完成",
+  "Settings.section-label": "用户及权限插件",
+  "components.Input.error.validation.email": "这是一个无效的电子邮件",
+  "components.Input.error.validation.json": "这不符合JSON格式",
+  "components.Input.error.validation.max": "值过高。",
+  "components.Input.error.validation.maxLength": "值过长。",
+  "components.Input.error.validation.min": "值太低。",
+  "components.Input.error.validation.minLength": "值太短。",
+  "components.Input.error.validation.minSupMax": "不能超过上限",
+  "components.Input.error.validation.regex": "该值不符合正则表达式。",
+  "components.Input.error.validation.required": "该值为必填项。",
+  "components.Input.error.validation.unique": "该值已被使用。",
+  "notification.success.submit": "设置已被更新",
+  "page.title": "设置 - 角色",
+  "plugin.description.long": "使用基于 JWT 的完整身份验证过程来保护 API。这个插件还有一个 ACL 策略，允许你管理用户组之间的权限。",
+  "plugin.description.short": "使用基于 JWT 的完整身份验证过程保护 API",
+  "plugin.name": "用户及权限插件",
+  "popUpWarning.button.cancel": "取消",
+  "popUpWarning.button.confirm": "确认",
+  "popUpWarning.title": "请确认",
+  "popUpWarning.warning.cancel": "你确定你要取消你的修改？"
 }

package/admin/src/utils/index.js

@@ -1,4 +1,3 @@
 export { default as cleanPermissions } from './cleanPermissions';
 export { default as formatPolicies } from './formatPolicies';
-export { default as getRequestURL } from './getRequestURL';
 export { default as getTrad } from './getTrad';

package/documentation/content-api.yaml

@@ -93,7 +93,7 @@ paths:
         required: true
       responses:
         200:
-          description: Successfull registration
+          description: Successful registration
           content:
             application/json:
               schema:

package/jest.config.front.js

@@ -3,5 +3,5 @@
 module.exports = {
   preset: '../../../jest-preset.front.js',
   displayName: 'Users & Permissions plugin',
-  setupFilesAfterEnv: ['./tests/setup.js'],
+  setupFilesAfterEnv: ['./admin/src/tests/setup.js'],
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@strapi/plugin-users-permissions",
-  "version": "0.0.0-next.c593a2735b35c69d2c421003b6f80adf72fcf16e",
+  "version": "0.0.0-next.ce51df0e18404afc8a1aa7f504c1006a7a221459",
   "description": "Protect your API with a full-authentication process based on JWT",
   "repository": {
     "type": "git",
@@ -29,26 +29,26 @@
     "lint": "run -T eslint ."
   },
   "dependencies": {
-    "@strapi/design-system": "1.8.0",
-    "@strapi/helper-plugin": "0.0.0-next.c593a2735b35c69d2c421003b6f80adf72fcf16e",
-    "@strapi/icons": "1.8.0",
-    "@strapi/utils": "0.0.0-next.c593a2735b35c69d2c421003b6f80adf72fcf16e",
+    "@strapi/design-system": "1.9.0",
+    "@strapi/helper-plugin": "0.0.0-next.ce51df0e18404afc8a1aa7f504c1006a7a221459",
+    "@strapi/icons": "1.9.0",
+    "@strapi/utils": "0.0.0-next.ce51df0e18404afc8a1aa7f504c1006a7a221459",
     "bcryptjs": "2.4.3",
     "formik": "2.4.0",
     "grant-koa": "5.4.8",
     "immer": "9.0.19",
     "jsonwebtoken": "9.0.0",
     "jwk-to-pem": "2.0.5",
-    "koa": "^2.13.4",
+    "koa": "2.13.4",
     "koa2-ratelimit": "^1.1.2",
     "lodash": "4.17.21",
     "prop-types": "^15.8.1",
     "purest": "4.0.2",
     "react-intl": "6.4.1",
     "react-query": "3.39.3",
-    "react-redux": "8.0.5",
+    "react-redux": "8.1.1",
     "url-join": "4.0.1",
-    "yup": "^0.32.9"
+    "yup": "0.32.9"
   },
   "devDependencies": {
     "@testing-library/dom": "9.2.0",
@@ -67,7 +67,7 @@
     "styled-components": "5.3.3"
   },
   "engines": {
-    "node": ">=14.19.1 <=18.x.x",
+    "node": ">=16.0.0 <=20.x.x",
     "npm": ">=6.0.0"
   },
   "strapi": {
@@ -77,5 +77,5 @@
     "required": true,
     "kind": "plugin"
   },
-  "gitHead": "c593a2735b35c69d2c421003b6f80adf72fcf16e"
+  "gitHead": "ce51df0e18404afc8a1aa7f504c1006a7a221459"
 }

package/server/bootstrap/index.js

@@ -10,10 +10,12 @@
 const crypto = require('crypto');
 const _ = require('lodash');
 const urljoin = require('url-join');
+const { isArray } = require('lodash/fp');
 const { getService } = require('../utils');
 const getGrantConfig = require('./grant-config');
 
 const usersPermissionsActions = require('./users-permissions-actions');
+const userSchema = require('../content-types/user');
 
 const initGrant = async (pluginStore) => {
   const apiPrefix = strapi.config.get('api.rest.prefix');
@@ -97,6 +99,26 @@ const initAdvancedOptions = async (pluginStore) => {
   }
 };
 
+const userSchemaAdditions = () => {
+  const defaultSchema = Object.keys(userSchema.attributes);
+  const currentSchema = Object.keys(
+    strapi.contentTypes['plugin::users-permissions.user'].attributes
+  );
+
+  // Some dynamic fields may not have been initialized yet, so we need to ignore them
+  // TODO: we should have a global method for finding these
+  const ignoreDiffs = [
+    'createdBy',
+    'createdAt',
+    'updatedBy',
+    'updatedAt',
+    'publishedAt',
+    'strapi_reviewWorkflows_stage',
+  ];
+
+  return currentSchema.filter((key) => !(ignoreDiffs.includes(key) || defaultSchema.includes(key)));
+};
+
 module.exports = async ({ strapi }) => {
   const pluginStore = strapi.store({ type: 'plugin', name: 'users-permissions' });
 
@@ -130,4 +152,17 @@ For security reasons, prefer storing the secret in an environment variable and r
       );
     }
   }
+
+  // TODO v5: Remove this block of code and default allowedFields to empty array
+  if (!isArray(strapi.config.get('plugin.users-permissions.register.allowedFields'))) {
+    const modifications = userSchemaAdditions();
+    if (modifications.length > 0) {
+      // if there is a potential vulnerability, show a warning
+      strapi.log.warn(
+        `Users-permissions registration has defaulted to accepting the following additional user fields during registration: ${modifications.join(
+          ','
+        )}`
+      );
+    }
+  }
 };

package/server/controllers/auth.js

@@ -9,7 +9,11 @@
 /* eslint-disable no-useless-escape */
 const crypto = require('crypto');
 const _ = require('lodash');
+const { concat, compact, isArray } = require('lodash/fp');
 const utils = require('@strapi/utils');
+const {
+  contentTypes: { getNonWritableAttributes },
+} = require('@strapi/utils');
 const { getService } = require('../utils');
 const {
   validateCallbackBody,
@@ -273,20 +277,49 @@ module.exports = {
       throw new ApplicationError('Register action is currently disabled');
     }
 
+    const { register } = strapi.config.get('plugin.users-permissions');
+    const alwaysAllowedKeys = ['username', 'password', 'email'];
+    const userModel = strapi.contentTypes['plugin::users-permissions.user'];
+    const { attributes } = userModel;
+
+    const nonWritable = getNonWritableAttributes(userModel);
+
+    const allowedKeys = compact(
+      concat(
+        alwaysAllowedKeys,
+        isArray(register?.allowedFields)
+          ? // Note that we do not filter allowedFields in case a user explicitly chooses to allow a private or otherwise omitted field on registration
+            register.allowedFields // if null or undefined, compact will remove it
+          : // to prevent breaking changes, if allowedFields is not set in config, we only remove private and known dangerous user schema fields
+            // TODO V5: allowedFields defaults to [] when undefined and remove this case
+            Object.keys(attributes).filter(
+              (key) =>
+                !nonWritable.includes(key) &&
+                !attributes[key].private &&
+                ![
+                  // many of these are included in nonWritable, but we'll list them again to be safe and since we're removing this code in v5 anyway
+                  // Strapi user schema fields
+                  'confirmed',
+                  'blocked',
+                  'confirmationToken',
+                  'resetPasswordToken',
+                  'provider',
+                  'id',
+                  'role',
+                  // other Strapi fields that might be added
+                  'createdAt',
+                  'updatedAt',
+                  'createdBy',
+                  'updatedBy',
+                  'publishedAt', // d&p
+                  'strapi_reviewWorkflows_stage', // review workflows
+                ].includes(key)
+            )
+      )
+    );
+
     const params = {
-      ..._.omit(ctx.request.body, [
-        'confirmed',
-        'blocked',
-        'confirmationToken',
-        'resetPasswordToken',
-        'provider',
-        'id',
-        'createdAt',
-        'updatedAt',
-        'createdBy',
-        'updatedBy',
-        'role',
-      ]),
+      ..._.pick(ctx.request.body, allowedKeys),
       provider: 'local',
     };
 

package/server/controllers/user.js

@@ -11,7 +11,7 @@ const utils = require('@strapi/utils');
 const { getService } = require('../utils');
 const { validateCreateUserBody, validateUpdateUserBody } = require('./validation/user');
 
-const { sanitize } = utils;
+const { sanitize, validate } = utils;
 const { ApplicationError, ValidationError, NotFoundError } = utils.errors;
 
 const sanitizeOutput = async (user, ctx) => {
@@ -21,6 +21,13 @@ const sanitizeOutput = async (user, ctx) => {
   return sanitize.contentAPI.output(user, schema, { auth });
 };
 
+const validateQuery = async (query, ctx) => {
+  const schema = strapi.getModel('plugin::users-permissions.user');
+  const { auth } = ctx.state;
+
+  return validate.contentAPI.query(query, schema, { auth });
+};
+
 const sanitizeQuery = async (query, ctx) => {
   const schema = strapi.getModel('plugin::users-permissions.user');
   const { auth } = ctx.state;
@@ -143,6 +150,7 @@ module.exports = {
    * @return {Object|Array}
    */
   async find(ctx) {
+    await validateQuery(ctx.query, ctx);
     const sanitizedQuery = await sanitizeQuery(ctx.query, ctx);
     const users = await getService('user').fetchAll(sanitizedQuery);
 
@@ -155,6 +163,7 @@ module.exports = {
    */
   async findOne(ctx) {
     const { id } = ctx.params;
+    await validateQuery(ctx.query, ctx);
     const sanitizedQuery = await sanitizeQuery(ctx.query, ctx);
 
     let data = await getService('user').fetch(id, sanitizedQuery);
@@ -171,6 +180,7 @@ module.exports = {
    * @return {Number}
    */
   async count(ctx) {
+    await validateQuery(ctx.query, ctx);
     const sanitizedQuery = await sanitizeQuery(ctx.query, ctx);
 
     ctx.body = await getService('user').count(sanitizedQuery);
@@ -201,6 +211,7 @@ module.exports = {
       return ctx.unauthorized();
     }
 
+    await validateQuery(query, ctx);
     const sanitizedQuery = await sanitizeQuery(query, ctx);
     const user = await getService('user').fetch(authUser.id, sanitizedQuery);