From 15e4f9985f7b85f36380ccd552d3ebd30ff8916d Mon Sep 17 00:00:00 2001
From: Jim Laurie
Date: Wed, 6 Dec 2017 14:15:27 +0100
Subject: [PATCH] Remove password and token from fetchable data USER API / AUTH
---
 .../admin/src/containers/AuthPage/index.js | 2 +-
 .../config/roles.json | 18 +++++++++---------
 .../controllers/Auth.js | 6 +++---
 .../controllers/User.js | 16 ++++++++++++++--
 4 files changed, 27 insertions(+), 15 deletions(-)
diff --git a/packages/strapi-plugin-users-permissions/admin/src/containers/AuthPage/index.js b/packages/strapi-plugin-users-permissions/admin/src/containers/AuthPage/index.js
index f3c318f695..f7d4a5a591 100644
--- a/packages/strapi-plugin-users-permissions/admin/src/containers/AuthPage/index.js
+++ b/packages/strapi-plugin-users-permissions/admin/src/containers/AuthPage/index.js
@@ -14,7 +14,7 @@ import { findIndex, get, isBoolean, isEmpty, map, replace } from 'lodash';
 import cn from 'classnames';
 // Logo
-import LogoStrapi from 'assets/images/logo.svg';
+import LogoStrapi from 'assets/images/logo_strapi.png';
 // Design
 import Button from 'components/Button';
diff --git a/packages/strapi-plugin-users-permissions/config/roles.json b/packages/strapi-plugin-users-permissions/config/roles.json
index 3c8f72056b..a3b716b7b6 100644
--- a/packages/strapi-plugin-users-permissions/config/roles.json
+++ b/packages/strapi-plugin-users-permissions/config/roles.json
@@ -174,6 +174,10 @@
 }
 },
 "user": {
+ "identity": {
+ "enabled": true,
+ "policy": ""
+ },
 "find": {
 "enabled": true,
 "policy": ""
@@ -193,10 +197,6 @@
 "destroy": {
 "enabled": true,
 "policy": ""
- },
- "identity": {
- "enabled": true,
- "policy": ""
 }
 },
 "userspermissions": {
@@ -430,11 +430,15 @@
 "policy": ""
 },
 "changePassword": {
- "enabled": true,
+ "enabled": false,
 "policy": ""
 }
 },
 "user": {
+ "identity": {
+ "enabled": false,
+ "policy": ""
+ },
 "find": {
 "enabled": true,
 "policy": ""
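Review bot: The -430 hunk of roles.json flips `changePassword` from `"enabled": true` to `"enabled": false` in the second role block, a permission change that the subject line (`Remove password and token from fetchable data`) does not mention and that deserves a sentence in the description; which role that block belongs to is not visible here, though its disabled `destroy` suggests the public one. The `identity` entry is only moved from after `destroy` to before `find` in both role blocks (hunks -174/-193 and -430/-454) with its values unchanged, so if key order carries no meaning for the loader the move just adds diff noise around the real flag change. Leaving `identity` where it was would reduce the file's four hunks to the one that changes a value.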
@@ -454,10 +458,6 @@
 "destroy": {
 "enabled": false,
 "policy": ""
- },
- "identity": {
- "enabled": false,
- "policy": ""
 }
 },
 "userspermissions": {
diff --git a/packages/strapi-plugin-users-permissions/controllers/Auth.js b/packages/strapi-plugin-users-permissions/controllers/Auth.js
index 905d149daf..291836c61f 100644
--- a/packages/strapi-plugin-users-permissions/controllers/Auth.js
+++ b/packages/strapi-plugin-users-permissions/controllers/Auth.js
@@ -57,7 +57,7 @@ module.exports = {
 } else {
 ctx.send({
 jwt: strapi.plugins['users-permissions'].services.jwt.issue(user),
- user: user
+ user: _.omit(user.toJSON(), ['password', 'resetPasswordToken'])
 });
 }
 } else {
@@ -100,7 +100,7 @@ module.exports = {
 ctx.send({
 jwt: strapi.plugins['users-permissions'].services.jwt.issue(user),
- user: user
+ user: _.omit(user.toJSON(), ['password', 'resetPasswordToken'])
 });
 },
@@ -170,7 +170,7 @@ module.exports = {
 ctx.send({
 jwt: strapi.plugins['users-permissions'].services.jwt.issue(user),
- user: user
+ user: _.omit(user.toJSON(), ['password', 'resetPasswordToken'])
 });
 } else if (params.password && params.passwordConfirmation && params.password !== params.passwordConfirmation) {
 return ctx.badRequest(null, ctx.request.admin ? [{ messages: [{ id: 'Auth.form.error.password.matching' }] }] : 'Passwords do not match.');
diff --git a/packages/strapi-plugin-users-permissions/controllers/User.js b/packages/strapi-plugin-users-permissions/controllers/User.js
index efe2a40fdd..fbbda04090 100644
--- a/packages/strapi-plugin-users-permissions/controllers/User.js
+++ b/packages/strapi-plugin-users-permissions/controllers/User.js
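Review bot: The same two-field deny-list `['password', 'resetPasswordToken']` is hand-copied into three `ctx.send` calls in Auth.js (the -57, -100 and -170 hunks) and again into `find` and `findOne` in User.js, so a sensitive column added to the user model later has to be remembered in five places before it stops leaking. A single helper in the users-permissions user service, e.g. `const sanitizeUser = (user) => _.omit(user.toJSON(), ['password', 'resetPasswordToken']);` called as `user: sanitizeUser(user)`, gives one place to keep that list current. Each send now also assumes `user` is an ORM record with a `toJSON()` method; where `user` comes from is outside these hunks, so if a plain object can reach them the call would throw where the old `user: user` did not. The enclosing actions start and end outside the hunks.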
@@ -17,20 +17,32 @@ module.exports = {
 */
 find: async (ctx) => {
- const data = await strapi.plugins['users-permissions'].services.user.fetchAll(ctx.query);
+ let data = await strapi.plugins['users-permissions'].services.user.fetchAll(ctx.query);
+
+ if (data) {
+ data = _.reduce(data, (acc, user) => {
+ acc.push(_.omit(user.toJSON(), ['password', 'resetPasswordToken']));
+ return acc;
+ }, []);
+ }
 // Send 200 `ok`
 ctx.send(data);
 },
 /**
+}
 * Retrieve a user record.
 *
 * @return {Object}
 */
 findOne: async (ctx) => {
- const data = await strapi.plugins['users-permissions'].services.user.fetch(ctx.params);
+ let data = await strapi.plugins['users-permissions'].services.user.fetch(ctx.params);
+
+ if (data) {
+ data = _.omit(data.toJSON(), ['password', 'resetPasswordToken']);
+ }
 // Send 200 `ok`
 ctx.send(data);
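Review bot: The `+}` line inserted directly after the `/**` that opens findOne's doc comment is a stray edit; it lands inside the block comment so the file still parses, but it leaves a bare `}` in the JSDoc text and should be removed. In find, the `_.reduce` that pushes into an accumulator is a plain map, and `data = _.map(data, (user) => _.omit(user.toJSON(), ['password', 'resetPasswordToken']));` expresses the same thing in one statement. The `if (data)` guard in find is presumably there for a null result from `fetchAll`; an empty array is truthy and passes through the map unchanged, which is fine. The enclosing `module.exports` object starts before and ends after the hunk.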