Remove password and token from fetchable data USER API / AUTH

packages/strapi-plugin-users-permissions/admin/src/containers/AuthPage/index.js

@@ -14,7 +14,7 @@ import { findIndex, get, isBoolean, isEmpty, map, replace } from 'lodash';
 import cn from 'classnames';
 
 // Logo
-import LogoStrapi from 'assets/images/logo.svg';
+import LogoStrapi from 'assets/images/logo_strapi.png';
 
 // Design
 import Button from 'components/Button';

packages/strapi-plugin-users-permissions/config/roles.json

@@ -174,6 +174,10 @@
             }
           },
           "user": {
+            "identity": {
+              "enabled": true,
+              "policy": ""
+            },
             "find": {
               "enabled": true,
               "policy": ""
@@ -193,10 +197,6 @@
             "destroy": {
               "enabled": true,
               "policy": ""
-            },
-            "identity": {
-              "enabled": true,
-              "policy": ""
             }
           },
           "userspermissions": {
@@ -430,11 +430,15 @@
               "policy": ""
             },
             "changePassword": {
-              "enabled": true,
+              "enabled": false,
               "policy": ""
             }
           },
           "user": {
+            "identity": {
+              "enabled": false,
+              "policy": ""
+            },
             "find": {
               "enabled": true,
               "policy": ""
@@ -454,10 +458,6 @@
             "destroy": {
               "enabled": false,
               "policy": ""
-            },
-            "identity": {
-              "enabled": false,
-              "policy": ""
             }
           },
           "userspermissions": {

packages/strapi-plugin-users-permissions/controllers/Auth.js

@@ -57,7 +57,7 @@ module.exports = {
       } else {
         ctx.send({
           jwt: strapi.plugins['users-permissions'].services.jwt.issue(user),
-          user: user
+          user: _.omit(user.toJSON(), ['password', 'resetPasswordToken'])
         });
       }
     } else {
@@ -100,7 +100,7 @@ module.exports = {
 
     ctx.send({
       jwt: strapi.plugins['users-permissions'].services.jwt.issue(user),
-      user: user
+      user: _.omit(user.toJSON(), ['password', 'resetPasswordToken'])
     });
   },
 
@@ -170,7 +170,7 @@ module.exports = {
 
       ctx.send({
         jwt: strapi.plugins['users-permissions'].services.jwt.issue(user),
-        user: user
+        user: _.omit(user.toJSON(), ['password', 'resetPasswordToken'])
       });
     } else if (params.password && params.passwordConfirmation && params.password !== params.passwordConfirmation) {
       return ctx.badRequest(null, ctx.request.admin ? [{ messages: [{ id: 'Auth.form.error.password.matching' }] }] : 'Passwords do not match.');

packages/strapi-plugin-users-permissions/controllers/User.js

@@ -17,20 +17,32 @@ module.exports = {
    */
 
   find: async (ctx) => {
-    const data = await strapi.plugins['users-permissions'].services.user.fetchAll(ctx.query);
+    let data = await strapi.plugins['users-permissions'].services.user.fetchAll(ctx.query);
+
+    if (data) {
+      data = _.reduce(data, (acc, user) => {
+        acc.push(_.omit(user.toJSON(), ['password', 'resetPasswordToken']));
+        return acc;
+      }, []);
+    }
 
     // Send 200 `ok`
     ctx.send(data);
   },
 
   /**
+}
    * Retrieve a user record.
    *
    * @return {Object}
    */
 
   findOne: async (ctx) => {
-    const data = await strapi.plugins['users-permissions'].services.user.fetch(ctx.params);
+    let data = await strapi.plugins['users-permissions'].services.user.fetch(ctx.params);
+
+    if (data) {
+      data = _.omit(data.toJSON(), ['password', 'resetPasswordToken']);
+    }
 
     // Send 200 `ok`
     ctx.send(data);