From 2319c6d15ee54813d34238209d93c26c5474da9f Mon Sep 17 00:00:00 2001
From: Fernando Chavez
Date: Tue, 13 Jun 2023 04:12:47 +0200
Subject: [PATCH] show creator fields only if user has admin read permissions
---
 .../AttributeFilter/hooks/useAllowedAttributes.js | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/packages/core/admin/admin/src/content-manager/components/AttributeFilter/hooks/useAllowedAttributes.js b/packages/core/admin/admin/src/content-manager/components/AttributeFilter/hooks/useAllowedAttributes.js
index b8441cd590..53c7777606 100644
--- a/packages/core/admin/admin/src/content-manager/components/AttributeFilter/hooks/useAllowedAttributes.js
+++ b/packages/core/admin/admin/src/content-manager/components/AttributeFilter/hooks/useAllowedAttributes.js
@@ -5,6 +5,7 @@ import { useIntl } from 'react-intl';

 const NOT_ALLOWED_FILTERS = ['json', 'component', 'media', 'richtext', 'dynamiczone', 'password'];
 const TIMESTAMPS = ['createdAt', 'updatedAt'];
+const CREATOR_ATTRIBUTES = ['createdBy', 'updatedBy'];

 const useAllowedAttributes = (contentType, slug) => {
 const { allPermissions } = useRBACProvider();
@@ -21,6 +22,14 @@ const useAllowedAttributes = (contentType, slug) => {
 },
 ]);

+ const canReadAdminUsers =
+ findMatchingPermissions(allPermissions, [
+ {
+ action: 'admin::users.read',
+ subject: null,
+ },
+ ]).length > 0;
+
 const readPermissionForAttr = get(readPermissionsForSlug, ['0', 'properties', 'fields'], []);
 const attributesArray = Object.keys(get(contentType, ['attributes']), {});
 const allowedAttributes = attributesArray
@@ -39,6 +48,10 @@ const useAllowedAttributes = (contentType, slug) => {
 return false;
 }

+ if (CREATOR_ATTRIBUTES.includes(attr) && !canReadAdminUsers) {
+ return false;
+ }
+
 return true;
 })
 .sort((a, b) => formatter.compare(a, b));
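Review bot: The `canReadAdminUsers` lookup carries no comment saying why `admin::users.read` is the permission that gates the creator fields, so the reason is only recoverable from the commit subject. I would add above it `// createdBy/updatedBy presumably reference admin users; offer them as filters only when the user may read admin users`. The lookup matches on action and a null subject only, so any conditions attached to that permission are not evaluated here as far as this hunk shows. The hook's body starts and ends outside the hunk.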
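Review bot: The `CREATOR_ATTRIBUTES` check in the filter callback only removes `createdBy`/`updatedBy` from the list this hook returns, so it limits what the admin UI offers and not what the API accepts. The patch touches one client-side file and shows no server-side rejection or sanitising of filters on these relations for users without `admin::users.read`. If that enforcement is missing in the content-manager backend, the restriction is cosmetic and should be added there as well. A unit test of the hook with and without the permission would pin the new branch. The callback starts outside the hunk.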