Prevent user registration with confirmed status

Pull request https://github.com/strapi/strapi/pull/6072 aimed to add security by preventing creation of user with email confirmation enabled. By limiting user params to 'username', 'email', 'password', the current code do not allow adding custom field to user entity during registration which may breaks existing applications that have added required custom fields into user model . Signed-off-by: François Rosato <francois.rosato@ekino.com>
2025-11-01 18:33:55 +00:00 · 2020-05-08 15:00:27 +02:00 · 2020-05-08 15:00:27 +02:00 · 37e97d6219
commit 37e97d6219
parent cd8ccb3c7a
1 changed files with 1 additions and 1 deletions
--- a/packages/strapi-plugin-users-permissions/controllers/Auth.js
+++ b/packages/strapi-plugin-users-permissions/controllers/Auth.js
@ -395,7 +395,7 @@ module.exports = {
    }

    const params = {
-      ..._.pick(ctx.request.body, ['username', 'email', 'password']),
+      ..._.omit(ctx.request.body, ['confirmed', 'resetPasswordToken']),
      provider: 'local',
    };