From 37e97d621960bb46b998b508029ff4944f6e80ce Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Rosato?=
Date: Fri, 8 May 2020 15:00:27 +0200
Subject: [PATCH] Prevent user registration with confirmed status
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Pull request https://github.com/strapi/strapi/pull/6072 aimed to add security by preventing creation of user with email confirmation enabled. By limiting user params to 'username', 'email', 'password', the current code do not allow adding custom field to user entity during registration which may breaks existing applications that have added required custom fields into user model .

Signed-off-by: François Rosato
---
 packages/strapi-plugin-users-permissions/controllers/Auth.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/strapi-plugin-users-permissions/controllers/Auth.js b/packages/strapi-plugin-users-permissions/controllers/Auth.js
index 7b0f34f4c1..080f7d6b5b 100644
--- a/packages/strapi-plugin-users-permissions/controllers/Auth.js
+++ b/packages/strapi-plugin-users-permissions/controllers/Auth.js
@@ -395,7 +395,7 @@ module.exports = {
 }
 const params = {
-..._.pick(ctx.request.body, ['username', 'email', 'password']),
+..._.omit(ctx.request.body, ['confirmed', 'resetPasswordToken']),
 provider: 'local',
 };
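Review bot: Replacing the `_.pick` allowlist with an `_.omit` denylist on the added line turns registration into a mass-assignment surface: every attribute of the user model that is not named in the omit list — including any server-owned field such as `blocked` or `role`, which this plugin's user model carries — becomes settable by the unauthenticated caller unless the code below the hunk overrides it, and every attribute added to the model later is exposed by default. The safer shape keeps the allowlist and widens it deliberately, e.g. `const allowedFields = Object.keys(strapi.plugins['users-permissions'].models.user.attributes).filter((k) => !PROTECTED_FIELDS.includes(k));` with `PROTECTED_FIELDS` naming the server-owned attributes (at least `confirmed`, `resetPasswordToken`, `blocked`, `role`, `provider`), then `..._.pick(ctx.request.body, allowedFields),` — the exact model lookup path should be confirmed against the plugin's model registry. If the denylist is kept, it should at minimum be a single shared constant that is also applied wherever user-supplied bodies reach `user.edit`, so the two lists cannot drift. The enclosing register handler starts and ends outside the hunk, so it is unclear from here which of these fields are reassigned afterwards.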