From cff8fd904149ab993df73ec144490e16d17a926b Mon Sep 17 00:00:00 2001
From: Victor LAMBERT <vic.lambert195@gmail.com>
Date: Sat, 16 Nov 2019 01:05:21 +0100
Subject: [PATCH] Populate only role relation to authorize user

---
 .../config/policies/permissions.js                            | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/packages/strapi-plugin-users-permissions/config/policies/permissions.js b/packages/strapi-plugin-users-permissions/config/policies/permissions.js
index 55ae6bf4ad..e4fd13b294 100644
--- a/packages/strapi-plugin-users-permissions/config/policies/permissions.js
+++ b/packages/strapi-plugin-users-permissions/config/policies/permissions.js
@@ -16,11 +16,11 @@ module.exports = async (ctx, next) => {
       if (isAdmin) {
         ctx.state.admin = await strapi
           .query('administrator', 'admin')
-          .findOne({ id });
+          .findOne({ id }, ['role']);
       } else {
         ctx.state.user = await strapi
           .query('user', 'users-permissions')
-          .findOne({ id });
+          .findOne({ id }, ['role']);
       }
     } catch (err) {
       return handleErrors(ctx, err, 'unauthorized');