Add privateAttributes to global and per model response

docs/v3.x/concepts/configurations.md

@@ -192,6 +192,25 @@ module.exports = ({ env }) => ({
 | `admin.forgotPassword.from` | Sender mail address | string | Default value defined in your [provider configuration](../plugins/email.md#configure-the-plugin) |
 | `admin.forgotPassword.replyTo` | Default address or addresses the receiver is asked to reply to | string | Default value defined in your [provider configuration](../plugins/email.md#configure-the-plugin) |
 
+## API
+
+**Path —** `./config/api.js`.
+
+```js
+module.exports = ({ env }) => ({
+  responses: {
+    privateAttributes: ['_v', 'id', 'created_at'],
+  },
+});
+```
+
+**Available options**
+
+| Property                      | Description                                                                                                                                                       | Type         | Default |
+| ----------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------ | ------- |
+| `responses`                   | Global API response configuration                                                                                                                                 | Object       |         |
+| `responses.privateAttributes` | Set of globally defined attributes to be treated as private. E.g. `_v` when using MongoDb or timestamps like `created_at`, `updated_at` can be treated as private | String array | `[]`    |
+
 ## Functions
 
 The `./config/functions/` folder contains a set of JavaScript files in order to add dynamic and logic based configurations.

docs/v3.x/concepts/models.md

@@ -92,7 +92,7 @@ Use the CLI, and run the following command `strapi generate:model restaurant nam
 
 This will create two files located at `./api/restaurant/models`:
 
-- `Restaurant.settings.json`: contains the list of attributes and settings. The JSON format makes the file easily editable.
+- `Restaurant.settings.json`: contains the list of attributes and settings. The JSON format makes the file easily editable.
 - `Restaurant.js`: imports `Restaurant.settings.json` and extends it with additional settings and life cycle callbacks.
 
 ::: tip
@@ -164,12 +164,18 @@ The options key on the model-json states.
 
 - `timestamps`: This tells the model which attributes to use for timestamps. Accepts either `boolean` or `Array` of strings where first element is create date and second element is update date. Default value when set to `true` for Bookshelf is `["created_at", "updated_at"]` and for MongoDB is `["createdAt", "updatedAt"]`.
 
+- `privateAttributes`: This configuration allows to treat a set of attributes as private, even if they're not actually defined as attributes in the model. Accepts an `Array` of strings. It could be used to remove from API responses timestamps or `_v` when using MongoDB. The set of `privateAttributes` defined in the model are merged with the `privateAttributes` defined in the global Strapi configuration.
+
+- `ignorePrivateFor`: This configuration allows to ignore some attributes from the global `privateAttributes` configuration. Accepts an `Array` of strings. The attributes defined in this `Array` will be removed from the `Array` of the global and local `privateAttributes` configuration.
+
 **Path —** `User.settings.json`.
 
 ```json
 {
   "options": {
-    "timestamps": true
+    "timestamps": true,
+    "privateAttributes": ["id", "created_at"],
+    "ignorePrivateFor": ["some_global_private"]
   }
 }
 ```

packages/strapi-admin/services/__tests__/permissions-manager.test.js

@@ -84,6 +84,9 @@ describe('Permissions Manager', () => {
           options: {},
         };
       },
+      config: {
+        get: jest.fn,
+      },
     };
 
     test('Pick all fields (output) using default model', () => {

packages/strapi-plugin-graphql/services/type-definitions.js

@@ -41,8 +41,14 @@ const buildTypeDefObj = model => {
     typeDef[updatedAtKey] = 'DateTime!';
   }
 
+  const ignoredPrivateAttributes = getIgnoredPrivateAttributes(model);
+
   Object.keys(attributes)
-    .filter(attributeName => attributes[attributeName].private !== true)
+    .filter(
+      attributeName =>
+        attributes[attributeName].private !== true &&
+        !ignoredPrivateAttributes.includes(attributeName)
+    )
     .forEach(attributeName => {
       const attribute = attributes[attributeName];
       // Convert our type to the GraphQL type.
@@ -56,17 +62,43 @@ const buildTypeDefObj = model => {
   // Change field definition for collection relations
   associations
     .filter(association => association.type === 'collection')
-    .filter(association => attributes[association.alias].private !== true)
+    .filter(
+      association =>
+        attributes[association.alias].private !== true &&
+        !ignoredPrivateAttributes.includes(association.alias)
+    )
     .forEach(association => {
       typeDef[`${association.alias}(sort: String, limit: Int, start: Int, where: JSON)`] =
         typeDef[association.alias];
 
       delete typeDef[association.alias];
     });
 
+  // Remove private attributes (which are not attributes) defined per model or globally
+  const privateAttributes = getPrivateAttributes(model);
+  privateAttributes.forEach(attr => {
+    if (typeDef[attr]) {
+      delete typeDef[attr];
+    }
+  });
+
   return typeDef;
 };
 
+const getIgnoredPrivateAttributes = model => {
+  return _.get(model, 'options.ignorePrivateFor', []);
+};
+
+const getPrivateAttributes = model => {
+  const allPrivatesAttributes = _.union(
+    strapi.config.get('api.responses.privateAttributes', []),
+    _.get(model, 'options.privateAttributes', [])
+  );
+  const ignoredPrivateAttributes = getIgnoredPrivateAttributes(model);
+
+  return _.difference(allPrivatesAttributes, ignoredPrivateAttributes);
+};
+
 const generateEnumDefinitions = (attributes, globalId) => {
   return Object.keys(attributes)
     .filter(attribute => attributes[attribute].type === 'enumeration')