Hide creator fields from public api by default

[Convly]

❓ What has been done?

🙅 Removed the creator's fields (updated_by, created_by) by default from public API responses.

🔧 Added a model option to populate and return the creator's fields in public API responses (populateCreatorFields)

✅ Added new utilities to centralize checks on the attribute's privacy.

🌄 Removed the creator's fields from upload's controller routes.

🐛 Fixed GraphQL behavior with privates attributes (removed computed private attributes from resolvers generation)

🗒️ Notes

@alexandrebodin, @petersg83, I went with populateCreatorFields as the name of the model option but any feedback or suggestion is welcome

resolve #7177
resolve #8069

[derrickmehaffy]

Should move docs to the v3 not v3-beta

[codecov]

Codecov Report

Merging #8052 into master will increase coverage by 0.05%.
The diff coverage is 47.76%.

@@            Coverage Diff             @@
##           master    #8052      +/-   ##
==========================================
+ Coverage   32.71%   32.77%   +0.05%     
==========================================
  Files        1194     1197       +3     
  Lines       12969    13019      +50     
  Branches     1280     1286       +6     
==========================================
+ Hits         4243     4267      +24     
- Misses       7886     7907      +21     
- Partials      840      845       +5     

Flag	Coverage Δ
#front	24.80% <16.66%> (-0.01%)	⬇️
#unit	53.88% <50.81%> (-0.01%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
...n/src/containers/NotificationProvider/selectors.js	0.00% <0.00%> (ø)
...-manager/admin/src/components/Wysiwyg/constants.js	0.00% <ø> (ø)
...nt-manager/admin/src/components/Wysiwyg/helpers.js	0.00% <ø> (ø)
...cumentation/admin/src/containers/HomePage/index.js	0.00% <ø> (ø)
...ugin-upload/admin/src/components/EditForm/index.js	0.00% <0.00%> (ø)
.../containers/InputModalStepper/InputModalStepper.js	0.00% <ø> (ø)
.../src/containers/InputModalStepperProvider/index.js	0.00% <0.00%> (ø)
...-upload/admin/src/containers/ModalStepper/index.js	0.00% <ø> (ø)
...rapi-plugin-upload/admin/src/translations/index.js	0.00% <0.00%> (ø)
packages/strapi-plugin-upload/services/Upload.js	15.75% <0.00%> (-0.45%)	⬇️
... and 20 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 7a45bde...c37df67. Read the comment docs.

[alexandrebodin]

Last comment :)

[derrickmehaffy]

Docs look fine to me

[dalbitresb12]

Hi @Convly, I was looking at the files that were changed with this PR and I saw something strange.

strapi/packages/strapi-utils/lib/__tests__/sanitize-entity.test.js

Lines 38 to 43 in dbfde36

	const userModel = {
	primaryKey: 'id',
	options: {
	timestamps: ['created_at', 'updated_at'],
	},
	privateAttributes: ['email'],

Correct me if I'm wrong, but I thought the privateAttributes option was supposed to be inside the options. This also happens in some other parts of that same test file.

strapi/packages/strapi-utils/lib/__tests__/sanitize-entity.test.js

Lines 82 to 87 in dbfde36

	const articleModel = {
	primaryKey: 'id',
	options: {
	timestamps: ['created_at', 'updated_at'],
	},
	privateAttributes: ['secret'],

strapi/packages/strapi-utils/lib/__tests__/sanitize-entity.test.js

Lines 206 to 213 in dbfde36

	const model = {
	...models.user,
	options: {
	...models.user.options,
	privateAttributes: ['firstname'],
	},
	privateAttributes: [].concat(models.user.privateAttributes, ['firstname'], ['id']),
	};

Is there something I'm missing here?

[Convly]

Hello @dalbitresb12

The privateAttributes is indeed an option in the model schema.
However this is not the only place where we use this notion.
Starting from this PR, we also introduce a privateAttributes in the mounted model's definition (strapi.models[modelName].privateAttributes) which will run the getPrivateAttributes computation once for all instead of each time we want to check if an attribute is private.
This attribute is created in the mount-model (eg: here) process in every connector using the getPrivateAttributes utility to calculate the value (using config.api.response.privateAttributes + model.options.privateAttributes + attributes.filter(isPrivate)).

In the tests, we simulate the result of the mount-model operation and attach it to the object. (so that the model.privateAttributes should be equal to model.options.privateAttributes + global privateAttributes (hardcoded at this level) + model attributes with private=true

[dalbitresb12]

Oh, so this is just a calculated value that Strapi uses internally? It is not one that us as developers should add manually?

[Convly]

Exactly 🙂

[dalbitresb12]

That's actually great. Thank you for clarifying this. 😄

[lauriejim]

This pull request has been mentioned on Strapi Community. There might be relevant details there:

https://forum.strapi.io/t/new-release-strapi-v3-1-7/256/1