strapi · alexandrebodin · Oct 1, 2020 · Sep 24, 2020 · Sep 25, 2020 · Sep 25, 2020
diff --git a/docs/v3.x/concepts/models.md b/docs/v3.x/concepts/models.md
@@ -166,13 +166,16 @@ The options key on the model-json states.
 
 - `privateAttributes`: This configuration allows to treat a set of attributes as private, even if they're not actually defined as attributes in the model. Accepts an `Array` of strings. It could be used to remove from API responses timestamps or `_v` when using MongoDB. The set of `privateAttributes` defined in the model are merged with the `privateAttributes` defined in the global Strapi configuration.
 
+- `populateCreatorFields`: Configure whether the API response should include `created_by` and `updated_by` fields or not. Accepts a `boolean`. The default value is `false`.
+
 **Path —** `User.settings.json`.
 
 ```json
 {
   "options": {
     "timestamps": true,
-    "privateAttributes": ["id", "created_at"]
+    "privateAttributes": ["id", "created_at"],
+    "populateCreatorFields": true
   }
 }
 ```
@@ -461,7 +464,7 @@ xhr.send(
 
 ::: tab "Polymorphic" id="polymorphic"
 
-Polymorphic relationships are the solution when you don't know which kind of model will be associated to your entry, or when you want to connect different types of models to a model. 
+Polymorphic relationships are the solution when you don't know which kind of model will be associated to your entry, or when you want to connect different types of models to a model.
 A common use case is an `Image` model that can be associated to different types of models (Article, Product, User, etc.).
 
 #### Single vs Many

diff --git a/packages/strapi-admin/services/__tests__/permissions-manager.test.js b/packages/strapi-admin/services/__tests__/permissions-manager.test.js
@@ -74,6 +74,7 @@ describe('Permissions Manager', () => {
     global.strapi = {
       getModel() {
         return {
+          privateAttributes: [],
           attributes: {
             title: {
               type: 'text',

diff --git a/packages/strapi-admin/services/permission/permissions-manager/index.js b/packages/strapi-admin/services/permission/permissions-manager/index.js
@@ -43,7 +43,7 @@ module.exports = (ability, action, model) => ({
     } = options;
 
     if (_.isArray(data)) {
-      return data.map(this.sanitize.bind(this));
+      return data.map(entity => this.sanitize(entity, { action, withPrivate, isOutput }));
     }
 
     const permittedFields = permittedFieldsOf(ability, actionOverride, subject);

diff --git a/packages/strapi-admin/test/admin-role.test.e2e.js b/packages/strapi-admin/test/admin-role.test.e2e.js
@@ -6,6 +6,7 @@ const { registerAndLogin } = require('../../../test/helpers/auth');
 const { createAuthRequest } = require('../../../test/helpers/request');
 
 const edition = process.env.STRAPI_DISABLE_EE === 'true' ? 'CE' : 'EE';
+const sortPermissionArray = arr => _.sortBy(arr, ['action', 'subject']);
 
 let rq;
 
@@ -661,8 +662,10 @@ describe('Role CRUD End to End', () => {
 
         expect(res.statusCode).toBe(200);
         expect(res.body.data.length > 0).toBe(true);
-        expect(res.body.data).toMatchObject(
-          permissions.map(perm => ({ subject: null, fields: null, conditions: [], ...perm }))
+        expect(sortPermissionArray(res.body.data)).toMatchObject(
+          sortPermissionArray(
+            permissions.map(perm => ({ subject: null, fields: null, conditions: [], ...perm }))
+          )
         );
       });
 

diff --git a/packages/strapi-connector-bookshelf/lib/mount-models.js b/packages/strapi-connector-bookshelf/lib/mount-models.js
@@ -2,7 +2,7 @@
 const _ = require('lodash');
 const { singular } = require('pluralize');
 
-const utilsModels = require('strapi-utils').models;
+const { models: utilsModels, contentTypes } = require('strapi-utils');
 const relations = require('./relations');
 const buildDatabaseSchema = require('./build-database-schema');
 const {
@@ -115,15 +115,19 @@ module.exports = ({ models, target }, ctx) => {
       GLOBALS,
     });
 
+    const isPrivate = !_.get(definition, 'options.populateCreatorFields', false);
+
     if (!definition.uid.startsWith('strapi::') && definition.modelType !== 'component') {
       definition.attributes['created_by'] = {
         model: 'user',
         plugin: 'admin',
+        private: isPrivate,
       };
 
       definition.attributes['updated_by'] = {
         model: 'user',
         plugin: 'admin',
+        private: isPrivate,
       };
     }
 
@@ -609,6 +613,8 @@ module.exports = ({ models, target }, ctx) => {
       target[model].updateRelations = relations.update;
       target[model].deleteRelations = relations.deleteRelations;
 
+      target[model].privateAttributes = contentTypes.getPrivateAttributes(target[model]);
+
       await buildDatabaseSchema({
         ORM,
         definition,

diff --git a/packages/strapi-connector-mongoose/lib/mount-models.js b/packages/strapi-connector-mongoose/lib/mount-models.js
@@ -3,7 +3,7 @@
 const _ = require('lodash');
 const mongoose = require('mongoose');
 
-const utilsModels = require('strapi-utils').models;
+const { models: utilsModels, contentTypes } = require('strapi-utils');
 const utils = require('./utils');
 const relations = require('./relations');
 const { findComponentByGlobalId } = require('./utils/helpers');
@@ -27,15 +27,19 @@ module.exports = ({ models, target }, ctx) => {
       primaryKeyType: 'string',
     });
 
+    const isPrivate = !_.get(definition, 'options.populateCreatorFields', false);
+
     if (!definition.uid.startsWith('strapi::') && definition.modelType !== 'component') {
       definition.attributes['created_by'] = {
         model: 'user',
         plugin: 'admin',
+        private: isPrivate,
       };
 
       definition.attributes['updated_by'] = {
         model: 'user',
         plugin: 'admin',
+        private: isPrivate,
       };
     }
 
@@ -128,7 +132,7 @@ module.exports = ({ models, target }, ctx) => {
 
     target[model].allAttributes = _.clone(definition.attributes);
 
-    // Use provided timestamps if the elemnets in the array are string else use default.
+    // Use provided timestamps if the elements in the array are string else use default.
     const timestampsOption = _.get(definition, 'options.timestamps', true);
     if (_.isArray(timestampsOption)) {
       const [createAtCol = 'createdAt', updatedAtCol = 'updatedAt'] = timestampsOption;
@@ -269,6 +273,8 @@ module.exports = ({ models, target }, ctx) => {
     target[model]._attributes = definition.attributes;
     target[model].updateRelations = relations.update;
     target[model].deleteRelations = relations.deleteRelations;
+
+    target[model].privateAttributes = contentTypes.getPrivateAttributes(target[model]);
   }
 
   // Parse every authenticated model.