Customize users API to hide sensitive information from Contributor role

[sidemt]

We should customize the API so that Contributors shouldn't be able to get sensitive information (such as emails) of other Contributors.

Background of the issue: #133

[sidemt]

I want to filter out email and username fields in the response of GET /users endpoint.

First I thought of overriding the default controller action, something like what I have done here:

publish/publish-backend/src/api/post/controllers/post.js

Line 17 in a27fc5e

async create(ctx) {

But the difficulty is, GET /users endpoint is provided by users-permissions plugin so it's different from other core controllers such as post and tag.

I'm now looking into these approaches (haven't been successful yet):

• Extending a plugin's interface in this doc:
  https://docs.strapi.io/dev-docs/plugins-extension
• Using middleware:
  https://stackoverflow.com/questions/75390415/private-strapi-data-for-current-user/75447871#75447871

[sidemt]

What I have found so far:

• default users-permissions plugin

  • can enable/disable each endpoint (action)
    • but if you disable /users endpoint, it also disables populate of the user data in other endpoints (e.g. /posts?populate[0]=author)
  • cannot enable/disable each field
  • can set different rule for each role
  • can set rule for API token access
  • cannot set isOwn rule

• protected-populate plugin

  • can enable/disable each field
  • can set different rule for each role
  • cannot set rule for API token access
  • cannot set isOwn rule