Currently the plugin bypasses the permission checks of the users-permissions plugin.
To reproduce the fix, disable a content type's permissions for the public role. It won't be available through Strapi's /api/:contentType route anymore. But you can still access it on the /api/slugify/slugs/:modelName/:slug route, which is a security issue.
To fix it, I added auth information when sanitizing the response. It's what we do on our content API.
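An added regression check for the behaviour described above (not code from the plugin or from this pull request): it flags any content type that the content API denies to an unauthenticated caller while the slug route still serves its data. The `request` adapter, the `{ status, body }` shape, the 401/403 denial codes, the `{ data }` response envelope, and the stub servers and target names are assumptions constructed for the example.

```javascript
// Permission-parity check between /api/:contentType and
// /api/slugify/slugs/:modelName/:slug for an unauthenticated (public) caller.
// `request` is an assumed adapter: async (path) => ({ status, body }).
async function checkPermissionParity(request, targets) {
  const findings = [];
  for (const { contentType, modelName, slug } of targets) {
    const api = await request(`/api/${contentType}`);
    const viaSlug = await request(`/api/slugify/slugs/${modelName}/${slug}`);
    // Assumption: a denied public request is answered with 401 or 403.
    const apiDenied = api.status === 401 || api.status === 403;
    // Assumption: a served entry arrives as a 2xx with a non-null `data` field.
    const slugServed = viaSlug.status >= 200 && viaSlug.status < 300 &&
      viaSlug.body != null && viaSlug.body.data != null;
    if (apiDenied && slugServed) {
      findings.push({ modelName, slug, apiStatus: api.status, slugStatus: viaSlug.status });
    }
  }
  return findings;
}

// Constructed stub standing in for a server, so the check runs offline.
// publicCanFind: whether the public role may read the content type.
// slugRouteChecksAuth: whether the slug route honours that permission.
function makeStubServer({ publicCanFind, slugRouteChecksAuth }) {
  const entry = { data: { id: 1, attributes: { slug: 'hello-world' } } };
  return async (path) => {
    const isSlugRoute = path.startsWith('/api/slugify/slugs/');
    const allowed = publicCanFind || (isSlugRoute && !slugRouteChecksAuth);
    return allowed ? { status: 200, body: entry } : { status: 403, body: null };
  };
}

// Constructed target: content API route name, model name, and a known slug.
const TARGETS = [{ contentType: 'articles', modelName: 'article', slug: 'hello-world' }];

async function demo() {
  const denied = { publicCanFind: false };
  const before = await checkPermissionParity(
    makeStubServer({ ...denied, slugRouteChecksAuth: false }), TARGETS);
  const after = await checkPermissionParity(
    makeStubServer({ ...denied, slugRouteChecksAuth: true }), TARGETS);
  return { before, after };
}
```

Against a real instance, pass an adapter that issues the request without an Authorization header and returns the status and parsed body; an empty result means the two routes agree.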