Closed Boegie19 closed 1 month ago
Cc @innerdvations / @Convly since we discussed this last time you already know this is what I suggested as well.
Yes, we will definitely add this in v5. The only reason it did not start validating in v4 with the other params is because it works a bit differently and didn't cause the same security issues, so we didn't want to make an "unnecessary" breaking change.
Intended for V5
Strapi should give an error and tell you that you don't have authorization to view content-type X only when you specifically requested it. On the API layer, if I make a request but I request data I don't have auth for, Strapi's sanitization just removes it and does not error.
Examples of what is not specific
Examples of what is specific:
If I tell Strapi to populate a specific relationship, I want a ForbiddenError by default if I don't have permissions.
WHY: I want this since lots of beginning and even veteran Strapi users get stuck for hours since Strapi removes their relationship without us being able to see why.
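
The two behaviours discussed in this thread, silently sanitizing a populate request versus validating it and failing with a ForbiddenError, as an added example that is not Strapi's code and not written by anyone in the thread. The schema, the permission set and every function name here are hypothetical.

```javascript
// Added illustration, not Strapi's implementation. All names and data are hypothetical.
class ForbiddenError extends Error {
  constructor(message, details) {
    super(message);
    this.name = 'ForbiddenError';
    this.details = details;
  }
}

// Constructed sample model: relation name -> target content type.
const schema = {
  article: { author: 'user', category: 'category' },
  user: { company: 'company' },
  category: {},
  company: {},
};

// Constructed sample: content types the caller's role may read.
const readable = new Set(['article', 'category', 'user']);

// Walk a dotted populate path; return the first content type the caller
// cannot read, or null if every hop is allowed.
function firstDenied(rootType, path) {
  let type = rootType;
  for (const relation of path.split('.')) {
    const target = (schema[type] || {})[relation];
    if (target === undefined) throw new Error(`Unknown relation "${relation}" on "${type}"`);
    if (!readable.has(target)) return target;
    type = target;
  }
  return null;
}

// Sanitize: drop unreadable paths without telling the caller why.
function sanitizePopulate(rootType, paths) {
  return paths.filter((p) => firstDenied(rootType, p) === null);
}

// Validate: reject the request and name the path and content type.
function validatePopulate(rootType, paths) {
  for (const p of paths) {
    const denied = firstDenied(rootType, p);
    if (denied !== null) {
      throw new ForbiddenError(`Not allowed to populate "${p}"`, { path: p, contentType: denied });
    }
  }
  return paths;
}
```

With the sanitizing variant the response simply lacks the relation; with the validating variant the error details say which path and content type were refused.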