Request — Stop silently removing relations when auth fails and I specifically request the relation.
Intended for V5
Strapi should give an error and tell you that you don't have authorization to view content-type X only when you specifically requested it. On the API layer, if I make a request but request data I don't have auth for, Strapi's sanitization just removes it and does not error.
Examples of what is not specific:
{populate: "*" }
Examples of what is specific:
{ populate: ["relationName"] }
{ populate: ["otherrelation.relationName"] }
{ populate: { relationName: true } }
If I tell Strapi to populate a specific relationship, I want a ForbiddenError by default if I don't have permissions.
WHY: I want this since lots of beginning and even veteran Strapi users get stuck for hours, since Strapi removes their relationship without us being able to see why.
Cc @innerdvations / @Convly: since we discussed this last time, you already know this is what I suggested as well.
Yes, we will definitely add this in v5. The only reason it did not start validating in v4 with the other params is because it works a bit differently and didn't cause the same security issues, so we didn't want to make an "unnecessary" breaking change.
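The behaviour requested in this thread, sketched as an added example (not Strapi's code and not written by either poster): a wildcard populate silently drops unreadable relations, while an explicitly named relation the caller cannot read raises a ForbiddenError. The `RELATIONS` map, `resolvePopulate` and the `canRead` callback are hypothetical names, and only the populate forms listed in the request are handled.

```javascript
// Added illustration; not Strapi code. All names here are hypothetical.
class ForbiddenError extends Error {
  constructor(message) {
    super(message);
    this.name = "ForbiddenError";
  }
}

// Constructed sample schema: content type -> relation name -> target content type.
const RELATIONS = {
  article: { author: "user", category: "category" },
  user: { role: "role" },
  category: {},
  role: {},
};

// Normalise the explicit populate forms from the request into dotted paths.
function explicitPaths(populate) {
  if (typeof populate === "string") return [populate];
  if (Array.isArray(populate)) return populate;
  return Object.keys(populate).filter((key) => populate[key]);
}

// canRead(contentType) -> boolean stands in for the caller's permission check (assumed).
function resolvePopulate(rootType, populate, canRead) {
  const relations = RELATIONS[rootType] || {};
  if (populate === "*") {
    // Not specific: keep only readable relations and drop the rest without an error.
    return Object.keys(relations).filter((name) => canRead(relations[name]));
  }
  // Specific: every segment of every requested path must be readable.
  for (const path of explicitPaths(populate)) {
    let type = rootType;
    for (const segment of path.split(".")) {
      const target = (RELATIONS[type] || {})[segment];
      if (target === undefined) {
        throw new Error(`Unknown relation "${segment}" on ${type}`);
      }
      if (!canRead(target)) {
        throw new ForbiddenError(
          `No permission to read "${target}" (requested via populate "${path}")`
        );
      }
      type = target;
    }
  }
  return explicitPaths(populate);
}
```

The error message names both the content type and the populate path, which is the information the request says is missing when a relation is stripped silently.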