Improved protection of user data

We have now improved the security of user data.

What has changed?

When returning the User object, the following API endpoints

• GET /users
• GET /users/{id}
• POST /users
• PUT /users/{id}

  <p>will have all fields except for <code>id</code>, <code>name</code> and <code>email</code> set to <code>null</code>  if the user is unverified in the company (which is always the case for the <code>POST /users</code> endpoint).</p>
  
  <p>This also affects endpoints of other entities such as Deals, Persons, Organizations, Notes, etc., which may contain related User objects.</p>
  
  <p><b>Who is affected?</b></p>
  <p>Anyone with functionality built on top of the previous behaviour, for example: anyone who strictly relies on the values in the response of the aforementioned endpoints and related webhooks.</p>
  
  <p>The list of affected fields in <code>User</code> endpoints:</p>

• phone: string
• created: string (date)
• modified: string (date)
• default_currency: string
• locale: string
• lang: int
• timezone_name: string
• timezone_offset: string
• signup_flow_variation: string
• icon_url: string

The field lang will return the default value of 1.

Published on July 14, 2020