Improved protection of user data

We have now improved the security of user data.

What has changed?

When returning the User object, the following API endpoints

• GET /users
• GET /users/{id}
• POST /users
• PUT /users/{id}

will have all fields except for id, name and email set to null if the user is unverified in the company (which is always the case for the POST /users endpoint).

This also affects endpoints of other entities such as Deals, Persons, Organizations, Notes, etc., which may contain related User objects.

Who is affected?

Anyone with functionality built on top of the previous behaviour, for example: anyone who strictly relies on the values in the response of the aforementioned endpoints and related webhooks.

The list of affected fields in User endpoints:

• phone: string
• created: string (date)
• modified: string (date)
• default_currency: string
• locale: string
• lang: int
• timezone_name: string
• timezone_offset: string
• signup_flow_variation: string
• icon_url: string

The field lang will return the default value of 1.

Published on July 14, 2020