Skip to main content

The Users & Permissions plugin's register.allowedFields configuration option defaults to []

In Strapi 5, the Users & Permissions plugin's register.allowedFields configuration option defaults to [].

This page is part of the breaking changes database and provides information about the breaking change and additional instructions to migrate from Strapi v4 to Strapi 5.

 Is this breaking change affecting plugins?No
 Is this breaking change automatically handled by a codemod?Yes
(see use-uid-for-config-namespace)

Breaking change description

In Strapi v4

Any new fields added to the User content type would be accepted by the registration form by default, and Strapi would warn about each field on startup.

The users have the option to set users-permissions.register.allowedFields in the config/plugins.js file to an array of the fields they wanted to accept on their registration endpoint. For example, [’picture’] to accept a picture attribute on registration. Or an empty array [] if they do not want to accept anything else.

However, if users did not set any value, that is, when allowedFields is undefined, all user fields are accepted.

In Strapi 5

An undefined allowedFields is treated as an empty array, and no fields are accepted by default. Users must explicitly choose to allow extra fields on registration.

Migration

This section regroups useful notes and procedures about the introduced breaking change.

Manual procedure

A codemod should handle this migration. If not, please refer to the documentation on how to register allowed fields for the Users & Permissions plugin.

How it works in Strapi 5

The fields username, email, and password are always accepted by the registration endpoint -- they are hardcoded as alwaysAllowedKeys in the Users & Permissions plugin source. Any other field on the User content-type must be explicitly listed in allowedFields or the request will be rejected with a 400 status and an error message like "Invalid parameters: fieldName".

To allow additional fields on registration, update your plugin configuration:

config/plugins.js
module.exports = {
  'users-permissions': {
    config: {
      register: {
        allowedFields: ['firstName', 'lastName'],
      },
    },
  },
};

If you relied on the Strapi v4 behavior (all fields accepted by default), list every extra field in allowedFields. Fields not listed will be silently dropped or rejected.

Contribute to this page