Document the permission required to access url_alias data

[arithmetric]

Feature request

Summary

It would be helpful to clarify that the Webtools Url-Alias Find permission is required for content items in Strapi API responses to include the url_alias field.

See:

Why is it needed?

For my use case, I thought I only needed the Router permission, because I want the client to lookup content by the URL alias field, but I don't want the client to be able to do a find all request for URL aliases. However I found that without the Find permission, the url_alias field in API responses was removed by the removeRestrictedRelations sanitizer because the API user did not have the find scope.

Suggested solution(s)

I'd suggest explaining the permissions in the README and also if possible on the Strapi admin Roles page.

Also, I'd suggest considering creating a separate permission from Find so that a client can get url_alias data for the content being loaded, but not query all URL aliases.

Related issue(s)/PR(s)

Let me know if you'd like me to create a PR for any of the suggested solutions.

[boazpoolman]

Hi @arithmetric,

Thank you for raising this issue!

It's common practice in Strapi to have the find permission of a content type grant access to populate content of that type in the API responses. That being said, I do understand the confusion here! We will update the documentation for this shortly.