Description
Prerequisites
- I have written a descriptive issue title
- I have searched existing issues to ensure the feature has not already been requested
🚀 Feature Proposal
We all know what `select: false` and `sanitizeProjection` do. For certain query operations like find(), findById(), or findOne(), I, as a developer, want to ensure that no sensitive data is queried. I intend to disable the inclusion of such fields explicitly, even when attempting to retrieve them using syntax like find({}, '+password') or through population like .populate({ path: 'users', select: '+password' }). If I provide sanitizeProjection as an optional parameter, it should handle this exclusion for me.
Here we handle the projection and population from the query parameter.
Or any other suggestions?
Example:
```javascript
const { Schema, model } = require('mongoose')

const userSchema = new Schema({
  name: { type: String, required: true },
  password: { type: String, required: true, select: false }
})
const User = model('User', userSchema)

const result = await User.find({}, '+password', {
  sanitizeProjection: true
})
// At this point it returns both "name" and "password"
// The requested feature would return only "name"
```
Motivation
The motivation stems from the ongoing development of the mongoose-query-maker package, where precise control over query parameters is fundamental for filtering, pagination, selection, and population in a controlled way with proper security via query parameter. Currently we're developing v3 for this, which can make it much easier than v2.
Example
No response
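Until an option like the one requested exists, the same exclusion can be enforced in application code before a client-supplied projection or populate option reaches the query. The following is an added example, not code from the issue author or from Mongoose; the helper names and the `PROTECTED` list are hypothetical, and it assumes one list of protected paths shared by every model involved.

```javascript
// Added example. PROTECTED is a constructed stand-in for the schema's select:false paths.
const PROTECTED = ['password'];

// True when `field` is a protected path or a sub-path of one.
function isProtected(field, protectedPaths) {
  return protectedPaths.some((p) => field === p || field.startsWith(p + '.'));
}

// Remove every projection entry that would include a protected path:
// "+password" (the select:false override) and plain "password".
// Exclusions ("-password", { password: 0 }) are kept.
function sanitizeSelect(select, protectedPaths = PROTECTED) {
  if (select == null) return select;
  if (Array.isArray(select)) select = select.join(' ');
  if (typeof select === 'string') {
    return select
      .split(/\s+/)
      .filter((tok) => tok !== '')
      .filter((tok) => tok.startsWith('-') || !isProtected(tok.replace(/^\+/, ''), protectedPaths))
      .join(' ');
  }
  const out = {};
  for (const [key, val] of Object.entries(select)) {
    const isExclusion = val === 0 || val === false;
    if (isExclusion || !isProtected(key.replace(/^\+/, ''), protectedPaths)) out[key] = val;
  }
  return out;
}

// Apply the same rule to populate options, including nested populate.
function sanitizePopulate(populate, protectedPaths = PROTECTED) {
  if (Array.isArray(populate)) return populate.map((p) => sanitizePopulate(p, protectedPaths));
  if (populate === null || typeof populate !== 'object') return populate; // bare path string
  const out = { ...populate };
  if ('select' in out) out.select = sanitizeSelect(out.select, protectedPaths);
  if (out.populate) out.populate = sanitizePopulate(out.populate, protectedPaths);
  return out;
}
```

When every requested field is stripped, the result is an empty projection, which leaves the schema's `select: false` defaults in force.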