server/AyaNova/Controllers/UserController.cs

@@ -353,10 +353,31 @@ namespace AyaNova.Api.Controllers
                 await ct.SaveChangesAsync();
 
                 //return success and link
-                return CreatedAtAction("GetUser", new { id = o.Id }, new ApiCreatedResponse(o));
+                //NOTE: this is a USER object so we don't want to return some key fields for security reasons
+                //So the easiest way to do that is to return an anonymous object created on the fly
+                // var returnObject = new
+                // {
+                //     Id = o.Id,
+                //     ConcurrencyToken = o.ConcurrencyToken,
+                //     OwnerId = o.OwnerId,
+                //     Active = o.Active,
+                //     Name = o.Name,
+                //     Roles = o.Roles,
+                //     LocaleId = o.LocaleId,
+                //     UserType = o.UserType,
+                //     EmployeeNumber = o.EmployeeNumber,
+                //     Notes = o.Notes,
+                //     ClientId = o.ClientId,
+                //     HeadOfficeId = o.HeadOfficeId,
+                //     SubVendorId = o.SubVendorId
+                // };
+
+
+                return CreatedAtAction("GetUser", new { id = o.Id }, new ApiCreatedResponse(UserBiz.CleanUserForReturn(o)));
             }
         }
 
+        
 
 
         /// <summary>
@@ -416,7 +437,7 @@ namespace AyaNova.Api.Controllers
         {
             return ct.User.Any(e => e.Id == id);
         }
-      
+
 
         //------------
 

server/AyaNova/biz/UserBiz.cs

@@ -431,9 +431,33 @@ namespace AyaNova.Biz
         }
 
 
+        ////////////////////////////////////////////////////////////////////////////////////////////////
+        // Utilities
+        //
+        internal static object CleanUserForReturn(User o)
+        {
+            return new
+            {
+                Id = o.Id,
+                ConcurrencyToken = o.ConcurrencyToken,
+                OwnerId = o.OwnerId,
+                Active = o.Active,
+                Name = o.Name,
+                Roles = o.Roles,
+                LocaleId = o.LocaleId,
+                UserType = o.UserType,
+                EmployeeNumber = o.EmployeeNumber,
+                Notes = o.Notes,
+                ClientId = o.ClientId,
+                HeadOfficeId = o.HeadOfficeId,
+                SubVendorId = o.SubVendorId
+            };
+        }
+
+
 
         ////////////////////////////////////////////////////////////////////////////////////////////////
-        //JOB / OPERATIONS
+        // JOB / OPERATIONS
         //
         public async Task HandleJobAsync(OpsJob job)
         {