
Comments (4)

jmikrut commented on September 27, 2024

Hey @mckinley — this is an interesting find. We do indeed restrict querying on fields unless you have public access to the field because this prevents security vulnerabilities. But I guess that if field queries are passed via access control, querying on those fields does not present a security vuln because your backend code is what's responsible for filtering on them and you define them.

It's possible that we could resolve this. @kendelljoseph let's look into this!

from payload.

kendelljoseph commented on September 27, 2024

@mckinley we've dug into this a bit and here is what we're thinking.

We don't want to introduce any security risks by adding a flag that would allow for a field that is hidden to behave differently via the API and the local API. Any flag that partially changes access behavior is too subtle and could have catastrophic behaviors.

Options we think could be used as an alternative to this approach:

  • use an afterRead hook.
  • the doc is available in the read access function, where data can be passed and used to determine access conditions.

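The two workarounds suggested above, together with the server-side query constraint jmikrut describes in the first comment, as an added TypeScript example that is not Payload's own code. The `User`, `AccessArgs` and `AfterReadArgs` types are local approximations of the shapes Payload passes to access functions and hooks, the `Orders` config and its `fields` are illustrative, `findOrders` is a constructed stand-in for the server's read path, and the order records are constructed sample data.

```typescript
// Added example, not Payload's own code. The types below are local
// approximations of the argument shapes Payload passes to access functions
// and hooks; findOrders() is a constructed stand-in for the server read path.

type User = { id: string; roles: string[] } | null;
type Where = Record<string, { equals: unknown }>;
type AccessArgs = { req: { user: User } };
type AccessResult = boolean | Where;
type AfterReadArgs<T> = { doc: T; req: { user: User } };

type Order = { id: string; customer: string; total: number; internalNotes?: string };

// access.read: admins read everything, a customer is constrained to their own
// orders, anonymous callers read nothing. Returning a Where object makes the
// server apply the filter itself, so the client never needs query access to
// the `customer` field and cannot probe it from the outside.
export function readOrders({ req: { user } }: AccessArgs): AccessResult {
  if (!user) return false;
  if (user.roles.includes('admin')) return true;
  return { customer: { equals: user.id } };
}

// afterRead hook: the hook sees the full doc and the requesting user, so it can
// redact internalNotes per request without changing the field's access rules.
export function redactInternalNotes({ doc, req: { user } }: AfterReadArgs<Order>): Order {
  if (user && user.roles.includes('admin')) return doc;
  const copy = { ...doc };
  delete copy.internalNotes;
  return copy;
}

// Collection config in the general shape of a Payload CollectionConfig
// (assumed here; the field definitions are illustrative only).
export const Orders = {
  slug: 'orders',
  access: { read: readOrders },
  hooks: { afterRead: [redactInternalNotes] },
  fields: [
    { name: 'customer', type: 'relationship', relationTo: 'users' },
    { name: 'total', type: 'number' },
    { name: 'internalNotes', type: 'textarea', admin: { hidden: true } },
  ],
};

// Constructed sample records, not real data.
const orders: Order[] = [
  { id: 'o1', customer: 'u1', total: 10, internalNotes: 'flagged for review' },
  { id: 'o2', customer: 'u2', total: 20 },
];

// Apply a Where constraint of the `{ field: { equals } }` form to one record.
function matches(doc: Order, where: Where): boolean {
  const record: Record<string, unknown> = doc;
  return Object.entries(where).every(([field, cond]) => record[field] === cond.equals);
}

// Stand-in for the server read path: evaluate access, apply any returned
// constraint as a query filter, then run the afterRead hooks on each result.
export function findOrders(user: User): Order[] {
  const access = Orders.access.read({ req: { user } });
  let visible: Order[];
  if (access === false) {
    visible = [];
  } else if (access === true) {
    visible = orders;
  } else {
    const where: Where = access;
    visible = orders.filter((doc) => matches(doc, where));
  }
  return Orders.hooks.afterRead.reduce(
    (docs, hook) => docs.map((doc) => hook({ doc, req: { user } })),
    visible,
  );
}
```

The point of returning a constraint from `read` rather than exposing the field to client queries is that the filter is chosen by backend code from the authenticated user, so a caller cannot vary it; the `afterRead` hook then handles per-request redaction of a field whose access rules stay unchanged.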

mckinley commented on September 27, 2024

Thanks so much @kendelljoseph. OK, I had put my Payload project on hold for a bit, but when I jump back in I'll continue to see if there is anything I can do to work around the problem.

Thanks again!


github-actions commented on September 27, 2024

This issue has been automatically locked.
Please open a new issue if this issue persists with any additional detail.

