Comments (4)
Hey @mckinley — this is an interesting find. We do indeed restrict querying on fields unless you have public access to the field because this prevents security vulnerabilities. But I guess that if field queries are passed via access control, querying on those fields does not present a security vuln because your backend code is what's responsible for filtering on them and you define them.
It's possible that we could resolve this. @kendelljoseph let's look into this!
from payload.
@mckinley we've dug into this a bit and here is what we're thinking.
We don't want to introduce any security risks by adding a flag that would allow for a field that is hidden to behave differently via the API and the local API. Any flag that partially changes access behavior is too subtle and could have catastrophic behaviors.
Options we think could be used as an alternative to this approach:
- use an afterRead hook.
- the `doc` is available in the `read` access function where data can be passed and used by the to determine access conditions.
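The two alternatives named in the comment above, sketched as an added example (not code from the Payload maintainers or from this thread). It assumes field-level `access.read` and `hooks.afterRead` functions; the field names and the `applyFieldReads` harness are hypothetical and only imitate a read so the snippet runs without Payload installed.

```javascript
// Field configs in the shape Payload uses for field-level access and hooks.
// Field names are assumptions made for this example.
const fields = [
  { name: 'title', type: 'text' },
  { name: 'owner', type: 'text' },
  {
    name: 'internalNotes',
    type: 'textarea',
    access: {
      // Alternative 2: decide per document, using the `doc` passed to `read`.
      read: ({ req, doc }) => Boolean(req.user) && doc.owner === req.user.id,
    },
  },
  {
    name: 'email',
    type: 'email',
    hooks: {
      // Alternative 1: keep the field readable, mask its value after the read.
      afterRead: [
        ({ value, req }) =>
          req.user || typeof value !== 'string' ? value : value.replace(/^[^@]+/, '***'),
      ],
    },
  },
];

// Constructed stand-in for the framework's read path (not Payload code).
function applyFieldReads(fieldConfigs, doc, req) {
  const out = {};
  for (const field of fieldConfigs) {
    if (!(field.name in doc)) continue;
    const canRead = field.access?.read ? field.access.read({ req, doc }) : true;
    if (!canRead) continue; // denied fields are omitted from the response
    let value = doc[field.name];
    for (const hook of field.hooks?.afterRead ?? []) {
      value = hook({ value, req, originalDoc: doc });
    }
    out[field.name] = value;
  }
  return out;
}

// Constructed sample document and requests.
const stored = { title: 'Q3 plan', owner: 'u1', internalNotes: 'draft', email: 'ann@example.com' };
const asOwner = applyFieldReads(fields, stored, { user: { id: 'u1' } });
const asAnon = applyFieldReads(fields, stored, { user: null });
console.log(asOwner, asAnon);
```

Both functions run on the server for every read, so the decision stays in backend code regardless of which API the request came through.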
Thanks so much @kendelljoseph. Ok, I had put my payload project on hold for a bit, but when I jump back in I'll continue to see if there is anything I can do to work around the problem.
Thanks again!
This issue has been automatically locked.
Please open a new issue if this issue persists with any additional detail.