
send_only ignored on create

Open sfcgeorge opened this issue 7 years ago • 1 comments

I have a policy specifying send_only. It works as expected on fetch, execute_remote returns only the specified attributes.

But on creating a new record, execute_remote returns the full record with all attributes - ignoring send_only.

Potential security issue depending on what the other attributes are, and wastes data transfer.

sfcgeorge, Feb 09 '18 09:02

good catch... point being that if you have some before_save hook that computes some field values that should not be seen by the client they will be exposed. Is that the only case that this could happen on?

catmando, Feb 09 '18 13:02
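The gap reported in this thread, modelled in plain Ruby as an added example (not hyper-mesh code and not from either poster): a create path that skips the attribute allowlist, next to one that returns exactly what a fetch would, plus a check usable as a regression test. `SEND_ONLY`, `Record`, `STORE` and all method names are hypothetical stand-ins, and the sample records are constructed.

```ruby
require "securerandom"

# Hypothetical stand-in for a policy's send_only list (not hyper-mesh's API).
SEND_ONLY = %i[id name].freeze

# Minimal record model with a before_save-style step that computes a
# server-side field the client should never see.
class Record
  attr_reader :attributes

  def initialize(attrs)
    @attributes = attrs.dup
  end

  def save(id)
    @attributes[:id] = id
    @attributes[:api_token] = SecureRandom.hex(8) # computed at save time
    self
  end
end

STORE = {} # in-memory table, constructed for the example

# Single choke point: every response leaving the server passes through here.
def apply_send_only(record, allowed = SEND_ONLY)
  record.attributes.slice(*allowed)
end

def fetch(id)
  apply_send_only(STORE.fetch(id))
end

# Behaviour described in the issue: the create path skips the policy filter.
def create_unfiltered(attrs)
  id = STORE.size + 1
  record = STORE[id] = Record.new(attrs).save(id)
  record.attributes.dup
end

# Hardened form: create returns exactly what fetch would return.
def create_filtered(attrs)
  id = STORE.size + 1
  STORE[id] = Record.new(attrs).save(id)
  fetch(id)
end

# Regression check: keys present in a response but absent from the allowlist.
def leaked_keys(response, allowed = SEND_ONLY)
  response.keys - allowed
end
```

Asserting that `leaked_keys` is empty for every write path (create, update, destroy), not only for fetch, catches this class of regression.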