[IMPLEMENTED] Provide some request context - Script to remove field from response if GET request has no id param

CK-LaGgY · October 25, 2023, 12:31pm

I have…

[ x ] Read the following guideline: Troubleshooting and Support | Squidex. I understand that my support request might get deleted if I do not follow the guideline.
[ x ] Used code blocks with ``` to format my code examples like JSON or logs properly.

I’m submitting a…

[ x ] Documentation issue or request

Current behavior

The main idea is to stop bad actors from collecting information in bulk.
/api/content/<appName>/schemaA?fields=question,answer
bad actor could just remove the params and have access to all data.

Expected behavior

We want to only return certain fields when a GET request is done.

The client site makes a GET request to: /api/content/<appName>/schemaA
We want to hide a field, lets say the category field from being returned in the batch.

Another GET Request with id is done but it should return the full object from the schema:
/api/content/<appName>/schemaA?q={filter... || /api/content/<appName>/schemaA/{id}

We aren’t too sure how to achieve this with Scripts or Field Rules?
Schema > <schemaA> > scripts
or
Schema > <schemaA> > more > field rules
or is there another way ?

Minimal reproduction of the problem

Environment

App Name:

Self hosted with docker
Self hosted with IIS
[ X ] Self hosted with other version
Cloud version

Version: [7.5]

Browser:

Chrome (desktop)
Chrome (Android)
Chrome (iOS)
Firefox
Safari (desktop)
Safari (iOS)
IE
Edge

Others:

Example:

"SchemaA": {
  "fields": [{
    "name": "question",
    "properties": { ... },
    "isLocked": false,
    "isHidden": false,
    "isDisabled": false,
    "partitioning": "invariant"
  }, {
    "name": "category",
    "properties": { ... },
    "isLocked": false,
    "isHidden": false,
    "isDisabled": false,
    "partitioning": "invariant"
  }, {
    "name": "answer",
    "properties": { ... },
    "isLocked": false,
    "isHidden": false,
    "isDisabled": false,
    "partitioning": "invariant"
  }],
}

/schemaA
example of returned object:

{
  "total": 19,
  "items": [{
    "id": "abc",
    "data": {
      "question": {"iv": "1?"},
      "category": {"iv": ["e308"]},//<-- should be hidden/removed from response
      "answer": {"iv": "abc"}
    },
    ...
  }, {
  "id": "def",
    "data": {
      "question": {"iv": "2?"},
      "category": {"iv": ["e302"]},//<-- should be hidden/removed from response
      "answer": {"iv": "def"}
    },
    ...
  }]

/schemaA/def

{
  "id": "def",
    "data": {
      "question": {"iv": "2?"},
      "category": {"iv": ["e302"]},
      "answer": {"iv": "def"}
    },
    ...
  }

Sebastian · October 25, 2023, 12:43pm

Is your field list static? If this is the case, you could just remove the list from the response in a query script. Just use a normal delete.

delete ctx.data.myProtectedField;
replace();

CK-LaGgY · October 25, 2023, 1:02pm

Yes, it is static, Thanks but this removes the field in both requests
GET:
/schemaA (should be removed)
/schemaA/{id} (should not be removed)

Sebastian · October 25, 2023, 1:23pm

Right now there is no solution for that.

Sebastian · October 25, 2023, 1:35pm

I would change it to a feature request …