search

cult-of-coders / grapher

Grapher: Meteor Collection Joins + Reactive GraphQL like queries
https://atmospherejs.com/cultofcoders/grapher
MIT License
275 stars 53 forks source link

Result include `text` field, but should not #413

Open MaxmaxmaximusGitHub opened 4 years ago

MaxmaxmaximusGitHub commented 4 years ago

This query fetch non include text field:

Messages.createQuery('messages', {
  text: 0
})

But this query fetch include text field:

Messages.createQuery('messages', {

  text: 0

  $filters: {
    text: {$ne: 'lol'}
  }

})

Result include text field, but should not. I just use filter, i not want send text field to users.

Example:

Users.createQuery('messages', {

  $filters: {
    pass: {$exists: true}
  }

})

This query not sould incluse pass field, i just FILTER by pass field. This is a very dangerous bug, and extremely unreasonable behavior. Your documentation DIRECTLY SAY: we are obliged to list all fields explicitly. Here I did not list the pass field, but it will get to the user in the browser. moreover, even if I specify pass: 0, the password will still go to the user browser.