If a game/tag is shared with a user (or publicly), the owner's complete model is accessible too using include=owner. Right now this is only the email address but in the future there might be more sensitive information.
Too fix such problems permanently, I propose to authorize every include request using policies.
If a game/tag is shared with a user (or publicly), the owner's complete model is accessible too using include=owner. Right now this is only the email address but in the future there might be more sensitive information.
Too fix such problems permanently, I propose to authorize every include request using policies.