search

formio / formio.js

JavaScript powered Forms with JSON Form Builder
https://formio.github.io/formio.js
MIT License
1.83k stars 1.04k forks source link

Protected Data Fields are rendered via Populate. #5562

Open tkalmar opened 2 months ago

tkalmar commented 2 months ago

Describe the bug

Protected Components should not be rendered in GET Requests (like Password). But when i use:

https://formio.form.io/user/login?populate=owner

i clearly see the password field of the owner

Version/Branch Latest

To Reproduce Steps to reproduce the behavior: call: https://formio.form.io/user/login?populate=owner the owner property gets populated including protected fields.

Expected behavior protected fields are not populated

Screenshots image

Additional context Similar Bug was https://github.com/formio/formio.js/issues/531 but marked as closed

lane-formio commented 2 months ago

Thanks for reporting this. We will investigate this further.

For internal reference I have created a ticket: FIO-8231