gahabeen
commented
4 years ago To fix it I've added a new branch to the factory api called proxy. The methods inside are in fact only meant to be used through UDFs as they provide specific role capacities. Proxy meaning that it proxies a usual method through a given role.
The path proxy.public.document.get gives access to a public document by its collection and id through a new role public_access. The resulting UDFs can be called by the user and public roles.
First implementation of public access added this flaw.