An attacker was able to use a `field_id` from a "secret" field
and use if on any even the default public select2 view and
receive the data without authentication.