Datasource projection is not respected for POST requests

[Kobzol]

Expected Behavior

When I specify a datasource with a projection on a domain, I expect that it would also be respected for inserting new items (POST requests).

I have an endpoint for users and I don't want to return one of their attributes (password) after a POST request that creates a new user. With bandwidth saver it wouldn't be returned, however I'm using BANDWIDTH_SAVER = False globally and thus Eve returns the attribute, even though it's not whitelisted in the datasource projection.

My scenario could be solved by allowing to set BANDWIDTH_SAVER per each endpoint individually, however I think that the datasource projection should be respected in POST requests.

BANDWIDTH_SAVER = False

'users': {
        'schema': user_schema,
        'resource_methods': ['GET', 'POST'],
        'authentication': AdminAuthenticator,
        'datasource': {
            'projection': {
                'username': 1
            }
        }
    }

POST /users returns { _id: ..., username: ..., password: ... }
GET /users doesn't return the password attribute (that is the correct behaviour)

Actual Behavior

The password field is returned after a POST request.

Environment

• Python version: 3.6.5
• Eve version: 0.8.1

[nicolaiarocci]

Yes, I agree, that would be ideal.

For the time being, you can probably circumvent the issue by resorting to a post-insert event hook in which you strip the password field before the response is returned to the client.

[Kobzol]

Thanks, I resorted to that. If you could give me a pointer on where the datasource is applied, I could try to add this feature and send a PR.

[nicolaiarocci]

Should be fixed now.