You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
When I specify a datasource with a projection on a domain, I expect that it would also be respected for inserting new items (POST requests).
I have an endpoint for users and I don't want to return one of their attributes (password) after a POST request that creates a new user. With bandwidth saver it wouldn't be returned, however I'm using BANDWIDTH_SAVER = False globally and thus Eve returns the attribute, even though it's not whitelisted in the datasource projection.
My scenario could be solved by allowing to set BANDWIDTH_SAVER per each endpoint individually, however I think that the datasource projection should be respected in POST requests.
For the time being, you can probably circumvent the issue by resorting to a post-insert event hook in which you strip the password field before the response is returned to the client.
Expected Behavior
When I specify a datasource with a projection on a domain, I expect that it would also be respected for inserting new items (POST requests).
I have an endpoint for users and I don't want to return one of their attributes (password) after a POST request that creates a new user. With bandwidth saver it wouldn't be returned, however I'm using
BANDWIDTH_SAVER = False
globally and thus Eve returns the attribute, even though it's not whitelisted in the datasource projection.My scenario could be solved by allowing to set BANDWIDTH_SAVER per each endpoint individually, however I think that the datasource projection should be respected in POST requests.
POST /users returns
{ _id: ..., username: ..., password: ... }
GET /users doesn't return the
password
attribute (that is the correct behaviour)Actual Behavior
The password field is returned after a POST request.
Environment
The text was updated successfully, but these errors were encountered: