Privacy rules semi-circumvented

Small, maybe insignificant bug - I don’t know how much someone can do with a unique ID.

When I use privacy rules to set availability for data correctly, the entire item becomes unavailable in searches and that’s expected behavior. However, when I link to the data in the database, the unique id gets sent and all other fields are masked. Example:

Schedule has children, one of the children should be hidden by privacy rules.

When I use “do a search for” with filters (as seen on right) it works as expected. When I say display parent group’s children (left) I get the extra circle showing that there’s an entry (the hidden entry).
When I inspect it I get this:


I assume this means that anytime I send data with linked data inside, the unique IDs will potentially be visible. Is this actually a security issue or is it insignificant?

This topic was automatically closed after 14 days. New replies are no longer allowed.