When setting EntityOptions.apiPrefilter to a function, the filter is not applied to API requests for a resource by Id

Main / When setting EntityOptions.apiPrefilter to a function, the filter is not applied to API requests for a resource by Id

Discription

### Impact
If you used the [apiPrefilter](https://remult.dev/docs/ref_entity.html#apiprefilter) option of the `@Entity` decorator, by setting it to a function that returns a filter that prevents unauthorized access to data, an attacker who knows the `id` of an entity instance she is not authorized to access, can gain read, update and delete access to it.

### Patches
The issue is fixed in version 0.20.6

### Workarounds
Set the `apiPrefilter` option to a filter object instead of a function.

### References
If you’re using a minor version Read More

References

Back to Main

Subscribe for the latest news: