Fat_ecto - dynamically build queries

This looks like a great library, but with such a powerful interface, I think it should be used extremely carefully. It’s a very easy way to expose serious security vulnerabilities in your application by exposing to the client data that shouldn’t be exposed - a naive example could be a password_hash field on some User or Account schema that could be requested either directly or going through some association. I believe there should be at least a whitelist defining what fields the function is allowed to act upon, exposing just anything seems rather reckless to me.

7 Likes
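An added illustration of the allowlist the post argues for, written in plain Elixir (this is not fat_ecto's API and not the poster's code); the schema names, field sets and association map are assumed:

```elixir
defmodule SafeFieldSelect do
  # Per-schema allowlist (assumed): only listed fields may be requested, and
  # each association names the schema whose allowlist governs nested fields.
  # Sensitive columns such as :password_hash are simply never listed.
  @allowed %{
    User => %{fields: [:id, :name, :email], assocs: %{posts: Post}},
    Post => %{fields: [:id, :title, :body], assocs: %{author: User}}
  }

  @doc """
  Validates a client-supplied selection (atoms and `{assoc, nested}` tuples)
  against the allowlist for `schema`. Returns `{:ok, selection}` only if
  every entry is permitted; otherwise `{:error, paths}` with the full path
  of each rejected entry, so a request that touches a forbidden field fails
  as a whole instead of being silently trimmed.
  """
  def check(schema, requested, path \\ []) do
    %{fields: ok_fields, assocs: assocs} = Map.fetch!(@allowed, schema)

    {kept, bad} =
      Enum.reduce(requested, {[], []}, fn
        {assoc, nested}, {acc, bad} when is_map_key(assocs, assoc) ->
          # Recurse into the associated schema with its own allowlist.
          case check(Map.fetch!(assocs, assoc), nested, path ++ [assoc]) do
            {:ok, inner} -> {[{assoc, inner} | acc], bad}
            {:error, inner_bad} -> {acc, Enum.reverse(inner_bad) ++ bad}
          end

        {assoc, _nested}, {acc, bad} ->
          # Association not in the allowlist for this schema.
          {acc, [path ++ [assoc] | bad]}

        field, {acc, bad} when is_atom(field) ->
          if field in ok_fields,
            do: {[field | acc], bad},
            else: {acc, [path ++ [field] | bad]}

        other, {acc, bad} ->
          # Anything that is not an atom or an association tuple is rejected.
          {acc, [path ++ [other] | bad]}
      end)

    case bad do
      [] -> {:ok, Enum.reverse(kept)}
      _ -> {:error, Enum.reverse(bad)}
    end
  end
end

# Constructed request: reaches for :password_hash through posts -> author.
SafeFieldSelect.check(User, [:id, :email, {:posts, [:title, {:author, [:name, :password_hash]}]}])
```

The check runs before any query is assembled, so the nested `:password_hash` request is refused with its full path rather than being passed on to the query builder.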