Hi James, I think this relates back to another [thread](https://support.kinvey.com/discussion/201272251/how-do-i-offer-access-of-a-private-collection-to-another-user "thread"). I'll copy paste the answer here, too.
If you use ACL's instead of restricting through BL, then _count would respect that. The best way to do that is via the REST API. I put up a post about usergroups and permissions here, which may help: https://support.kinvey.com/discussion/comment/201904552
almost 8 years ago
Hey. `Fetch` is another name for a `Get` HTTP request. The `Count` operation is technically an `aggregate`, and does not use the same pipeline as a GetEntity or Get request from the java/android libraries.
I would recommend using access control lists `_acl`, which is a provided GenericJson class you can add to your entities. Take a look at Caroline's post here to get some more info on how to set them up: https://support.kinvey.com/discussion/comment/201904552
about 8 years ago
I am restricting access to the collection using business logic, but COUNT does not get filtered through the fetch hook. Isn't this a big security risk? How am I supposed to restrict access correctly using business logic?