
Why do COUNT requests not get funneled through the "fetch" hook?

You mention on your documentation that a "fetch" hook can be used to deny access to a collection, but a COUNT request can still get information about the collection even if access is denied, can't it?

I am restricting access to the collection using business logic, but COUNT does not get filtered through the fetch hook. Isn't this a big security risk? How am I supposed to restrict access correctly using business logic?

Hey. `Fetch` is another name for a `Get` HTTP request. The `Count` operation is technically an `aggregate`, and does not use the same pipeline as a GetEntity or Get request from the java/android libraries.

I would recommend using access control lists `_acl`, which is a provided GenericJson class you can add to your entities. Take a look at Caroline's post here to get some more info on how to set them up:

Hi James, I think this relates back to another [thread]( "thread"). I'll copy-paste the answer here, too.

If you use ACLs instead of restricting through BL, then _count would respect that. The best way to do that is via the REST API. I put up a post about usergroups and permissions here, which may help:
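As an added illustration of the difference both replies describe (this is example code, not code from the thread or from the platform itself): a collection-level check that lives only in a fetch hook is bypassed by a count that runs on a separate aggregate pipeline, whereas a per-entity `_acl` predicate shared by fetch and count leaves count nothing extra to reveal. The `_acl` layout used here (`creator`, `gr`, `r`, `groups.r`), the user names and the sample entities are assumptions constructed for the example, not the platform's documented schema.

```python
from typing import Any, Dict, Iterable, List

# Constructed sample collection; each entity carries its own _acl.
# Field layout is an assumption for this example, not a documented schema.
COLLECTION: List[Dict[str, Any]] = [
    {"_id": "1", "_acl": {"creator": "alice", "gr": True}},
    {"_id": "2", "_acl": {"creator": "alice", "gr": False}},
    {"_id": "3", "_acl": {"creator": "alice", "gr": False, "r": ["bob"]}},
    {"_id": "4", "_acl": {"creator": "carol", "gr": False, "groups": {"r": ["ops"]}}},
]


class AccessDenied(Exception):
    pass


# Model 1: a collection-level check that lives only in the fetch (GET) hook.
def fetch_hook(user_id: str) -> None:
    """Business-logic hook: only alice may read this collection."""
    if user_id != "alice":
        raise AccessDenied(user_id)


def fetch_with_hook(user_id: str) -> List[Dict[str, Any]]:
    fetch_hook(user_id)
    return list(COLLECTION)


def count_without_hook(user_id: str) -> int:
    # Count is an aggregate on a separate pipeline: the hook never runs,
    # so every caller, including a denied one, learns the collection size.
    return len(COLLECTION)


# Model 2: a per-entity ACL predicate shared by every read path.
def can_read(entity: Dict[str, Any], user_id: str, groups: Iterable[str] = ()) -> bool:
    acl = entity.get("_acl", {})
    return (
        bool(acl.get("gr"))                      # globally readable
        or acl.get("creator") == user_id         # owner
        or user_id in acl.get("r", [])           # explicit reader
        or bool(set(groups) & set(acl.get("groups", {}).get("r", [])))
    )


def fetch_acl(user_id: str, groups: Iterable[str] = ()) -> List[Dict[str, Any]]:
    return [e for e in COLLECTION if can_read(e, user_id, groups)]


def count_acl(user_id: str, groups: Iterable[str] = ()) -> int:
    # Same predicate as fetch, so count cannot reveal entities the user cannot read.
    return len(fetch_acl(user_id, groups))
```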