Hello, I’m actually using proxies to GET/POST information into Airtable from a mobile app.
Proxies use the “&field” filter, so the GET response only contains a limited number of fields in the response. This is the approach I have seen suggested around the forum to return a limited number of fields.
To my surprise, if “?id=record_id” is added to a proxied endpoint, no matter what “field” filters are included in the proxy internals, they are bypassed and all fields from the record are returned.
With all the fields returned, there are dozens of linked records from other tables. Again to my surprise, if any of the linked record IDs from other tables is appended to the proxied URL (?id=linked_record_id), then the linked record is fully returned (with all its fields).
This creates a huge security issue on my app if exploited and I have seen no documentation, comments or security practices about it anywhere or ways to solve this situation. Any clue? Is anyone having the same problem?
As a live example:
Returns only the filtered fields I set up in the proxy from that example record id.
Returns filtered fields and all the records from the table.
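
An added example, not part of the original post and not the code of any particular proxy service: one way a proxy can enforce the field limit on the response itself, so that a client-supplied `?id=` cannot widen what is returned. The response shapes follow Airtable's REST API; the field names, parameter allowlist and function names are assumptions.

```python
# Added example: response-side field allowlisting in a proxy.
# Response shapes follow Airtable's REST API; all names here are hypothetical.

ALLOWED_FIELDS = {"Name", "Status"}          # fields the app may see
ALLOWED_CLIENT_PARAMS = {"id", "offset"}     # query params clients may send


class RejectedRequest(Exception):
    """Raised when the client sends a parameter the proxy does not accept."""


def sanitize_client_params(params: dict) -> dict:
    """Reject anything outside the allowlist, so clients cannot override
    the proxy's own filters (fields, view, filterByFormula, ...)."""
    unexpected = set(params) - ALLOWED_CLIENT_PARAMS
    if unexpected:
        raise RejectedRequest(f"unsupported parameters: {sorted(unexpected)}")
    return dict(params)


def project_record(record: dict) -> dict:
    """Keep only the allowlisted fields of one record."""
    fields = record.get("fields", {})
    return {
        "id": record.get("id"),
        "fields": {k: v for k, v in fields.items() if k in ALLOWED_FIELDS},
    }


def filter_upstream_response(body: dict) -> dict:
    """Apply the allowlist to whatever the upstream returned: a list
    response ({"records": [...]}) or a single record ({"id", "fields"})."""
    if "records" in body:
        out = {"records": [project_record(r) for r in body["records"]]}
        if "offset" in body:
            out["offset"] = body["offset"]
        return out
    return project_record(body)


# Constructed sample: what the upstream returns when a record is fetched by id.
SAMPLE_SINGLE = {
    "id": "recAAAAAAAAAAAAAA",
    "createdTime": "2020-01-01T00:00:00.000Z",
    "fields": {"Name": "Alice", "Status": "Active",
               "Email": "alice@example.com",
               "Orders": ["recBBBBBBBBBBBBBB"]},   # linked-record ids
}

if __name__ == "__main__":
    print(filter_upstream_response(SAMPLE_SINGLE))
```

Projection alone does not stop a client from requesting a record id that belongs to another table or another user; that needs a check on the id before the upstream call is made.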