From b4dd5f1c255d019989b953d438df7fd300b1ca89 Mon Sep 17 00:00:00 2001 From: Adrian Hall Date: Mon, 16 Feb 2026 17:59:59 +0000 Subject: [PATCH] (#407) Added docs warning about data leakage prevention. --- docs/in-depth/server/index.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/docs/in-depth/server/index.md b/docs/in-depth/server/index.md index 95ad755..d5210d9 100644 --- a/docs/in-depth/server/index.md +++ b/docs/in-depth/server/index.md @@ -200,6 +200,11 @@ To use this access control provider, update your `TableController` as follows: If you want to allow both unauthenticated and authenticated access to a table, decorate the controller with `[AllowAnonymous]` instead of `[Authorize]`. +!!! warning + It is very easy to accidentally leak data for a different user when using access control providers to limit the data. If the operation is create and the entity that exists is for another user, the response will contain the information for the other user. + + To prevent this data leakage case, it is important to add a filtering that ensures the data being returned is for the same user. + ## Configure logging Logging is handled through [the normal logging mechanism](https://learn.microsoft.com/aspnet/core/fundamentals/logging/?view=aspnetcore-10.0) for ASP.NET Core. Assign the `ILogger` object to the `Logger` property:
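Review bot: The new admonition tells the reader to "add a filtering that ensures the data being returned is for the same user" but does not say where or how, so the warning raises a concern without giving the reader a way to act on it; in the second paragraph of the warning, point to the specific place in the `TableController` or access control provider setup where per-user filtering belongs, or link the section of this page that describes it, and reword to "add filtering" or "add a filter". The first sentence, "It is very easy to accidentally leak data for a different user when using access control providers to limit the data", reads more clearly as "...when using access control providers to restrict access to data". The described failure (a create that collides with an existing entity owned by another user returns that entity) is also worth stating as the conflict case it is, so the reader knows the leak occurs in the conflict response rather than on a successful create. Finally, confirm that the body lines under `!!! warning` keep the four-space indentation the admonition syntax requires; it is not visible in this rendering and the second paragraph will otherwise fall outside the box.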