ProductReview exposes Customer to the public API
Closed this issue · 1 comments
Draykee commented
Everyone could see the orders of a customer via product -> reviews -> customer. I think this should be restricted.
michaelbromley commented
Yes, good point. There should be an Allow decorator on the entity resolver, or maybe a different type for the public API.
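The nested path reported above and the two fixes suggested in the reply, as an added TypeScript example that is not Vendure's code or part of the original thread. The `allow` wrapper, the permission strings, the field names and the sample data are all hypothetical stand-ins for a permission guard on a field resolver.

```typescript
// Added example: models field resolvers by hand; none of this is Vendure's own API.
type Permission = 'Public' | 'ReadCustomer';
interface Ctx { permissions: Permission[] }
interface Order { code: string }
interface Customer { id: string; orders: Order[] }
interface Review { id: string; summary: string; customerId: string }
type FieldResolver<P, R> = (parent: P, ctx: Ctx) => R;

// Constructed sample data.
const customerTable: Customer[] = [{ id: 'c1', orders: [{ code: 'ORD-0001' }] }];
const sampleReview: Review = { id: 'r1', summary: 'Works well', customerId: 'c1' };
const reviewsOfProduct: Review[] = [sampleReview];

function findCustomer(id: string): Customer {
  for (const c of customerTable) { if (c.id === id) { return c; } }
  throw new Error('unknown customer ' + id);
}

// Hypothetical guard: the field resolver runs only if the caller holds `required`.
function allow<P, R>(required: Permission, resolve: FieldResolver<P, R>): FieldResolver<P, R> {
  return (parent, ctx) => {
    if (ctx.permissions.indexOf(required) === -1) {
      throw new Error('Forbidden: ' + required + ' required');
    }
    return resolve(parent, ctx);
  };
}

// Before: Review.customer resolves for any caller, so the nested path is open.
const customerUnguarded: FieldResolver<Review, Customer> = (review) => findCustomer(review.customerId);
// Fix 1: put the permission check on the field resolver itself.
const customerGuarded = allow('ReadCustomer', customerUnguarded);
// Fix 2: a separate public type that carries no customer reference at all.
interface PublicReview { id: string; summary: string }
function toPublicReview(r: Review): PublicReview {
  return { id: r.id, summary: r.summary };
}

// Walks product -> reviews -> customer -> orders as the given caller.
function orderCodesViaReviews(resolveCustomer: FieldResolver<Review, Customer>, ctx: Ctx): string[] {
  const codes: string[] = [];
  for (const r of reviewsOfProduct) {
    for (const o of resolveCustomer(r, ctx).orders) { codes.push(o.code); }
  }
  return codes;
}

const shopper: Ctx = { permissions: ['Public'] };
const admin: Ctx = { permissions: ['Public', 'ReadCustomer'] };
```

Guarding only the top-level customer query would not help here, because the shopper never calls it; the check has to sit on the field that links the review to the customer, or the field has to be absent from the public type.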