Access control filter
"I've set up shop scoping for editingRules using an access control filter (accessControl/filters/shopify/editingRules.gelly) that filters by Shop.id == $session.shopId, and I'm using preventCrossShopDataAccess in the create/update actions.
Can you confirm:
Is the Gelly filter syntax correct for a belongsTo relationship?
Does this automatically apply to all API queries, or do I need additional configuration?
Is it safe to use simple useFindMany(api.editingRules) in the frontend without explicit filtering, or should I add frontend filters as well?
Are there any security considerations or edge cases I should be aware of?"
0 Replies