I have a REST API query1, e.g.:
api/user with a bearer token as the Authorization header
This query returns a list of IDs of "things" this user is allowed to see.
Then I have another SQL query2, e.g.:
SELECT * FROM things WHERE id = ANY({{ query1.data.thingIDs }})
Now it looks like, from a security point of view, the user is able to change the input parameters for query2 in the browser, because the Retool runtime appears to do a POST query?queryName=query2 with the array in the request body (queryParams). So the user could run the query with a totally different list of IDs.
So I was always under the impression that all this happens in the backend of Retool, not in the frontend. Is there any way to prevent this? The way it is, this is a big security issue in my opinion.
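A runnable illustration of the concern described above, added here as an example; it is not code from the original post or from Retool. It models query2 twice against an in-memory SQLite database with constructed sample data: once as posted, where the ID list arriving in the request body is trusted as-is, and once in a hardened form where the database re-derives the allowed set from the authenticated identity by joining a per-user access table, so a tampered ID list can only narrow the result, never widen it. The table names, the `user_id` argument and the assumption that the backend has a server-side, trustworthy user identity available to the query are all assumptions of the example, not facts stated in the post.

```python
import sqlite3

# Constructed sample data (not from the original post): a things table and a
# per-user access table standing in for the "things this user is allowed to
# see" that api/user returns.
THINGS = [(1, "alpha"), (2, "bravo"), (3, "charlie"), (4, "delta")]
USER_THING_ACCESS = [("alice", 1), ("alice", 2), ("bob", 3)]


def make_db():
    """Build an in-memory database with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE things (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("CREATE TABLE user_thing_access (user_id TEXT, thing_id INTEGER)")
    conn.executemany("INSERT INTO things VALUES (?, ?)", THINGS)
    conn.executemany("INSERT INTO user_thing_access VALUES (?, ?)", USER_THING_ACCESS)
    return conn


def query2_vulnerable(conn, thing_ids):
    """Mirrors SELECT * FROM things WHERE id = ANY({{ query1.data.thingIDs }}).

    thing_ids is whatever the client put in queryParams. The query never asks
    who the caller is, so any ID the client chooses to send is returned.
    """
    if not thing_ids:
        return []
    placeholders = ",".join("?" * len(thing_ids))
    rows = conn.execute(
        f"SELECT id FROM things WHERE id IN ({placeholders}) ORDER BY id",
        list(thing_ids),
    )
    return [r[0] for r in rows]


def query2_hardened(conn, user_id, thing_ids):
    """Same query with the authorization decision re-made in the database.

    user_id is assumed to come from a server-side source the client cannot
    edit (for example, the identity behind the bearer token). The client's ID
    list is still accepted as a filter, but it is intersected with the rows
    this user is actually allowed to see, so tampering cannot widen the result.
    """
    if not thing_ids:
        return []
    placeholders = ",".join("?" * len(thing_ids))
    sql = f"""
        SELECT t.id
        FROM things AS t
        JOIN user_thing_access AS a ON a.thing_id = t.id
        WHERE a.user_id = ? AND t.id IN ({placeholders})
        ORDER BY t.id
    """
    rows = conn.execute(sql, [user_id, *thing_ids])
    return [r[0] for r in rows]


def demo():
    """Show the effect of a tampered queryParams array for user alice."""
    conn = make_db()
    legitimate = [1, 2]          # what api/user returned for alice
    tampered = [1, 2, 3, 4]      # what a user could substitute in the browser
    return {
        "vulnerable_legitimate": query2_vulnerable(conn, legitimate),
        "vulnerable_tampered": query2_vulnerable(conn, tampered),
        "hardened_tampered": query2_hardened(conn, "alice", tampered),
    }


if __name__ == "__main__":
    for name, ids in demo().items():
        print(f"{name}: {ids}")
```

The vulnerable form returns rows for every ID the client sends; the hardened form returns only the intersection of the client's list with the rows the authenticated user is entitled to. The hardened form only helps if `user_id` genuinely comes from the server side; if it were also injected from a client-editable value it would be just as tamperable as the ID array.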