From 8191552352875a020582f018da734eee5a55f53d Mon Sep 17 00:00:00 2001
From: Adria Navarro <adria@budibase.com>
Date: Wed, 7 Aug 2024 12:36:51 +0200
Subject: [PATCH] Bypass view

---
 .../src/api/routes/tests/viewV2.spec.ts       | 37 +++++++++++++++++++
 1 file changed, 37 insertions(+)

diff --git a/packages/server/src/api/routes/tests/viewV2.spec.ts b/packages/server/src/api/routes/tests/viewV2.spec.ts
index 8c0bc39234..b2ac580f6c 100644
--- a/packages/server/src/api/routes/tests/viewV2.spec.ts
+++ b/packages/server/src/api/routes/tests/viewV2.spec.ts
@@ -1485,6 +1485,43 @@ describe.each([
           }
         )
       })
+
+      it("cannot bypass a view filter", async () => {
+        await config.api.row.save(table._id!, {
+          one: "foo",
+          two: "bar",
+        })
+        await config.api.row.save(table._id!, {
+          one: "foo2",
+          two: "bar2",
+        })
+
+        const view = await config.api.viewV2.create({
+          tableId: table._id!,
+          name: generator.guid(),
+          query: [
+            {
+              operator: BasicOperator.EQUAL,
+              field: "two",
+              value: "bar2",
+            },
+          ],
+          schema: {
+            id: { visible: true },
+            one: { visible: false },
+            two: { visible: true },
+          },
+        })
+
+        const response = await config.api.viewV2.search(view.id, {
+          query: {
+            equal: {
+              two: "bar",
+            },
+          },
+        })
+        expect(response.rows).toHaveLength(0)
+      })
     })
 
     describe("permissions", () => {