wixData.query is only working on front end, not on backend

As the title says, I can only use wixData.query to query the collection on the front end, not on the backend; when I use this query on the backend, no result is returned. This poses a critical vulnerability: when the query code appears on the client side in a JavaScript file, an attacker could modify the code to query all the collections in the database, for example:

    import wixData from 'wix-data';

    // Query every item in the collection and take the first result
    wixData.query("myCollection")
      .find()
      .then((results) => {
        let firstItem = results.items[0]; // see item below
      })
      .catch((err) => {
        let errorMsg = err;
      });

If this code appears in a JavaScript file on the front end, a malicious user could change the collection named "myCollection" to another collection, or query data belonging to another user, etc. He/she forces the client side to query the data that he/she wants.

On our website project built on Wix, we avoid using query, insert, etc., or any database-related function on the client side to mitigate the risk of being attacked, but it seems that wixData.query is not applicable on the backend, so we are stuck here. Please let us know that the Wix Code Team understands the risk I have pointed out above, and give us a solution to tackle these problems. Thanks

Hey, you are talking here about two issues: access to collections, and getting different results from the client or the backend.

For the first, the Wix Data APIs allow access to your data from both the frontend and the backend. To mitigate the risk of users accessing data they should not see, we have a permissions system that governs who has access to which collection.

Check out CMS: Collection Permissions Overview | Help Center | Wix.com and https://support.wix.com/en/article/how-to-set-permissions-for-a-database-collection

Regarding the second issue, it sounds like a sandbox vs. live database issue, or a permissions issue.
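The point made in the reply above, as an added example that is not part of the original thread and is not Wix's code: a simplified model of server-enforced collection permissions, showing that a client that swaps the collection name in its query still gets only what its identity is allowed to read. The role names, collection names and the `serverQuery` function are assumptions constructed for illustration.

```javascript
// Simplified model (assumption, not Wix's implementation) of server-side
// collection permissions: access is decided from the caller's session
// identity, so editing the collection name in client code cannot widen it.

// Constructed sample data: each collection declares who may read it.
const collections = {
  myCollection: { read: 'anyone', items: [{ _id: '1', _owner: 'u1', title: 'public post' }] },
  orders: { read: 'author', items: [
    { _id: '10', _owner: 'u1', total: 30 },
    { _id: '11', _owner: 'u2', total: 75 },
  ] },
  auditLog: { read: 'admin', items: [{ _id: '20', _owner: 'sys', event: 'login' }] },
};

// `caller` is taken from the server-side session, never from the request body.
function serverQuery(collectionName, caller) {
  // Own-property lookup so names like "__proto__" are not treated as collections.
  const known = Object.prototype.hasOwnProperty.call(collections, collectionName);
  if (!known) return { ok: false, error: 'unknown collection', items: [] };

  const col = collections[collectionName];
  if (caller.role === 'admin' || col.read === 'anyone') {
    return { ok: true, items: col.items };
  }
  if (col.read === 'member' && caller.userId) {
    return { ok: true, items: col.items };
  }
  if (col.read === 'author' && caller.userId) {
    // Author-only read: a logged-in member sees only the items they own.
    const own = col.items.filter((item) => item._owner === caller.userId);
    return { ok: true, items: own };
  }
  return { ok: false, error: 'permission denied', items: [] };
}

// The "modified client code" case from the question: the same call with a
// different collection name, made by the same callers.
const visitor = { role: 'anyone', userId: null };
const memberU1 = { role: 'member', userId: 'u1' };

console.log(serverQuery('myCollection', visitor)); // public collection
console.log(serverQuery('auditLog', visitor));     // name swapped by the client
console.log(serverQuery('orders', memberU1));      // only u1's own order
```
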