05 Apr 2013
Link to this post
When I create a content type and restrict its permissions (view, create, etc) to a certain role, or set of roles, users not in those roles can still see all of them. Also, since the related data field is pulling from an api, this seems like a bad security hole. There's nothing preventing users from making those api calls themselves.