GraphQL introspection queries return the full database schema (table names, columns, relationships) without authentication. Data queries are correctly gated behind HasProjectPermissions, but introspection bypasses it.
curl -X POST -H "Content-Type: application/json" \
-d '{"query":"{ __schema { queryType { fields { name } } } }"}' \
https://your-jet-bridge/api/graphql/
# Returns all table names, column types, relationships, no token needed
Fix would be adding HasProjectPermissions to GraphQLView for introspection queries.
GraphQL introspection queries return the full database schema (table names, columns, relationships) without authentication. Data queries are correctly gated behind
HasProjectPermissions, but introspection bypasses it.Fix would be adding
HasProjectPermissionstoGraphQLViewfor introspection queries.