From 8587c5eeb24110e0270380cfb48d31bdc3691fc3 Mon Sep 17 00:00:00 2001
From: Seb Duggan
Date: Thu, 6 Apr 2023 09:54:59 +0100
Subject: [PATCH 1/3] [twgit] Init hotfix 'hotfix-3.5.3'.

From 120b88e1081dd515ed1321bb58becf06fd20e8af Mon Sep 17 00:00:00 2001
From: Vivien Wong
Date: Wed, 5 Apr 2023 17:04:34 +0100
Subject: [PATCH 2/3] DATAAPI-19 Throw invalid select field to prevent further exposure of all fields from select

---
 services/DataApiService.cfc | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/services/DataApiService.cfc b/services/DataApiService.cfc
index 3c276eb..0cbc3a2 100644
--- a/services/DataApiService.cfc
+++ b/services/DataApiService.cfc
@@ -284,6 +284,10 @@ component {
 return dao.selectData( argumentCollection=args );
 }
+ if ( !ArrayLen( args.selectFields ) ) {
+ throw( "Invaid select field" );
+ }
+
 var records = dao.selectData( argumentCollection=args );
 var processed = [];

From 86c688f054160721733e3de1f789cb0ea229b09e Mon Sep 17 00:00:00 2001
From: Seb Duggan
Date: Thu, 6 Apr 2023 10:05:09 +0100
Subject: [PATCH 3/3] Changelog

---
 CHANGELOG.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index dd197e3..92be88a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Changelog
+## v3.5.3
+
+* [#70](https://github.com/pixl8/preside-ext-data-api/issues/70) API call returns all fields when only invalid fields provided in fields parameter
+
 ## v3.5.2
 * [#68](https://github.com/pixl8/preside-ext-data-api/issues/68) Fix for issue where background errors recorded when deleting records without an id field
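Review bot: In the services/DataApiService.cfc hunk the new empty-`selectFields` guard sits below the early `return dao.selectData( argumentCollection=args );`, so that branch still runs the query without the check. The enclosing function starts and ends outside the hunk, so the condition on that branch is not visible; if it can be reached with a fields parameter holding only invalid names, the guard should move above it, otherwise the all-fields exposure this fix targets may remain on that path. The throw also carries a misspelled message and no `type`, which presumably makes it surface as a generic server error rather than a client validation failure. Something like `throw( type="<project error type>", message="Invalid select field" );` would let the API layer map it to a 4xx response without leaking diagnostic detail.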