Config option to disable Breeze.js extensions to OData syntax
Breeze mentions extensions to the OData query syntax when used with the WebAPI controllers. However, I would like to use the STANDARD syntax and not allow these extensions, without having to revert to the OData provider (which doesn't support saves currently). I have some existing code to validate OData queries for security purposes, and this code has to be aware of the full syntax tree, and makes assumptions based on the standard spec on how the query is fulfilled by the OData Provider.
These assumptions are broken by Breeze's extensions and shortcuts to the OData query language. The extensions are also a moving target, which is untenable for security-related validation code.
I suggest a configuration option for both the client and server side, whereby the client-side code submits queries using only the standard syntax, and where the server side WebAPI provider code only serves query results based on the standard syntax and handling according to the official spec.
Note: I am, in this instance, limiting this suggestion to queries only. I am fine with the non-standard batch changeset request format via a JSON bundle sent to the SaveChanges action.
Closing this request as it can be done today (see comments for instructions), i.e. remove the [BreezeController] attribute, add the JsonFormatter option, and go.
AdminAdmin (Product Manager, Breeze.js) commented
We will have new guidance on this topic soon, but for now you can create your own FooControllerAttribute that looks just like our BreezeControllerAttribute but with the IFilterProvider code removed.
Use your new FooControllerAttribute anywhere you would have used the BreezeControllerAttribute.
The new FooControllerAttribute will basically only be configuring the JSON formatter.
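A sketch of the attribute described in the comment above, as an added example that is not code from the thread or from the Breeze project. It assumes the Web API 1 OData package (`System.Web.Http.QueryableAttribute`) and that the Breeze server library exposes its formatter as `Breeze.WebApi.JsonFormatter.Create()`; `OrdersController`, `Order` and the sample data are constructed for illustration.

```csharp
using System;
using System.Linq;
using System.Web.Http;
using System.Web.Http.Controllers;
using System.Web.Http.OData.Query;

// Hypothetical attribute name taken from the comment above. It implements only
// IControllerConfiguration, not IFilterProvider, so it registers no query
// filters of its own and changes nothing about how query strings are parsed.
[AttributeUsage(AttributeTargets.Class, Inherited = false, AllowMultiple = false)]
public sealed class FooControllerAttribute : Attribute, IControllerConfiguration
{
    public void Initialize(HttpControllerSettings controllerSettings,
                           HttpControllerDescriptor controllerDescriptor)
    {
        // Per-controller formatter setup only: swap the default formatters for
        // the Breeze JSON formatter so the Breeze client and SaveChanges still work.
        controllerSettings.Formatters.Clear();
        // Assumption: the formatter factory lives at Breeze.WebApi.JsonFormatter.Create().
        controllerSettings.Formatters.Add(Breeze.WebApi.JsonFormatter.Create());
    }
}

// Constructed sample entity.
public class Order
{
    public int Id { get; set; }
    public string Customer { get; set; }
}

[FooController]
public class OrdersController : ApiController
{
    // Constructed in-memory data standing in for a real context.
    private static readonly Order[] Sample =
    {
        new Order { Id = 1, Customer = "alpha" },
        new Order { Id = 2, Customer = "beta" }
    };

    // With no Breeze filter provider in play, query support is opted into per
    // action through the standard attribute, and the allowed surface is an
    // explicit list that validation code can reason about.
    [Queryable(AllowedQueryOptions = AllowedQueryOptions.Filter | AllowedQueryOptions.OrderBy
                                   | AllowedQueryOptions.Top | AllowedQueryOptions.Skip,
               MaxTop = 100)]
    public IQueryable<Order> Orders()
    {
        return Sample.AsQueryable();
    }
}
```

Query options outside the allowed set, such as `$expand` here, are rejected by the standard Web API validation before the query runs.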