Exposure is used to allow a certain collection as an Entry Point for your query. Exposing is done server side.
NamedQuery is not affected by exposure at all. It has it’s own firewall.
This is for global configuration. It will apply to all exposures unless overriden.
If you specify any parameters used in the global configuration, they will be overridden.
If you have exposed your Collection and provided a firewall. Then the find() method will be extended, allowing an additional userId field.
If userId is undefined. Firewall will not be called and applied. Use null or false for non-logged-in users.
Restrict certain fields, and remove them from filters and options deeply and securely. It will even clean-out filters with $and, $or, $nor, $not.
If you specify a body to your exposures, in that case firewalls will not be linked, they will be bypassed.
If comments‘s collection is exposed. The firewall of comments will be applied.
Then this query:
Will only return posts and comments for which userId is the current logged in user.
When exposure rules become too complex, the best solution is to use Named Query