I really like MongoDB's automatically generated ids. They are really useful.
However, is it safe to use them publicly?
Let's say there is a posts collecti
Let's say we have order 1 by user A and order 2 by user B.
It's safe to expose the doc id for order 1 or 2 to both users (your code should expose 1 to A and 2 to B, though).
But what is important is validating:
if the user is only allowed to read it and you have something like /api/modifyorder/:docid, you must validate that the user is an admin;
if user B has the doc id of order 1 (user A's), you need to check the order's user id before serving the response (and write a security log entry if he tries to do that).
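One way to implement the checks the answer describes, as an added example that is not code from the question or the answer: the ownership check on a read, the admin check on the modify endpoint, and a security log entry on each failed attempt. The in-memory `orders` map, the `securityLog` array, the `getOrder`/`modifyOrder` names and the sample ids are all assumptions standing in for a real MongoDB collection, an audit sink and an Express route handler.

```javascript
// Added example, not from the original question or answer.
// Assumed stand-ins: `orders` replaces a MongoDB collection, `securityLog`
// replaces the audit sink, and `requester` is the authenticated user that a
// route handler would get from the session.

// A MongoDB ObjectId serialises as 24 hex characters; reject anything else
// before it reaches the database so malformed ids never become queries.
const OBJECT_ID_RE = /^[0-9a-fA-F]{24}$/;

// Constructed sample data: order 1 belongs to user a, order 2 to user b.
const ORDER_1 = '5f1d7f3e9c1b2a3d4e5f6a71';
const ORDER_2 = '5f1d7f3e9c1b2a3d4e5f6a72';
const orders = new Map([
  [ORDER_1, { userId: 'a', total: 10 }],
  [ORDER_2, { userId: 'b', total: 20 }],
]);

// Security log entries; a real deployment would ship these to SIEM/audit storage.
const securityLog = [];

function logSecurityEvent(event, requester, docId) {
  securityLog.push({ event, userId: requester.id, docId, at: new Date().toISOString() });
}

// Read endpoint: the doc id alone is not an authorisation token. Load the
// document, then compare its owner with the requester before returning it.
function getOrder(docId, requester) {
  if (!OBJECT_ID_RE.test(docId)) return { status: 400, body: 'invalid id' };
  const order = orders.get(docId);
  if (!order || order.userId !== requester.id) {
    // Only log when a real document exists: that is an attempt on someone
    // else's order, not a typo or a stale link.
    if (order) logSecurityEvent('idor_attempt', requester, docId);
    // Same 404 for "missing" and "not yours", so a user holding a guessed id
    // cannot use the response to confirm that the order exists.
    return { status: 404, body: 'not found' };
  }
  return { status: 200, body: order };
}

// Modify endpoint: per the answer, ordinary users are read-only here, so the
// requester must be an admin regardless of who owns the order.
function modifyOrder(docId, requester, patch) {
  if (!OBJECT_ID_RE.test(docId)) return { status: 400, body: 'invalid id' };
  if (!requester.isAdmin) {
    logSecurityEvent('unauthorized_modify', requester, docId);
    return { status: 403, body: 'forbidden' };
  }
  const order = orders.get(docId);
  if (!order) return { status: 404, body: 'not found' };
  Object.assign(order, patch);
  return { status: 200, body: order };
}

// Stand-alone demonstration: user b tries user a's order, then a non-admin
// tries to modify it; both attempts end up in securityLog.
console.log(getOrder(ORDER_1, { id: 'a' }).status);                  // 200
console.log(getOrder(ORDER_1, { id: 'b' }).status);                  // 404
console.log(modifyOrder(ORDER_1, { id: 'a', isAdmin: false }, { total: 0 }).status); // 403
console.log(securityLog.map((e) => e.event));
```

Returning 404 rather than 403 on the ownership failure is a design choice made in this example, not something the answer states: it keeps an attacker who is probing ids from learning which ones exist, while the security log still records the attempt for the operators.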