ASP.Net Web API OData - Consumers have free rein to query whatever and however they want?

傲寒 2021-01-22 21:25

I've just been reading about the ASP.Net Web API support for OData queries and I'm having trouble reconciling the external exposure for query filtering, which essentially prov

3 answers
  •  情深已故
    2021-01-22 21:49

    Web API has a special handler mechanism, so you can check and process queries coming from the user.

    http://www.asp.net/web-api/overview/working-with-http/http-message-handlers

    But for OData queries it's not common to expose IQueryable from the database. The common approach is to make a general query, "pre-queried" on the server, and then give the user the ability to query or filter this pre-queried result. Then you will be sure that the user wasn't able to make the query "wider" than the pre-queried result.

    And as a note: Web API only has support for filter, top, skip, orderby, so it is very limited. For normal OData support, use WCF Data Services.

    When you want to hide some columns from the user's filtering/querying, one way is to write a custom handler that parses the URI from the user and returns e.g. a 403 error, or, as a variant, to make DTO objects without these columns and expose them to the user for "pre-query".
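
The two variants from the last paragraph of the answer above, as an added example that is not part of the original post: a pre-queried DTO projection and a message handler that returns 403. `Order`, `OrderDto`, `OrdersController`, `HiddenColumnHandler`, the hidden column names and the sample rows are hypothetical, and `[EnableQuery]` assumes the Microsoft.AspNet.WebApi.OData 5.x package.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Text.RegularExpressions;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http;
using System.Web.Http.OData; // assumption: Microsoft.AspNet.WebApi.OData 5.x ([EnableQuery])
// Hypothetical entity; CustomerId and InternalNote must not be queryable by clients.
public class Order
{
    public int Id { get; set; }
    public int CustomerId { get; set; }
    public decimal Total { get; set; }
    public string InternalNote { get; set; }
}
// Variant 1: a DTO without the hidden columns, exposed on top of a server-side pre-query.
public class OrderDto { public int Id { get; set; } public decimal Total { get; set; } }
public class OrdersController : ApiController
{
    // Constructed sample data standing in for the database set.
    private static readonly IQueryable<Order> Orders = new[] {
        new Order { Id = 1, CustomerId = 7, Total = 10m, InternalNote = "sample" },
        new Order { Id = 2, CustomerId = 8, Total = 25m, InternalNote = "sample" } }.AsQueryable();
    [EnableQuery] // client query options are applied to the pre-queried result only
    public IQueryable<OrderDto> Get()
    {
        int callerId = 7; // assumption: would come from the authenticated principal
        return Orders.Where(o => o.CustomerId == callerId) // pre-query: caller's rows only
                     .Select(o => new OrderDto { Id = o.Id, Total = o.Total });
    }
}
// Variant 2: a handler that rejects any system query option naming a hidden column.
// Register in WebApiConfig with config.MessageHandlers.Add(new HiddenColumnHandler());
public class HiddenColumnHandler : DelegatingHandler
{
    private static readonly Regex Hidden = new Regex(@"\b(InternalNote|CustomerId)\b", RegexOptions.IgnoreCase);
    private static readonly Regex Literal = new Regex("'(?:[^']|'')*'"); // OData string literals
    protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken ct)
    {
        var blocked = request.GetQueryNameValuePairs()              // values arrive URL-decoded
            .Where(p => p.Key.StartsWith("$", StringComparison.Ordinal))
            .Any(p => Hidden.IsMatch(Literal.Replace(p.Value ?? "", "''"))); // ignore quoted text
        return blocked
            ? Task.FromResult(request.CreateErrorResponse(HttpStatusCode.Forbidden, "Query references a property that is not exposed."))
            : base.SendAsync(request, ct);
    }
}
```

The handler is a coarse deny-list check on the query string; the DTO projection is what keeps the hidden columns out of the queryable shape altogether.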
