Do not list related field choices in OPTIONS requests.

[charettes]

Listing related fields can leak sensitive data and result in poor performance
when dealing with large result sets.

Large result sets should be exposed by a dedicated endpoint instead.

[xordoquy]

I'm tempted to move this through the deprecation path.
The alternative would be to consider this a security improvement and go through in which case I'd probably add an option to turn this off and keep compatibility.

[charettes]

I have deprecation path in mind, I'll submit it in a few moment.

[xordoquy]

Thanks !

[lovelydinosaur]

I'd probably be okay with us simply dropping this in a median version, so long as we call it out.
We don't have any strict contract around what to expect from OPTIONS responses, so...

[craigds]

Could this be merged? This fixes #3751 which is a security (and major performance) issue so seems important to get it in.

[lovelydinosaur]

Great stuff, thank you!

[silviogutierrez]

Hey guys,

Fantastic library and great work overall. For those that actually do use this feature, will there be an opt-in workaround[1]? I looked at the merge commit and it seems like a blanket check for all related fields.

It's pretty convenient to build a form off a single OPTIONS request.

Thanks for all your work,

Silvio

[1]: Mandatory: https://xkcd.com/1172/

[lovelydinosaur]

You'd need to use a custom metadata class, overriding get_field_info so that you have the 3.3.x behavior, not the 3.4.x behavior. We should include that in the release notes.

[wimglenn]

Related example of overriding get_field_info: http://stackoverflow.com/q/35564784/674039