How is pagination logic handled with security checks?

[StephenOTT]

Consider the following:

There are 1000 rows in the DB. The user queries for the most recent (using some date field) 50 rows (limit is set at 50 per page). But the security check is preventing 25 of the items to be returned. Does the api return 25 items for page 1? Or does it re-query for additional until the 50 are reached?

Thanks!

[aklish]

If the filter check is executed in memory on each record returned (not a FilterExpressionCheck), you will get 25 records for page 1. When you ask for page 2, you'll get the next block of up to 50 that the client can see.

The best approach is to use filterExpression checks for collection reads. In that case, the client will always get 50 records per page - limited to only what the client can see.