HackerOne: Private information exposed through GraphQL filters

Summary: secure schema can be circumvented for graphql where filters by using or operator. Description: When passing a where clause to a collection in the graphql endpoint, like teamswhere: state: eq: softlaunched it queries the state through the secure schema - so it will not return any teams...