Merge pull request #1 from inonshk/feature/move-filter-manipulation

Add an example for EDE

Author: PauloASilva

2019/en/src/0xa3-excessive-data-exposure.md

@@ -23,6 +23,16 @@ comment’s author, is also returned. The endpoint implementation uses a generic
 `toJSON()` method on the `User` model, which contains PII, to serialize the
 object.
 
+### Scenario #2
+
+An IOT-based surveillance system allows administrators to create users with different permissions.
+An admin created a user for a new security guard that should have access only to specific buildings in the site.
+Once the security guard uses his mobile app, an API call is triggered to:
+`"/api/sites/111/cameras"` in order to receive data about the available cameras and show them on the dashboard.
+The response contains a list with details about cameras in the following format:
+`{"id":"xxx","live_access_token":"xxxx-bbbbb","building_id":"yyy"}`
+While the client GUI shows only cameras which the security guard should have access to, the actual API response contains a full list of all the cameras in the site.
+
 ## How To Prevent
 
 * Never rely on the client side to perform sensitive data filtering.