Re: Hackable?
I don't really think so. If you consider GitHub, there is a pretty clear chain of SQL statements that get generated for each click on the website. In principle, there is no particular reason it would be difficult to expose the relevant tables and relations, subject to the existing access controls for the users. You just have to make it a policy to always do so.
The security issues are the same for the API as for the website, if you assume basic competence for the dev team.
Biting the hand that feeds IT
