Why this matters
LGPD grants access/portability rights but prohibits excessive disclosure.
Data subject export endpoints must whitelist fields and redact internal notes, tokens, and third-party IDs. Generate machine-readable output and log the lawful basis for the export.
Side-by-side examples engineers can pattern-match during review.
Vulnerable: the whole model is serialized, so internal notes, tokens and third-party IDs leave with it.

    $data = $user->toArray();
    return response()->json($data);

Fixed: allow-list the exportable fields and replace the internal notes with a redaction marker.

    use Illuminate\Support\Arr; // import at the top of the controller

    $allowed = ['id', 'name', 'email', 'created_at'];
    $out = Arr::only($user->toArray(), $allowed);
    $out['notes'] = '[REDACTED]';
    return response()->json($out);

Patterns to match in review:

    // acceptable: explicit field allow-list before the response is built
    $out = Arr::only($user->toArray(), ['id', 'email']);

    // flag: full model serialized straight into the response
    return response()->json($user->toArray());
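A fuller version of the fixed pattern, added here as an example rather than taken from the rule page, written in plain PHP so it runs without Laravel. The function name exportUser, the two constants, the audit-log array, the lawful-basis label and the user record are all assumed or constructed for the example.

```php
<?php
// Added example, not from the rule page: allow-list export with redaction
// and an audit entry. exportUser, the constants and the $user record below
// are assumed/constructed; the lawful-basis string is a caller-supplied label.
declare(strict_types=1);

// Fields a data subject receives verbatim in an access/portability export.
const EXPORT_ALLOWED = ['id', 'name', 'email', 'created_at'];
// Fields the subject is told exist but whose content is withheld (internal notes).
const EXPORT_REDACTED = ['notes'];

function exportUser(array $user, string $lawfulBasis, array &$auditLog): string
{
    // Allow-list first: tokens, third-party IDs and anything unlisted are dropped.
    $out = array_intersect_key($user, array_flip(EXPORT_ALLOWED));

    // Redacted fields appear only as a placeholder, never with their value.
    foreach (EXPORT_REDACTED as $key) {
        if (array_key_exists($key, $user)) {
            $out[$key] = '[REDACTED]';
        }
    }

    // Record what left the system and on which basis, before returning it.
    $auditLog[] = [
        'subject_id'   => $user['id'],
        'lawful_basis' => $lawfulBasis,
        'fields'       => array_keys($out),
        'at'           => gmdate('c'),
    ];

    // Machine-readable output for portability.
    return json_encode($out, JSON_THROW_ON_ERROR | JSON_UNESCAPED_SLASHES);
}

// Constructed sample record containing fields that must never be exported.
$user = [
    'id'                 => 42,
    'name'               => 'Ana',
    'email'              => 'ana@example.com',
    'created_at'         => '2023-05-01T10:00:00Z',
    'notes'              => 'internal: disputed chargeback',
    'api_token'          => 'tok_EXAMPLE',
    'stripe_customer_id' => 'cus_EXAMPLE',
];
$log = [];
echo exportUser($user, 'data subject access request', $log), PHP_EOL;
echo json_encode($log, JSON_THROW_ON_ERROR), PHP_EOL;
```

The export contains only the four allow-listed fields plus notes as "[REDACTED]"; api_token and stripe_customer_id never reach the response, and the audit entry lists exactly which keys were released.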