I’m using Omeka S in the last version and some of the fields I use are private while all the other fields are public.
On the public website, I can use the advanced search engine. On the admin side, I checked the setting
Restrict to templates so that the drop-down menu only displays used fields.
The problem is that private field are also displayed. The second problem is that searching using these private fields is possible.
The conclusion of this is that private fields are only partially private. They should not be displayed on the search engin, and it should not be possible to search using these fields as criteria (event when dealing with http request parameters).
This seems to be a serious security issue. Don’t you think?