This isn't fool-proof, though, right? Since anyone could add a "cid" arg to 
the URL?

I just ran into a security problem where a component is revealing a whole 
auth_user record!

See: http://pricetack.com/components/order_summary/1

How do I close up this problem? Do I need to specify only the fields I need 
in the select()? Other solution?

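As an added illustration (not code from this thread, nor from the site mentioned), here is a constructed Python/SQLite sketch of the two fixes the question points at: select only the columns the component actually needs, and tie the lookup to the requesting user so that the id in the URL cannot be used to read another person's record. The table layout, column names and ids are assumptions for the demo.

```python
import sqlite3

# Constructed demo schema standing in for the site's real auth_user and
# order tables (names and columns are assumptions, not the real ones).
SCHEMA = """
CREATE TABLE auth_user (id INTEGER PRIMARY KEY, first_name TEXT, email TEXT,
                        password TEXT, registration_key TEXT);
CREATE TABLE orders (id INTEGER PRIMARY KEY, user_id INTEGER, total REAL);
INSERT INTO auth_user VALUES (1, 'Alice', 'alice@example.com', 'hash1', 'key1');
INSERT INTO auth_user VALUES (2, 'Bob', 'bob@example.com', 'hash2', 'key2');
INSERT INTO orders VALUES (1, 1, 42.50);
INSERT INTO orders VALUES (2, 2, 9.99);
"""

# Only the columns the summary needs. password, registration_key and the
# rest can never reach the template because they are never selected.
SUMMARY_FIELDS = ("first_name", "total")


def open_db():
    """Open an in-memory database loaded with the constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.executescript(SCHEMA)
    return db


def order_summary(db, order_id, requester_id):
    """Return the summary for order_id, or None if the order does not exist
    or does not belong to requester_id.

    The ownership test lives in the WHERE clause, so changing the id in the
    URL yields nothing for orders the requester does not own, and the
    projection limits what a template could ever leak."""
    row = db.execute(
        "SELECT u.first_name, o.total FROM orders o "
        "JOIN auth_user u ON u.id = o.user_id "
        "WHERE o.id = ? AND o.user_id = ?",
        (order_id, requester_id),
    ).fetchone()
    if row is None:
        return None
    return {name: row[name] for name in SUMMARY_FIELDS}
```

The same two ideas carry over to a DAL-style select: list the fields explicitly instead of selecting the whole row, and include the current user's id in the query rather than trusting the id from the request.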