NocoDB: Hidden LTAR Column Exposure in Public Shared-View Relation Endpoints
GHSA-9wgh-m22w-9xj8 · CVE-2026-47279
Description
Summary
The public shared-view relation endpoints accepted a caller-supplied column
ID without verifying that the column was visible in the shared view, so
anyone holding a share UUID could read links from any LTAR column on the
view's table — including columns the view owner had hidden.
Details
publicMmList, publicHmList, and relDataList already ensured that the
requested column belonged to the view's model, but did not check the
view-column entry's show flag. All three handlers now also fetch the
shared view's column entries and reject the request unless the matching
entry has show=true. The four public relation routes covered by the fix
are:
GET /api/v2/public/shared-view/:uuid/rows/:rowId/mm/:columnId (many-to-many)
GET /api/v2/public/shared-view/:uuid/rows/:rowId/hm/:columnId (has-many)
GET /api/v2/public/shared-view/:uuid/rows/:rowId/{ln,om}/:columnId (links / one-to-many; both share the many-to-many handler)
GET /api/v2/public/shared-view/:uuid/nested/:columnId (form/gallery picker)
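The following is an added illustration, not NocoDB's own code, of the authorization gap described above: a model-membership check alone beside the same check extended with the view-column show flag. The types, function names and the sample view are constructed for this example.

```typescript
// Hypothetical shapes for this example; not NocoDB's own model types.
type Column = { id: string; uidt: string; fk_model_id: string };
type ViewColumn = { fk_column_id: string; show: boolean };
interface SharedView {
  uuid: string;
  fk_model_id: string;
  columns: Column[];          // all columns of the view's model
  viewColumns: ViewColumn[];  // per-view visibility entries
}

class RelationAccessError extends Error {}

// Pre-fix behaviour: accepts any LTAR column that belongs to the view's model,
// regardless of whether the view owner hid it.
function resolveRelationColumnVulnerable(view: SharedView, columnId: string): Column {
  const col = view.columns.find(
    (c) => c.id === columnId && c.fk_model_id === view.fk_model_id,
  );
  if (!col || col.uidt !== 'LinkToAnotherRecord') {
    throw new RelationAccessError('column not found');
  }
  return col;
}

// Fixed behaviour: the column must also have a view-column entry with show=true.
// A hidden column yields the same error as a missing one, so the response does
// not reveal which hidden columns exist.
function resolveRelationColumnFixed(view: SharedView, columnId: string): Column {
  const col = resolveRelationColumnVulnerable(view, columnId);
  const entry = view.viewColumns.find((v) => v.fk_column_id === col.id);
  if (!entry || !entry.show) throw new RelationAccessError('column not found');
  return col;
}

// Constructed sample: one visible link column, one hidden link column,
// and a column that belongs to a different model.
const sampleView: SharedView = {
  uuid: 'share-uuid-example',
  fk_model_id: 'md_employees',
  columns: [
    { id: 'col_visible', uidt: 'LinkToAnotherRecord', fk_model_id: 'md_employees' },
    { id: 'col_hidden', uidt: 'LinkToAnotherRecord', fk_model_id: 'md_employees' },
    { id: 'col_other', uidt: 'LinkToAnotherRecord', fk_model_id: 'md_other' },
  ],
  viewColumns: [
    { fk_column_id: 'col_visible', show: true },
    { fk_column_id: 'col_hidden', show: false },
  ],
};

type Resolver = (view: SharedView, columnId: string) => Column;
function canRead(resolve: Resolver, view: SharedView, columnId: string): boolean {
  try { resolve(view, columnId); return true; } catch { return false; }
}
```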
Impact
Anyone holding a share UUID could enumerate the full set of linked records
for any hidden LTAR column on the view's table by calling the relation
endpoint directly, even when the same column was correctly omitted from the
public /rows response.
Credit
This issue was reported by @leduckhuong.