Quote:
But as a developer, I can pass a different username during debug mode and I can fetch the PDF of any user.
True, but developers should not access usernames from production users (that's common sense).
Debugging shouldn't be done in production environments. If you are working on a real development that involves sensitive data, then your team should have different sets of environments and databases where you can move application code from development to production. For example:
Dev/Test Environment - this is where you would test your application logic, including fetching PDFs based on usernames. This is also where you fix code and add features to the app.
Stage Environment - this is where you push changes from the Test environment. This is where integration testing is done. No development should be done here aside from application-specific configurations.
Production Environment - this is the final product which real users use. No debugging or development should be done here.
And you can't hide business logic from developers; however, you can add restrictions to some source code so that only authorized developers can have access to it. Do some research on source/version controls for your code repositories.