Security constraints are not applied for load values

Hi

In our application, we use security constraints to filter rows seeable by users, and it works quite well.

However, when we started developing all our financial reports some time ago, I was surprised to discover that they are not applied on load values queries.

E.g.: “select e from Customer e” will apply security constraints, while “select e.name, SUM(e.orderAmount) from Customer e group by e.name” will not. Same for load value queries without group by.

That’s quite a hole IMHO. We had to develop a system ourselves, with our own parser, but I would be much more comfortable if the platform provided a genuine solution at some point in time.

Best Regards
Michael

Hi Michael,

I assume you are talking about the reporting add-on.

When you create a JPQL dataset, the query is executed via EntityManager and security is not applied. If you need it, you have to write Groovy code which invokes DataManager.loadValues(). In this case, security constraints will take effect.

Regards,
Konstantin
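
The Groovy dataset described in the answer above, as an added example that is not part of the original thread or the platform's own code. It assumes the CUBA Platform global API (`AppBeans`, `ValueLoadContext`), reuses the aggregate query from the question with the entity name exactly as written there, and uses hypothetical band field names `name` and `total`:

```groovy
import com.haulmont.cuba.core.global.AppBeans
import com.haulmont.cuba.core.global.DataManager
import com.haulmont.cuba.core.global.ValueLoadContext

// Look up DataManager instead of going through EntityManager, so the
// load-values query runs on the path where security constraints take effect.
DataManager dataManager = AppBeans.get(DataManager.class)

// Same aggregate query as in the question; the entity name is copied as
// written there (assumption: adjust it to the real entity name in your model).
def context = ValueLoadContext.create()
        .setQuery(ValueLoadContext.createQuery(
                'select e.name, SUM(e.orderAmount) from Customer e group by e.name'))
        // Property names are positional aliases for the selected columns.
        // 'name' and 'total' are hypothetical names chosen for this example.
        .addProperty('name')
        .addProperty('total')

// A Groovy dataset returns a List<Map<String, Object>>: one map per band row.
return dataManager.loadValues(context).collect { kv ->
    [name: kv.getValue('name'), total: kv.getValue('total')]
}
```

To confirm the constraints are applied, run the report as a user whose access group restricts Customer rows and compare the totals with those from the JPQL dataset.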