@authorize-skip for ViewEntities

  • As per entity-definition-1.0.xsd, @authorize-skip is not a valid attribute for
    view-entity. However, at some places (like EntityFindImpl:535), authorization
    check is being performed using this attribute even for ViewEntities. So, my
    understanding is @authorize-skip should probably be applicable to view
    entities as well and should be included in xsd for better reference.

    In my opinion, a more secure approach would be - to check the @authorize-skip
    on each of the member entities and assume LCD among them, as @authorize-skip
    value for the current view entity. I know that this would make authorize-skip
    check more complex, but would make it more intuitive.

  • Update: I added @authorize-skip for view entities and now I am not getting
    auth failed exception for these views.

  • David E. Jones
    David E. Jones

    Thanks Vasanth, this is a good idea. I've updated the XSD in commit 55efec0.