As per entity-definition-1.0.xsd, @authorize-skip is not a valid attribute for
view-entity. However, in some places (like EntityFindImpl:535), an authorization
check is performed using this attribute even for view entities. So my
understanding is that @authorize-skip should probably be applicable to view
entities as well and should be included in the XSD for better reference.
In my opinion, a more secure approach would be to check the @authorize-skip
on each of the member entities and assume the LCD among them as the @authorize-skip
value for the current view entity. I know that this would make the authorize-skip
check more complex, but it would make it more intuitive.
Update: I added @authorize-skip for view entities and now I am no longer getting
the auth failed exception for these views.
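The "least common denominator" rule proposed above, worked through as an added example (this is not Moqui code and not part of the original thread). It parses a constructed entity-definition fragment with Python's standard XML parser and resolves the effective authorize-skip for a view-entity as the intersection of its members' skip sets, so an operation skips the authorization check only if every member entity would skip it. The mapping of the attribute values "true", "false", "create" and "view" to operation sets is an assumption about the attribute's semantics; an explicit @authorize-skip on the view-entity itself (as in the update above) takes precedence over the member-derived value.

```python
import xml.etree.ElementTree as ET

# Constructed sample definitions in the shape of Moqui entity-definition XML.
# These are made up for this example and are not taken from any real component.
ENTITY_XML = """
<entities>
  <entity entity-name="Enumeration" package="moqui.basic" authorize-skip="view">
    <field name="enumId" type="id" is-pk="true"/>
  </entity>
  <entity entity-name="EnumerationType" package="moqui.basic" authorize-skip="true">
    <field name="enumTypeId" type="id" is-pk="true"/>
  </entity>
  <entity entity-name="UserAccount" package="moqui.security" authorize-skip="false">
    <field name="userId" type="id" is-pk="true"/>
  </entity>
  <view-entity entity-name="EnumerationAndType" package="moqui.basic">
    <member-entity entity-alias="ENUM" entity-name="Enumeration"/>
    <member-entity entity-alias="ETYP" entity-name="EnumerationType" join-from-alias="ENUM">
      <key-map field-name="enumTypeId"/>
    </member-entity>
  </view-entity>
  <view-entity entity-name="UserAndEnumeration" package="moqui.security">
    <member-entity entity-alias="UA" entity-name="UserAccount"/>
    <member-entity entity-alias="ENUM" entity-name="Enumeration" join-from-alias="UA">
      <key-map field-name="userId" related="enumId"/>
    </member-entity>
  </view-entity>
</entities>
"""

# Assumption: the operations an authorize-skip value can exempt from the authz check.
ALL_OPS = frozenset({"create", "view"})


def skip_ops(value):
    """Map an authorize-skip attribute value to the set of operations whose
    authorization check is skipped. Assumed semantics: 'true' skips all,
    'false' or absent skips none, 'create'/'view' skip only that operation."""
    if value is None or value == "false":
        return frozenset()
    if value == "true":
        return ALL_OPS
    if value in ALL_OPS:
        return frozenset({value})
    raise ValueError(f"unknown authorize-skip value: {value!r}")


def load_entities(xml_text):
    """Index <entity> and <view-entity> elements by entity-name."""
    root = ET.fromstring(xml_text)
    return {e.get("entity-name"): e for e in root}


def effective_skip_ops(entities, name, _seen=frozenset()):
    """Return the operations that may skip authorization for `name`.

    For a view-entity without its own authorize-skip, intersect the sets of
    all member entities (the least common denominator): an operation is
    skipped only if every member would skip it. Member entities may
    themselves be view entities, so this recurses; a cycle is rejected."""
    if name in _seen:
        raise ValueError(f"cyclic member reference at {name}")
    _seen = _seen | {name}
    ed = entities[name]
    own = ed.get("authorize-skip")
    if ed.tag == "entity" or own is not None:
        # Plain entity, or a view-entity that declares the attribute explicitly.
        return skip_ops(own)
    result = ALL_OPS
    for member in ed.findall("member-entity"):
        result &= effective_skip_ops(entities, member.get("entity-name"), _seen)
    return result


def needs_authz(entities, name, op):
    """True when the authorization check must run for `op` on entity `name`."""
    return op not in effective_skip_ops(entities, name)


if __name__ == "__main__":
    defs = load_entities(ENTITY_XML)
    for view in ("EnumerationAndType", "UserAndEnumeration"):
        print(view, "skips:", sorted(effective_skip_ops(defs, view)))
```

With the sample definitions, EnumerationAndType skips only "view" (Enumeration skips view, EnumerationType skips everything, so the intersection is view), while UserAndEnumeration skips nothing because UserAccount skips nothing. The intersection is what makes the rule fail closed: adding a fully protected member to a view can only tighten the view, never loosen it.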
Thanks Vasanth, this is a good idea. I've updated the XSD in commit 55efec0.