Improve Entity access rules
Currently there are quite a few situations where I need to give users access rights that they don't really need, simply because the Entity Access Rule options are too limited. This is an issue because it makes the application less safe. The problem is that it's not possible to give a user access to an entity without giving them access to any of the members/attributes. Also the GUID, createdDate, changedDate, owner and changedBy don't show up in the access rules.
Examples:
- Retrieve objects via multiple associations: user needs access to all entities in between. Because it's impossible to give the user access to the entity without any of the members, I need to give user access to at least one member
- Using "/p/SomePage/{Id}", the user is not able to see the page if he has no access rights to the entity. Logical, but it's impossible to limit the users access to the GUID, which means users who are able to see the page are also able to retrieve more data of the object.
- Entity A only meant to create/save a list of Entity B. As the default association would exist on Entity B, it's required to add a bogus attribute to Entity A otherwise the user can't view a list of Entity B, based on Entity A.
Nice Idea
Any comment on whether improvements to the access rules are planned (for 2019)??
Another improvement suggestion, add the option to allow/disallow the committing of objects. When this is unchecked the user should be able to send changes of the object to the server, but the user should not be able to directly commit to the database.
This ensures that users can't bypass validation microflows by sending JSON requests directly to the server.