The 'Read-only' permission does not work for TokenList in legacy screens
volyanskiy opened this issue · 0 comments
volyanskiy commented
- Platform version: 7.2.19
Code which checks this security rule - com.haulmont.cuba.gui.components.data.value.ValueBinder#bind
This check works only if `valueSource instanceof EntityValueSource`, and in legacy screens TokenList's valueSource is `com.haulmont.cuba.gui.components.data.value.LegacyCollectionDsValueSource`, which is not an `EntityValueSource`, and it can be the root cause of the issue.
TC:
- Create two entities with a ManyToMany relation between them.
- Create a legacy screen with a legacy datasource and a TokenList linked to it.
- Create a Role with the Read-only attribute permission on the ManyToMany attribute.
ER: TokenList should not be editable.
AR: TokenList is editable.
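
The pattern the report points at, as an added example that is not CUBA code and not part of the original issue: a permission check gated on one concrete value-source type fails open for any other type. All types and names below (`EntitySource`, `LegacySource`, `Field`, the `Order.tags` attribute) are hypothetical stand-ins, and the fail-closed variant is one possible shape of a fix, not the project's. It needs Java 16 or later.

```java
import java.util.function.BiPredicate;

// Simplified model of the binding logic described in the issue.
// Every type here is a hypothetical stand-in, not a CUBA class.
public class ReadOnlyBindingDemo {
    interface ValueSource {}

    // Stand-in for a value source that exposes entity metadata.
    record EntitySource(String entity, String attribute) implements ValueSource {}

    // Stand-in for a legacy datasource-backed source: same data, different type.
    record LegacySource(String entity, String attribute) implements ValueSource {}

    static class Field {
        boolean editable = true; // components start out editable
    }

    // Fail-open: the permission is consulted only for one source type,
    // so any other source leaves the field editable.
    static void bindFailOpen(Field f, ValueSource vs, BiPredicate<String, String> canModify) {
        if (vs instanceof EntitySource es) {
            f.editable = canModify.test(es.entity(), es.attribute());
        }
    }

    // Fail-closed: each known source type is resolved to (entity, attribute);
    // a source the binder cannot resolve makes the field read-only.
    static void bindFailClosed(Field f, ValueSource vs, BiPredicate<String, String> canModify) {
        if (vs instanceof EntitySource es) {
            f.editable = canModify.test(es.entity(), es.attribute());
        } else if (vs instanceof LegacySource ls) {
            f.editable = canModify.test(ls.entity(), ls.attribute());
        } else {
            f.editable = false;
        }
    }

    public static void main(String[] args) {
        // Constructed role: modification denied on the many-to-many attribute Order.tags.
        BiPredicate<String, String> canModify = (e, a) -> !(e.equals("Order") && a.equals("tags"));
        ValueSource legacy = new LegacySource("Order", "tags");
        Field open = new Field();
        Field closed = new Field();
        bindFailOpen(open, legacy, canModify);
        bindFailClosed(closed, legacy, canModify);
        System.out.println("fail-open editable:   " + open.editable);
        System.out.println("fail-closed editable: " + closed.editable);
    }
}
```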