FTS accesses views that the user does not have permissions for

I’m doing FTS tests, and I’ve noticed that a user who does not have permissions for certain views is shown information from those views. Is this behavior correct? Is it possible to restrict this behavior?

Regards,

Nelson F.

Which permissions are you talking about? Can you please provide an example?

For example, I have a user that does not have access to any of the options in the administration menu, but if I look for special data like 98637214, then it allows me access to the users of the system.

By “user does not have access to any of the options in the administration menu” you mean that you forbid some menu item in the security role, right? The security role just hides the menu. It doesn’t forbid the user from reading entities, say, in some other screen. If you want to restrict the list of entities the user can fetch, you should use access groups.

Thx Max. For my particular case, could you give me an example restricting access to the user entity?

I don’t know exactly what your case is, but the security constraint should look similar to this:

image

Just change the condition in accordance with your needs.