I’m following the multitenant paradigm (https://www.cuba-platform.com/discuss/t/implement-multitenancy-through-access-groups) to segregate data so I set a session Attribute (companySession) and a corresponding Entity Attribute (companySessionId), which is supposed to be shown to top level administrators only.
Everything works fine for sub-tenants having all permissions on those Entities. Hitting Edit button, they get redirected to an edit page where they cannot see the hidden session Attribute.
Strange enough, though, Role Users with read-only permissions can go to the relevant Entity browser, hit the view button and be redirected to an “editor” (they cannot edit anything) showing the session Attribute which should be hidden from them.
Besides, if the same is done for platform attributes (e.g. createTs) (fetched and shown for top admins while hidden for sub-Roles) everything works as expected…
Why is it so?