18.104.22.168.3. Security in DataManager
getCount() methods check user’s READ permission for entities being loaded. Additionally, loading entities from the database is subject for access group constraints.
commit() method checks CREATE permissions for new entities, UPDATE for the updated entities and DELETE for the deleted ones.
DataManager checks permissions on entity operations (READ/CREATE/UPDATE/DELETE) when invoked from a client, and ignores them when invoked from a middleware code. Attribute permissions are not enforced by default.
If you want to check entity operation permissions when using
DataManager in your middleware code, obtain a wrapper via
DataManager.secure() method and call its methods. Alternatively, you can set the cuba.dataManagerChecksSecurityOnMiddleware application property to turn on security check for the whole application.
Attribute permissions will be enforced on the middleware only if you additionally set the cuba.entityAttributePermissionChecking application property to true. It makes sense if Middleware serves remote clients that theoretically can be hacked, like a desktop client. In this case, set also the cuba.keyForSecurityTokenEncryption application property to a unique value. If your application uses only Web or Portal clients, you can safely keep default values of these properties.
Note that access group constraints (row-level security) are always applied regardless of the above conditions.
See also the Data Access Checks section for the whole picture of how security permissions and constraints are used by different mechanisms of the framework.