Hi everyone!
I’m facing a security challenge regarding Account Restriction in Liferay Objects (7.4).
Context: I have an object (e.g., Payroll) with “Account Restriction” enabled. This correctly isolates data between different accounts. However, inside a single account, I have two types of users: Admins and Employees.
The Problem:
- Admins should see all payrolls for the account.
- Employees should ONLY see their own payroll entries.
- Currently, an employee can call /o/c/payrolls and see every payroll in the account because they all share the same accountEntryId.
What I’ve considered:
- Client-side filtering: Not secure (anyone can bypass it via DevTools/API).
Question: What is the “Liferay-way” to enforce row-level security within an account-restricted object?
Thanks for your insights!
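As an added illustration (not part of the original post, and not Liferay's own API), the following Python sketch shows the server-side check the question is asking for, independent of how it is wired into Liferay: the account restriction is applied first, then a per-row ownership filter unless the caller holds an admin role, and the single-item endpoint reuses the same filter so that an employee cannot fetch a co-worker's entry by id. The `Payroll`, `Caller`, field names and sample rows are constructed for the example; only `accountEntryId` comes from the post.

```python
"""Server-side row-level filtering for an account-restricted collection.

Constructed illustration, not Liferay's API. It models what a request
handler must do before returning payroll rows: the client-side filter the
post mentions can be stripped by the caller, so the narrowing has to
happen here, on data the client cannot influence (the authenticated
caller's identity and role).
"""

from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Payroll:
    id: int
    account_entry_id: int   # the account the row belongs to (accountEntryId)
    owner_user_id: int      # the employee this payroll entry is about (assumed field)
    amount: int


@dataclass(frozen=True)
class Caller:
    """Identity resolved from the session, never from request parameters."""
    user_id: int
    account_entry_id: int
    is_account_admin: bool


# Constructed sample data: two accounts (100 and 200), several employees.
PAYROLLS: List[Payroll] = [
    Payroll(id=1, account_entry_id=100, owner_user_id=11, amount=5000),
    Payroll(id=2, account_entry_id=100, owner_user_id=12, amount=4200),
    Payroll(id=3, account_entry_id=200, owner_user_id=21, amount=6100),
]


def visible_payrolls(caller: Caller, rows: List[Payroll] = PAYROLLS) -> List[Payroll]:
    """Account restriction first, then per-row ownership unless the caller is an admin."""
    in_account = [r for r in rows if r.account_entry_id == caller.account_entry_id]
    if caller.is_account_admin:
        return in_account
    return [r for r in in_account if r.owner_user_id == caller.user_id]


def list_payrolls(caller: Caller,
                  client_filter: Optional[Callable[[Payroll], bool]] = None,
                  rows: List[Payroll] = PAYROLLS) -> List[Payroll]:
    """Collection endpoint. A client-supplied filter (e.g. a ?filter= query) may only
    narrow the server-authorised set; omitting it never widens the result."""
    authorised = visible_payrolls(caller, rows)
    if client_filter is None:
        return authorised
    return [r for r in authorised if client_filter(r)]


def get_payroll(caller: Caller, payroll_id: int,
                rows: List[Payroll] = PAYROLLS) -> Optional[Payroll]:
    """Single-item endpoint. Reusing the same filter means a row outside the caller's
    view is indistinguishable from a non-existent id (return None -> 404)."""
    for r in visible_payrolls(caller, rows):
        if r.id == payroll_id:
            return r
    return None


def visible_ids(caller: Caller, rows: List[Payroll] = PAYROLLS) -> List[int]:
    """Convenience for checks: sorted ids the caller is allowed to see."""
    return sorted(r.id for r in visible_payrolls(caller, rows))


if __name__ == "__main__":
    admin = Caller(user_id=10, account_entry_id=100, is_account_admin=True)
    employee = Caller(user_id=12, account_entry_id=100, is_account_admin=False)
    print("admin sees", visible_ids(admin))          # [1, 2]
    print("employee sees", visible_ids(employee))    # [2]
    print("employee fetching id 1:", get_payroll(employee, 1))  # None
```

The point of `list_payrolls` is the ordering: the caller's own filter expression is applied to rows that have already been authorised, so removing it (or rewriting it in DevTools) cannot expose entries outside the caller's view.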