Enforce new Object ACLs in object logs
The new Object ACLs need to be enforced in object logs (REST API, UI). If a user has READ access to an object, he/she should also have access to the logs of that object.
and have tested the following:
Edited, deleted, and newly created objects are filtered according to the ACLs.
Existing Object Logs -> OK
Deleted object logs -> OK
Direct URL calls -> OK (shows empty values)
That does not really seem to work:
Viewing “Object Logs” page from the menu: Logs of restricted objects are filtered correctly
Direct access to a specific log of a restricted object via URL is possible:
Also, the correct data were shown on that page. This should already have been filtered by the backend.
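
The gap reported in this thread (list view filtered, direct lookup by log ID not filtered) is shown below as an added example. It is not code from the project or from any commenter. The data model, group names, `can_read_object`, `get_log` and the default-deny rule are all assumptions made for illustration.

```python
from dataclasses import dataclass

READ = "READ"

@dataclass(frozen=True)
class LogEntry:
    log_id: int
    object_id: int
    action: str

# Constructed sample data: object 2 is readable by the "admins" group only.
OBJECT_ACLS = {
    1: {"users": {READ}, "admins": {READ}},
    2: {"admins": {READ}},
}
LOGS = {
    10: LogEntry(10, 1, "edit"),
    11: LogEntry(11, 2, "edit"),
    12: LogEntry(12, 2, "delete"),
}

class AccessDenied(Exception):
    """Would be mapped to HTTP 403 by a (hypothetical) REST layer."""

def can_read_object(group: str, object_id: int) -> bool:
    # Assumption: default deny when the group has no ACL entry for the object.
    return READ in OBJECT_ACLS.get(object_id, {}).get(group, set())

def list_logs(group: str) -> list[LogEntry]:
    # Menu / list endpoint: filtering here alone is not sufficient.
    return [log for log in LOGS.values() if can_read_object(group, log.object_id)]

def get_log_unchecked(group: str, log_id: int) -> LogEntry:
    # The reported behaviour: lookup by ID never consults the object's ACL.
    return LOGS[log_id]

def get_log(group: str, log_id: int) -> LogEntry:
    # Backend check on the single-log path, using the same predicate as the list.
    log = LOGS.get(log_id)
    # Same error for "missing" and "forbidden" so log IDs cannot be probed.
    if log is None or not can_read_object(group, log.object_id):
        raise AccessDenied(log_id)
    return log
```

A regression test for this issue should request a restricted object's log by ID as an unprivileged user and expect a denial, not only check the list page.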