Listing objects should check ACL on attributes
When using objects::ls ACL can be checked by sending a parameter but it only does basic acl check, it does not check asked attributes are allowed (this is done in webservice since fd-plugins#5704 (closed) but should be moved to objects::) Also all attributes are allowed in the filter which can lead to information leak as well
Steps to Reproduce
- Use objects::ls through code or webservice
- You can see more info than you should
ACL should be respected for returned attributes and filter
Too much information is available
We should somehow still allow the use of attributes which are not in the ACL system when the caller has all rights on the given objectType. Operational attributes are also a complicated case.