5 Replies Latest reply on Jan 9, 2008 9:57 AM by christian.bauer

    EntityHome and Hibernate Filters

    jmatters

      Hello,

      I've got some unexpected behaviour with a Hibernate filter in my Seam application.

      As long as the application is used normally the filter acts as expected. It seems as though all queries conducted through EntityQuery objects (for lists etc.) get the where clause set correctly by the filter. Therefore only elements that match the filter criteria are displayed to the user.

      But for queries triggered by EntityHome objects the filter where clause is not set!

      This means, by simply changing a request parameter id for an EntityHome object manually in the URL, the user gets a view of the object even though the filter parameter would not allow that.

      I would have expected the filter to be more rigorous... I would actually consider that a serious security flaw, as I've read that quite a few applications use filters for separating data in multi-tenant applications.

      Is there any way to restrict these queries to the filter values? Or is this really a bug?

      - Chris
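One defensive way to close the gap described above, as an added example that is not from the original thread or from Seam itself: override EntityHome.loadInstance() so the single-entity load runs as a JPQL query (which Hibernate filters are applied to) instead of the primary-key EntityManager.find() that filters bypass, and verify the tenant column independently of the filter. The Document entity, the filter name "tenantFilter", its parameter and column, and the currentTenantId context variable are all assumptions.

```java
import javax.persistence.Entity;
import javax.persistence.Id;
import javax.persistence.NoResultException;
import org.hibernate.Session;
import org.hibernate.annotations.Filter;
import org.hibernate.annotations.FilterDef;
import org.hibernate.annotations.ParamDef;
import org.jboss.seam.annotations.In;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.framework.EntityHome;

// Hypothetical tenant-scoped entity; filter name, parameter and column are assumed.
@Entity
@FilterDef(name = "tenantFilter", parameters = @ParamDef(name = "tenantId", type = "long"))
@Filter(name = "tenantFilter", condition = "tenant_id = :tenantId")
class Document {
    @Id private Long id;
    private Long tenantId;
    public Long getId() { return id; }
    public Long getTenantId() { return tenantId; }
}

@Name("documentHome")
public class DocumentHome extends EntityHome<Document> {

    // Hypothetical: the logged-in user's tenant, outjected by the login component.
    @In("currentTenantId")
    private Long currentTenantId;

    // EntityHome.find() calls loadInstance(); the default implementation uses
    // EntityManager.find(), a primary-key lookup that Hibernate filters do not touch.
    @Override
    protected Document loadInstance() {
        // Enable the filter on this session, as is already done for the EntityQuery lists.
        Session session = (Session) getEntityManager().getDelegate();
        session.enableFilter("tenantFilter").setParameter("tenantId", currentTenantId);
        try {
            // A JPQL query gets the filter's where clause appended, so an id
            // belonging to another tenant returns no row at all.
            Document doc = (Document) getEntityManager()
                .createQuery("select d from Document d where d.id = :id")
                .setParameter("id", getId())
                .getSingleResult();
            // Independent check that does not rely on the filter being enabled.
            return currentTenantId.equals(doc.getTenantId()) ? doc : null;
        } catch (NoResultException e) {
            return null; // find() then runs handleNotFound(), as for any missing id
        }
    }
}
```

Returning null from loadInstance() makes a foreign-tenant id behave exactly like a non-existent one, so the response reveals nothing about rows the user may not see.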