I’ve read online in a few places that Liquid always applies entity permissions before displaying data to users. This is only the case in Dynamics Portal, not ADX Portal. So if you’re planning on displaying data to a user and you find entity permissions are not being adhered to, here’s an easy way to keep everything in order.
In the example below I’m pulling up an entity form based on a custom entity called role. There is an entity reference field on the role pointing to a contact record. I am presenting that contact record’s information within this entity form, but first ensuring it is secure. I wrap any data I want secured in an IF statement that only fires if the user has permission to view those details, using the permissions object.
{% comment %} Assign the ID of the role from the query string {% endcomment %}
{% assign roleString = request.params['id'] %}
{% comment %} Assign the custom role entity so I can access the entity reference field gg_contact {% endcomment %}
{% assign role = entities.gg_role[roleString] %}
{% comment %} Assign the contact entity using the entity reference field gg_contact {% endcomment %}
{% assign contact = entities.contact[role.gg_contact.Id] %}
{% comment %} Run code only if the user's entity permissions would allow them to read the contact {% endcomment %}
{% if contact.permissions.can_read == true %}
{% comment %} All assigning of variables and personal information goes here {% endcomment %}
{% endif %}
That's it.
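A fuller version of the same pattern, as an added example rather than the author's code: it also checks the role record, which is loaded from the id in the query string, before following its contact reference, and it shows the same message whether a record is missing or not readable. The fullname and emailaddress1 fields and the message text are assumptions for illustration.

```liquid
{% comment %} Added example. gg_role and gg_contact come from the post;
   fullname, emailaddress1 and the message text are assumed. {% endcomment %}
{% assign roleString = request.params['id'] %}
{% assign canShow = false %}

{% if roleString %}
  {% assign role = entities.gg_role[roleString] %}
  {% comment %} The role id is user-supplied, so check the role record too {% endcomment %}
  {% if role and role.permissions.can_read %}
    {% if role.gg_contact %}
      {% assign contact = entities.contact[role.gg_contact.Id] %}
      {% if contact and contact.permissions.can_read %}
        {% assign canShow = true %}
      {% endif %}
    {% endif %}
  {% endif %}
{% endif %}

{% if canShow %}
  {% comment %} Escape field values before writing them into HTML {% endcomment %}
  <p>{{ contact.fullname | escape }}</p>
  <p>{{ contact.emailaddress1 | escape }}</p>
{% else %}
  {% comment %} Same response for "not found" and "not permitted" {% endcomment %}
  <p>You do not have permission to view this record.</p>
{% endif %}
```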