Andy wrote:
So the agent has to check the filters to see if they can ever
match a data model that the subscriber is not allowed to see,
and reject the subscription request with an access-denied error.
Or does the agent silently omit notifications which don't resolve
to access-granted for that receiver?
Actually, both statements are true:
1. When the subscription-request comes in, the system must authenticate
that the request only subscribes to events the client is authorized to
receive
2. However, when each notification is generated by the system, the
system only forwards it to the client if it already has a subscription
in place for that kind of event
In case you think that I'm contradicting my earlier statement
"eliminates the system from having to apply filters to the responses",
what I meant to say is that it eliminates *access control* from having
to apply filters to the responses. This is true since any notification
matching the subscription request, which was authorized, is also
implicitly authorized to be sent to the client