Non-readable attributes in NPE (Mendix 7 / stateless server)

While checking the release notes for Mendix 6.9.0 I stumbled over this section:

"We have also deprecated the NPE attribute-level security for attributes that do not have at least read access. This will also be prohibited in Mendix 7. The reason for this is that non-readable attributes cannot be sent to the client."

Now I wonder why NPE can't have non-readable attributes while a PE still can? And does this also hold for non-readable associations? (There's at least no deprecation warning for this in 6.9.0.)

I can only guess that's related to this:

"In Mendix 7, the server state will move to the client so that the server will be stateless and can be scaled horizontally"

and that's where I expect more to be coming up in Mendix 7 with respect to security. Does someone have more insight on that topic?

1 answer

Your guess is correct: this has to do with the stateless server. All state available on the server will be removed at the end of a request: it will be sent to the client or it will be stored in the database. As NPEs cannot be stored in the database, they have to be sent to the client. However, since everything sent to the client is accessible through JavaScript, we can only send attributes that the user is allowed to see. This means that we cannot support non-readable NPE attributes as of Mendix 7.
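
The trade-off described in the answer, as an added example that is not part of the original thread and is not Mendix code: a toy model of a stateless server that must round-trip a non-persistable object through the client. The entity, its attributes, the access map and all function names are hypothetical and constructed for illustration.

```javascript
// Toy model of a stateless round trip (assumption: not the Mendix runtime).
// Constructed access rules for one user role on a hypothetical NPE.
const ACCESS = {
  customerName: "read",
  discountCode: "read",
  internalMargin: "none", // non-readable attribute
};

// Constructed in-memory object that exists only during request 1.
const draft = { customerName: "ACME", discountCode: "SPRING", internalMargin: 0.42 };

// Option A: ship the whole object so the state survives.
// Everything in this payload is readable by script running in the browser.
function sendUnfiltered(obj) {
  return JSON.stringify(obj);
}

// Option B: ship only attributes the user may read.
function sendReadableOnly(obj, access) {
  const out = {};
  for (const [name, value] of Object.entries(obj)) {
    if (access[name] === "read") out[name] = value;
  }
  return JSON.stringify(out);
}

// Request 2: the server kept nothing, so state is rebuilt from the client copy.
function restoreOnServer(payload) {
  return JSON.parse(payload);
}

// Attributes present in a client payload that the user must not see.
function leakedAttributes(payload, access) {
  return Object.keys(JSON.parse(payload)).filter((n) => access[n] !== "read");
}

// Attributes the server had in request 1 but cannot recover in request 2.
function lostAttributes(original, restored) {
  return Object.keys(original).filter((n) => !(n in restored));
}

const a = sendUnfiltered(draft);
const b = sendReadableOnly(draft, ACCESS);
console.log("A leaks:", leakedAttributes(a, ACCESS));                // exposure
console.log("B loses:", lostAttributes(draft, restoreOnServer(b)));  // state loss
```

Option A exposes the non-readable value to the client and option B drops it from the object, which is why neither keeps a non-readable attribute usable on an object that cannot be stored in the database.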