    Made it a bit harder for ViewLists to get their ColsToSkip overridden. · 30a38232
    Fokkema authored
    - Hiding columns for a VL is stored in session upon defining the VL. However, VLs can be loaded independently of being defined first, for the External Viewer.
    - To allow for the External Viewer to hide columns, VLs could be told to hide additional columns. However, this was overwriting the current list of hidden columns, allowing special requests that would show columns previously hidden.
    - For the Users VL, which was opened up to Submitters due to the Colleagues feature, overwriting the ColsToSkip was prevented in the VL code specifically, to hide sensitive data.
    - Added a global solution that makes sure for other VLs the list doesn't get overwritten either, but merged instead. This prevents pre-defined VLs from losing their ColsToSkip using specially crafted requests.
    - However, as the External Viewer just loads undefined VLs, it can be configured to show all columns in these VLs. As such, if the ColsToSkip feature is ever used to hide sensitive data, these columns need to be defined in the VL code itself.
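
The overwrite-versus-merge behaviour the commit message describes, as an added example that is not the project's own code. It is a Python model in which every name (`CODE_LEVEL_SKIP`, `cols_to_skip_merged`, the column names and the session layout) is a hypothetical stand-in and all data is constructed.

```python
# Illustrative model only; all names and data are hypothetical/constructed.

# Columns the VL code itself always hides: the one layer no request can influence.
CODE_LEVEL_SKIP = {"Users": {"email", "password"}}


def cols_to_skip_overwrite(session, vl_name, requested_skip):
    """Pre-fix behaviour: a request-supplied list replaces the stored one."""
    if requested_skip is not None:
        return set(requested_skip)
    return set(session.get(vl_name, set()))


def cols_to_skip_merged(session, vl_name, requested_skip):
    """Post-fix behaviour: a request can only add to the hidden set."""
    hidden = set(CODE_LEVEL_SKIP.get(vl_name, set()))
    hidden |= set(session.get(vl_name, set()))  # stored when the VL was defined
    hidden |= set(requested_skip or ())         # extra columns hidden on request
    return hidden


def visible_columns(all_columns, hidden):
    return [c for c in all_columns if c not in hidden]


# Constructed sample data.
ALL_COLS = {
    "Variants": ["id", "dna_change", "owner_notes"],
    "Users": ["id", "name", "email", "password"],
}
SESSION = {"Variants": {"owner_notes"}}  # VL defined earlier with one hidden column


def demo():
    empty_request = []  # request that asks for no columns to be hidden
    variants, users = ALL_COLS["Variants"], ALL_COLS["Users"]
    return {
        # Overwrite: the stored list is replaced, the hidden column reappears.
        "overwrite": visible_columns(
            variants, cols_to_skip_overwrite(SESSION, "Variants", empty_request)),
        # Merge: the stored list survives the same request.
        "merged": visible_columns(
            variants, cols_to_skip_merged(SESSION, "Variants", empty_request)),
        # VL never defined in this session: nothing stored, so nothing to merge.
        "undefined_vl": visible_columns(
            variants, cols_to_skip_merged({}, "Variants", empty_request)),
        # Code-level hiding holds even with an empty session.
        "code_level": visible_columns(
            users, cols_to_skip_merged({}, "Users", empty_request)),
    }
```

The `undefined_vl` case is the residual gap named in the last bullet: merging protects only lists that exist in the session, so columns holding sensitive data have to be hidden at the code level.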