I started learning Outsystems by using the class where you create a Movie Database application. In this application, there is a module that handles UI and a module that handles the core data.
The data module shares its data by simply marking all entities Public and and False on "Expose Read-only".
Now that I am creating an application where I need more usage control and security than a Movie Database would, is this a secure way of transferring data between modules? Is filtering in a preparation a secure way to only show data the given user is supposed to see?
What are the best practices here for making sure a user is only getting their prepared data, and can't simply modify POST messages to get others' data? How should I transfer data between modules?
Setting expose read-only to False is very bad practive imho, and should be avoided at (almost) all costs. We have some company-internal guidelines that state that for every entity that's meant to be modified a modification action should be present (typically named EntityNameSave or the like) that checks the data for validity and raises an exception if there's something wrong.
Data security, i.e. prevent unauthorized views of data, should be handled by the code. Never allow anonymous page access, and use Privileges where applicable (both on screens and in logic), and test them (using the built-in actions) to check whether a request is valid.