If an ALLOW rule in GeoFence does not specify an access type for any attribute (i.e. the attribute list is empty), the access will be "writable" for all attributes.
This is where the attribute list is created:
This is how the Query is generated using the attribute list:
As a first security fix, we may change the GeoFenceAccessManager to make access to attributes read-only if the attribute list is empty.
Then, as an improvement to this, we may add a property in GeoFence that tells how to deal with the missing attributes access type.
Also note that at the moment, if an attribute is missing in the rule details, it will not be visible at all.
All in all, this is the current behaviour:
no attribute access set for an ALLOWed layer (attribute list is null/empty) --> readwrite access is granted to every attribute
A, B, C are the attributes for which an access type is assigned, but the attribute D is not assigned. D will not be visible in GeoServer since it is not in the attribute list provided by the GeoFence engine to the GeoFenceAccessManager.
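
The two cases above and the proposed read-only default can be modelled in a few lines. This is an added example, not GeoFence or GeoServer code: the class, the enums and the `resolve` method are hypothetical names, and the sample layer and rule are constructed.

```java
import java.util.*;

// Stand-alone model of the attribute access decision described above.
// AttributeAccessModel, EmptyListPolicy and resolve are hypothetical names,
// not GeoFence or GeoServer classes.
public class AttributeAccessModel {
    enum Access { NONE, READONLY, READWRITE }

    // Hypothetical values for a property that says how to treat an ALLOW rule
    // whose attribute list is null or empty.
    enum EmptyListPolicy { READWRITE /* current behaviour */, READONLY /* proposed fix */ }

    // ruleAttrs maps attribute name -> access type from the rule details.
    static Map<String, Access> resolve(List<String> layerAttrs,
                                       Map<String, Access> ruleAttrs,
                                       EmptyListPolicy policy) {
        Map<String, Access> out = new LinkedHashMap<>();
        boolean empty = (ruleAttrs == null || ruleAttrs.isEmpty());
        for (String name : layerAttrs) {
            if (empty) {
                // No attribute access set: every attribute gets the policy default.
                out.put(name, policy == EmptyListPolicy.READONLY
                        ? Access.READONLY : Access.READWRITE);
            } else {
                // Attribute absent from a non-empty list: not visible at all.
                out.put(name, ruleAttrs.getOrDefault(name, Access.NONE));
            }
        }
        return out;
    }

    public static void main(String[] args) {
        List<String> layer = List.of("A", "B", "C", "D"); // constructed sample layer
        Map<String, Access> partial = new LinkedHashMap<>(); // constructed rule details
        partial.put("A", Access.READWRITE);
        partial.put("B", Access.READONLY);
        partial.put("C", Access.READONLY);

        System.out.println("empty list, current: "
                + resolve(layer, null, EmptyListPolicy.READWRITE));
        System.out.println("empty list, fixed:   "
                + resolve(layer, Map.of(), EmptyListPolicy.READONLY));
        System.out.println("A,B,C assigned only: "
                + resolve(layer, partial, EmptyListPolicy.READONLY));
    }
}
```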