Glide List fields do not honour read ACLs set on the table they are based on.
Steps to Reproduce
1. Login as admin to any Istanbul or Jakarta instance
2. Open an Incident form
3. Configure the Form Layout
4. Select the "Self service" view for editing
5. Add the "Company" reference field in the form view layout
6. Create a new field of type "List" based on "core_company" table
7. Open an active incident which has an ESS role-less caller user (such as "Joe employee")
8. Fill-in the Company field and the new list field
9. Impersonate the ESS user set as caller for the selected incident in step 7
10. Open the same incident record in step 7
Observe the following:
The Company reference field will not be visible on the Incident form, due to the read ACL on the core_company table:
The list field based on core_company is instead visible.
Hovering over the reference icon on the list field, or selecting a new company, will trigger the security error due to the ACL.
Related Problem: PRB1238484