The current whitelist mechanism validates clients when they register by looking up their IP/Role.
However, clients can connect directly to Dali via MP without registering as a client and bypass this session registration mechanism, and access (and alter) meta data directly.
NB: unregistered clients connect to foreign Dali's to pull meta data without registering as a client, because a client can't be a registered session of >1 Dali.
(Perhaps they should be able to, but that would involve a lot of work/changes).
To prevent unregistered sessions communicating with Dali, I propose that the whitelist check is performed at a lower level with Dali.
When Dali receives any message, if it's the 1st it has seen on a connection, it should 1st check to see if it is a session request, if it is, it should let it through so that the session registration can validate it's authorization - since by then be able to able to see additional context (i.e. role).
If it is any other message, it should validated against the whitelist in the same way, but with a generic 'External' role client.
Any external clients needing to connect to Dali will need a WhiteList entry too, with a "External" role.