Read permissions of entities within flex-model or flex-context #904

@victorgarcia98

Currently, the API forbids users from using a storage power sensor that doesn't belong to them. Nonetheless, we are not checking that the entities within the flex-context and flex-model are readable by the user.

This fact could be used in a malicious way:

I think someone could exploit this fact to leak data, especially inflexible device power. I would follow these steps:

  1. Create a battery that is owned by the "attacker" with a very large capacity and initial SOC = 100%
  2. Set a site capacity constraint of 0, which forces the battery to supply the same energy to the inflexible device.
  3. Set an efficiency of 1, a constant price and prefer_charge_sooner = False
  4. Add the target device as an inflexible device
  5. Run a storage scheduler

This would make the battery track the power of the inflexible device and would get the data from any sensor.

Adapted from #897 (comment)

I suggest creating a utility function that checks if a user has the right to access the data that is being used.
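A sketch of the kind of utility function suggested above, as an added example that is not part of the original issue or the project's code: it walks the flex-model and flex-context, collects every sensor reference, and reports those the requesting account may not read. The ownership table, `can_read`, the key-naming convention and the sample field names are assumptions.

```python
from __future__ import annotations
from typing import Any, Iterator

# Constructed ownership table (sensor id -> account); stands in for the real permission lookup.
SENSOR_OWNER = {1: "attacker", 2: "attacker", 7: "victim"}

def can_read(account: str, sensor_id: int) -> bool:
    """Hypothetical read check: deny by default, so unknown sensors are unreadable."""
    return SENSOR_OWNER.get(sensor_id) == account

def _is_sensor_key(key: str) -> bool:
    # Assumed convention: sensor ids live under "sensor", "*-sensor" or "*-sensors" keys.
    return key == "sensor" or key.endswith(("-sensor", "-sensors"))

def referenced_sensors(node: Any, path: str = "", in_sensor_field: bool = False) -> Iterator[tuple[str, int]]:
    """Yield (path, sensor_id) for every sensor reference nested anywhere in the config."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from referenced_sensors(value, f"{path}.{key}".lstrip("."), _is_sensor_key(str(key)))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from referenced_sensors(item, f"{path}[{i}]", in_sensor_field)
    elif in_sensor_field and isinstance(node, int) and not isinstance(node, bool):
        yield path, node

def unreadable_references(account: str, flex_model: dict, flex_context: dict) -> list[tuple[str, int]]:
    """Return the references the account may not read; the API should reject the request if any exist."""
    refs = referenced_sensors({"flex-model": flex_model, "flex-context": flex_context})
    return [(where, sensor_id) for where, sensor_id in refs if not can_read(account, sensor_id)]

# Constructed request fragments mirroring the scenario in the issue (field names are illustrative).
FLEX_MODEL = {"soc-at-start": 100.0, "roundtrip-efficiency": 1.0, "prefer-charging-sooner": False}
FLEX_CONTEXT = {
    "site-power-capacity": "0 kW",
    "inflexible-device-sensors": [7],   # sensor 7 belongs to another account
    "consumption-price": {"sensor": 2},
}

if __name__ == "__main__":
    for where, sensor_id in unreadable_references("attacker", FLEX_MODEL, FLEX_CONTEXT):
        print(f"403: no read access to sensor {sensor_id} referenced at {where}")
```

Running the check before the scheduler is queued means a request that names another account's sensor is rejected without any schedule being computed from its data.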

Status: Review in progress