Restricting access to records when using XSLT in Custom Web Publishing

I have recently needed to start making part of a solution available to the web via XSLT. I have used IWP for ages but it has limitations for this application that meant it cannot be used. So I used the Site Assistant and got a simple record list XSL template (displaying an HTML table of data), edited it a bit and got everything working very nicely (God bless Filemaker).

Anyway, after some basic use I needed to start displaying more data, some of which is commercially sensitive so I needed to start using more record-level access privileges so I did a simple limited access rule that said that if get(username) equals a creator field in the record, then the user has privileges to see the record.

However, CWP and the XML/XSLT have a strange way of enforcing this. In FMP client, if you find all records, it actually just finds those that you have record level access to, i.e. those that you don't have access to do not come up in the found set. Slightly annoyingly, invoking the &-findall argument at the end of the XSLT URL shows a row for every record regardless of access - it just does not show any data for those that you don't have record level access to.

This is a bit of a problem as it could be disclosing too much info to, for example, show, "we have taken 20 orders today and 12 of them are from you!".

Could anyone suggest how this behaviour can be prevented or worked around?

Many thanks in advance for all assistance.

Michael