myfaces-dev mailing list archives

From "Matthias Wronka (JIRA)" <...@myfaces.apache.org>
Subject [jira] [Created] (TOBAGO-1576) Commands with unauthorized method-bindings should by default not be rendered
Date Tue, 12 Jul 2016 10:32:20 GMT
Matthias Wronka created TOBAGO-1576:
---------------------------------------

             Summary: Commands with unauthorized method-bindings should by default not be rendered
                 Key: TOBAGO-1576
                 URL: https://issues.apache.org/jira/browse/TOBAGO-1576
             Project: MyFaces Tobago
          Issue Type: Improvement
          Components: Core
            Reporter: Matthias Wronka


Tobago inspects the @RolesAllowed-Annotations of method-bindings, which is a great feature!

But I think the default-behaviour is not intuitive, as methods that cannot be executed by
the current user because of missing roles are only disabled. They should not be rendered!

Why? If an action has to be secured it is related to some kind of functionality a user might
not only be not allowed to execute but not even to see that it is there (thus forcing the
programmers not to rely on this feature but implement the rendered-attribute themselves).
Furthermore the user might ask himself / herself what to do to execute this method (which
of course is never possible because of the missing role-assignment he/she cannot control).
This is not intuitive.

If a command is rendered disabled it should be a matter of state. E.g. some date cannot
be validated right now, because it has not been saved yet, but in a second it will be. These
are commands a user is authorized to execute but something else must be done before.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
