myfaces-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Udo Schnurpfeil (JIRA)" <...@myfaces.apache.org>
Subject [jira] [Resolved] (TOBAGO-1576) Commands with unauthorized method-bindings (e.g. @RolesAllowed) should by default not be rendered
Date Fri, 18 Nov 2016 13:49:58 GMT

     [ https://issues.apache.org/jira/browse/TOBAGO-1576?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Udo Schnurpfeil resolved TOBAGO-1576.
-------------------------------------
       Resolution: Fixed
    Fix Version/s: 3.0.0
                   3.0.0-alpha-8

> Commands with unauthorized method-bindings (e.g. @RolesAllowed) should by default not
be rendered
> -------------------------------------------------------------------------------------------------
>
>                 Key: TOBAGO-1576
>                 URL: https://issues.apache.org/jira/browse/TOBAGO-1576
>             Project: MyFaces Tobago
>          Issue Type: Improvement
>          Components: Core
>            Reporter: Matthias Wronka
>            Assignee: Udo Schnurpfeil
>             Fix For: 3.0.0-alpha-8, 3.0.0
>
>
> Tobago inspects the @RolesAllowed-Annotations of method-bindings, which is a great feature!
> But I think the default-behaviour is not intuitive, as methods, that cannot be executed
by the current user because of missing roles are only disabled. They should be not rendered!
> Why? If an action has to be secured it is related to some kind of functionality a user
might not only be not allowed to execute but not even to see that it is there (thus forcing
the programmers not to rely on this feature but implement the rendered-attribute themselves).
Furthermore the user might ask hisself / herself what to do to execute this method (which
of course is never possible because of the missing role-assignment he/she cannot control).
This is not intuitive.
> If an an command is rendered disabled it should be a matter of state. E.g. some date
cannot be validated right now, because it has not been saved yet, but in a second it will
be. These are commands a user is authorized to execute but something else must be done before.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message