struts-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Cam Morris (JIRA)" <>
Subject [jira] [Commented] (WW-4117) RolesInterceptor ignores disallowedRoles when allowedRoles are configured
Date Wed, 19 Jun 2013 18:45:21 GMT


Cam Morris commented on WW-4117:

I also want to use it on a portion of the site that is restricted to "shopper".  A newly created
role "restricted-shopper" needs to do most of what a shopper can do.  Yes, there are other
ways of doing this, but having both white-list and blacklist lets me do this fairly simply.
 Regardless, I've got my own implementation and I'm happy with it.  I thought I'd offer up
what I've done.  

If you decide against this change, I'd recommend clarifying the comments, because I did configure
both and the doc lead me to think it would work.  

Let me try to persuade you on the hidden knowledge concern. I can't think of another acceptable
way to do both whitelist and blacklist.  IMO, if a user has a role in that is prohibited in
the blacklist, then it doesn't shouldn't matter what's in the whitelist.  And we don't have
to hide that logic, the patch adds to the documentation to clarify what happens if both are
> RolesInterceptor ignores disallowedRoles when allowedRoles are configured
> -------------------------------------------------------------------------
>                 Key: WW-4117
>                 URL:
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Core Interceptors
>            Reporter: Cam Morris
>         Attachments: patch.txt
> The isAllowed method of RolesInterceptor does not enforce the disallowedRoles when allowedRoles
are configured.  ex:
> {code}    
> <interceptor-ref name="roles">
>   <param name="allowedRoles">authenticated</param>
>   <param name="disallowedRoles">restrictedUser</param>
> </interceptor-ref>
> {code}
> With the above configuration a user with the roles "authenticated", and "restrictedUser"
would be granted access.

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see:

View raw message