Posted to dev@myfaces.apache.org by "Hudson (JIRA)" <de...@myfaces.apache.org> on 2016/11/18 14:18:58 UTC

[jira] [Commented] (TOBAGO-1576) Commands with unauthorized method-bindings (e.g. @RolesAllowed) should by default not be rendered

    [ https://issues.apache.org/jira/browse/TOBAGO-1576?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15676810#comment-15676810 ] 

Hudson commented on TOBAGO-1576:
--------------------------------

SUCCESS: Integrated in Jenkins build Tobago 3.0.x #612 (See [https://builds.apache.org/job/Tobago%203.0.x/612/])
TOBAGO-1576: Commands with unauthorized method-bindings should by default not be rendered
[developed with hnoeth] (lofwyr: [http://svn.apache.org/viewvc/?view=rev&rev=1770382])
* (edit) tobago-3.0.x/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/component/AbstractUICommandBase.java
* (edit) tobago-3.0.x/tobago-example/tobago-example-demo/src/main/webapp/script/demo.js


> Commands with unauthorized method-bindings (e.g. @RolesAllowed) should by default not be rendered
> -------------------------------------------------------------------------------------------------
>
>                 Key: TOBAGO-1576
>                 URL: https://issues.apache.org/jira/browse/TOBAGO-1576
>             Project: MyFaces Tobago
>          Issue Type: Improvement
>          Components: Core
>            Reporter: Matthias Wronka
>            Assignee: Udo Schnurpfeil
>             Fix For: 3.0.0-alpha-8, 3.0.0
>
>
> Tobago inspects the @RolesAllowed-Annotations of method-bindings, which is a great feature!
> But I think the default behaviour is not intuitive, as methods that cannot be executed by the current user because of missing roles are only disabled. They should not be rendered!
> Why? If an action has to be secured it is related to some kind of functionality a user might not only be not allowed to execute but not even to see that it is there (thus forcing the programmers not to rely on this feature but to implement the rendered attribute themselves). Furthermore the user might ask himself / herself what to do to execute this method (which of course is never possible because of the missing role assignment he/she cannot control). This is not intuitive.
> If a command is rendered disabled it should be a matter of state. E.g. some data cannot be validated right now, because it has not been saved yet, but in a second it will be. These are commands a user is authorized to execute but something else must be done before.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
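As an added illustration (not Tobago's own code from AbstractUICommandBase), the following standalone Java sketch shows the distinction the issue draws: a missing role on the JSR-250 @RolesAllowed annotation of the bound action method hides the command entirely, while only a state condition yields a visible-but-disabled command. OrderBean, the role names and the blockedByState flag are constructed for the example; it assumes javax.annotation.security on the classpath (bundled with Java 8, a separate javax.annotation-api jar on later JDKs).

```java
import javax.annotation.security.RolesAllowed;
import java.lang.reflect.Method;
import java.util.Collections;
import java.util.Set;

public class CommandAuthorizationExample {

    /** The three states a command component can end up in. */
    enum RenderState { RENDERED_ENABLED, RENDERED_DISABLED, NOT_RENDERED }

    /** Constructed backing bean; only the annotation is the real JSR-250 one. */
    public static class OrderBean {
        @RolesAllowed({"admin", "auditor"})
        public String deleteOrder() { return "deleted"; }

        public String viewOrder() { return "viewed"; }   // no annotation: open to everyone
    }

    /**
     * Decide the render state for a command bound to the given action method.
     * Authorization (missing role) hides the command, as the issue proposes;
     * only a state condition (blockedByState, e.g. unsaved data) yields a
     * disabled-but-visible command.
     */
    static RenderState renderStateFor(Method action, Set<String> userRoles, boolean blockedByState) {
        RolesAllowed allowed = action.getAnnotation(RolesAllowed.class);
        if (allowed != null) {
            boolean authorized = false;
            for (String role : allowed.value()) {
                if (userRoles.contains(role)) { authorized = true; break; }
            }
            // Unauthorized user: do not reveal that the command exists at all.
            if (!authorized) return RenderState.NOT_RENDERED;
        }
        return blockedByState ? RenderState.RENDERED_DISABLED : RenderState.RENDERED_ENABLED;
    }

    public static void main(String[] args) throws NoSuchMethodException {
        Method delete = OrderBean.class.getMethod("deleteOrder");
        Method view = OrderBean.class.getMethod("viewOrder");
        Set<String> clerk = Collections.singleton("clerk");
        Set<String> admin = Collections.singleton("admin");

        System.out.println("clerk, delete:         " + renderStateFor(delete, clerk, false));
        System.out.println("admin, delete:         " + renderStateFor(delete, admin, false));
        System.out.println("admin, delete, unsaved: " + renderStateFor(delete, admin, true));
        System.out.println("clerk, view:           " + renderStateFor(view, clerk, false));
    }
}
```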