[
https://issues.apache.org/jira/browse/CAUSEWAY-3220?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17737515#comment-17737515
]
Andi Huber commented on CAUSEWAY-3220:
--------------------------------------
As I see it, sven has full permissions on SimpleObject, hence also sees all
associated mixins. Not sure what to fix.
> in simpleapp, as sven, we "recentAuditTrail" mixin action (and similar) even
> though have no perms to return type.
> ------------------------------------------------------------------------------------------------------------------
>
> Key: CAUSEWAY-3220
> URL: https://issues.apache.org/jira/browse/CAUSEWAY-3220
> Project: Causeway
> Issue Type: Bug
> Components: Core
> Affects Versions: 2.0.0-M8
> Reporter: Daniel Keir Haywood
> Assignee: Andi Huber
> Priority: Major
> Fix For: 2.0.0-RC2
>
>
> Instead, we should have a facet that surpresses the visibliity of the action
> if the user has no perms to view it.
> Believe we do this for properties and collections already; so it's either a
> matter of extending this logic to actions, or to tracking down a bug if we
> already have it implemented.
> To reproduce:
> - log on to simpleapp sven, who has no perms to view AuditLogEntry, but does
> have access to 'recentAuditTrailEntries' mixin action.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
