[jira] [Commented] (CAUSEWAY-3220) in simpleapp, as sven, we "recentAuditTrail" mixin action (and similar) even though have no perms to return type.

Tue, 27 Jun 2023 01:48:04 -0700 


    [ 
https://issues.apache.org/jira/browse/CAUSEWAY-3220?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17737532#comment-17737532
 ] 

Daniel Keir Haywood commented on CAUSEWAY-3220:
-----------------------------------------------

What this relates to is not the perms on the contributed "recentAuditTrail" 
action of the mixee, instead it is for the permissinos of the returned objects, 
which is `List<AuditTrailEntry>`.  When I tried to run this action, I think I 
saw a list with no results, even though there were persisted `AuditTrailEntry` 
instances in the DB.  The reason for that is that sven doesn't have perms to 
view these `AuditTrailEntry` objects, and so they are all effectively 
suppressed in the UI layer.

By way of comparison, if we have a property or a collection whose return type 
is an object that the end user cannot see, then what we do is we have infer the 
fact that there's no point in showing the property or collection either.  
Similarly, I think we should infer a hidden facet of this mixin if the current 
user has no perms to its return type (AuditTrailEntry>).

~~~
Of course, in the simpleapp one easy fix is that sven should just have these 
perms; but that's not what I'm flagging as an issue here.

 

> in simpleapp, as sven, we  "recentAuditTrail" mixin action (and similar) even 
> though have no perms to return type.
> ------------------------------------------------------------------------------------------------------------------
>
>                 Key: CAUSEWAY-3220
>                 URL: https://issues.apache.org/jira/browse/CAUSEWAY-3220
>             Project: Causeway
>          Issue Type: Bug
>          Components: Core
>    Affects Versions: 2.0.0-M8
>            Reporter: Daniel Keir Haywood
>            Assignee: Andi Huber
>            Priority: Major
>             Fix For: 2.0.0-RC2
>
>
> Instead, we should have a facet that surpresses the visibliity of the action 
> if the user has no perms to view it.
> Believe we do this for properties and collections already; so it's either a 
> matter of extending this logic to actions, or to tracking down a bug if we 
> already have it implemented.
> To reproduce:
> - log on to simpleapp sven, who has no perms to view AuditLogEntry, but does 
> have access to 'recentAuditTrailEntries' mixin action.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to