[ https://issues.apache.org/jira/browse/ISIS-2700?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Martin Hesse updated ISIS-2700:
-------------------------------
     Attachment: image-2021-05-26-15-18-02-115.png
    Description: 
A permission that vetoes the viewing of a type (such as in the example below) 
is not fully honored. In this concrete case a user that is being assigned a 
role with this permission (and no other roles with any permission that would 
contradict this permission) could still navigate to an entity page of an 
ApplicationUser and would see the title and the icon and perhaps an empty 
metadata tab.

The expected behavior would be the display of an error message saying "Not 
authorized or no such object".

 

!image-2021-05-26-15-18-02-115.png!

  was:
A permission that vetoes the viewing of a type (such as in the example below) 
is not fully honored. In this concrete case a user that is being assigned a 
role with this permission (and no other roles with any permission that would 
contradict this permission) could still navigate to an entity page of an 
ApplicationUser and would see the title and the icon and perhaps an empty 
metadata tab.

The expected behavior would be the display of an error message saying "Not 
authorized or no such object".

!image-2021-05-26-15-12-23-848.png|width=720,height=144!


> Veto Viewing permission for Type not honored
> --------------------------------------------
>
>                 Key: ISIS-2700
>                 URL: https://issues.apache.org/jira/browse/ISIS-2700
>             Project: Isis
>          Issue Type: Bug
>          Components: Isis Extensions SecMan, Isis Viewer Wicket
>    Affects Versions: 2.0.0-M5
>            Reporter: Martin Hesse
>            Priority: Major
>         Attachments: image-2021-05-26-15-18-02-115.png
>
>
> A permission that vetoes the viewing of a type (such as in the example below) 
> is not fully honored. In this concrete case a user that is being assigned a 
> role with this permission (and no other roles with any permission that would 
> contradict this permission) could still navigate to an entity page of an 
> ApplicationUser and would see the title and the icon and perhaps an empty 
> metadata tab.
> The expected behavior would be the display of an error message saying "Not 
> authorized or no such object".
>  
> !image-2021-05-26-15-18-02-115.png!


