[
https://issues.apache.org/jira/browse/ISIS-2700?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17351729#comment-17351729
]
Daniel Keir Haywood commented on ISIS-2700:
-------------------------------------------
I don't think this is correct, at least not as per the original design.
The permissions relate to the type system, not to instances. Thus, vetoing at
the domain type level is a shorthand to veto all of the object members of that
type. And the same for namespaces that sit above the domain type.
To prevent access to instances is the responsibility of the TenancyEvaluator
SPI.
Put another way: if thinking about how these entities are stored in tables,
then the permissions define which columns you can see, while the
TenancyEvaluator defines which rows.
Now, all that said - what you are asking for is reasonable ... if a user has no
access to any of an object's members, then we should infer a tenancy rule that
they shouldn't be able to see any instances of that object. So it may not be
difficult to implement. But it is a change in design.
> Veto Viewing permission for Type not honored
> --------------------------------------------
>
> Key: ISIS-2700
> URL: https://issues.apache.org/jira/browse/ISIS-2700
> Project: Isis
> Issue Type: Bug
> Components: Isis Extensions SecMan, Isis Viewer Wicket
> Affects Versions: 2.0.0-M5
> Reporter: Martin Hesse
> Assignee: Andi Huber
> Priority: Major
> Fix For: 2.0.0-M6
>
> Attachments: image-2021-05-26-15-18-02-115.png,
> image-2021-05-26-15-20-31-139.png
>
>
> A permission that vetoes the viewing of a type (such as in the example below)
> is not fully honored. In this concrete case a user that is being assigned a
> role with this permission (and no other roles with any permission that would
> contradict this permission) could still navigate to an entity page of an
> ApplicationUser and would see the title and the icon and perhaps an empty
> metadata tab.
> The expected behavior would be the display of an error message saying "Not
> authorized or no such object".
>
> !image-2021-05-26-15-18-02-115.png!
>
> This is a screenshot of how the vetoed entity page presents to the user:
> !image-2021-05-26-15-20-31-139.png!
>
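The columns-versus-rows split from the comment above, as an added example that is not part of the original thread and is not Apache Isis or SecMan code: a small Python model in which a type-level veto hides every member while the instance itself stays reachable, next to the inferred rule the comment proposes. All names (`Permission`, `member_visible`, `tenancy_hides`, `object_visible`, the `demo` namespace) and the tie-breaking rule are assumptions of this model.

```python
from dataclasses import dataclass

# Constructed model for illustration; not Apache Isis / SecMan code.
# All class, function and feature names here are hypothetical.

@dataclass(frozen=True)
class Permission:
    rule: str     # "ALLOW" or "VETO"
    feature: str  # namespace ("demo"), type ("demo.Order") or member ("demo.Order#total")

@dataclass(frozen=True)
class User:
    tenancy: str
    permissions: tuple

def member_visible(user, type_name, member):
    """Column check: the most specific matching permission wins, VETO wins
    ties (an assumption of this model), and no match means deny."""
    target = f"{type_name}#{member}"
    matches = [p for p in user.permissions
               if target == p.feature
               or target.startswith(p.feature + ".")   # namespace above the type
               or target.startswith(p.feature + "#")]  # the type itself
    if not matches:
        return False
    best = max(matches, key=lambda p: (len(p.feature), p.rule == "VETO"))
    return best.rule == "ALLOW"

def tenancy_hides(user, obj):
    """Row check: stand-in for a tenancy evaluator; hides objects whose
    tenancy path is not under the user's."""
    return not obj["tenancy"].startswith(user.tenancy)

def object_visible(user, type_name, members, obj, infer_from_members=False):
    """Instance check. With infer_from_members=True, an object whose members
    are all invisible is itself hidden (the inferred rule from the comment)."""
    if tenancy_hides(user, obj):
        return False
    if infer_from_members:
        return any(member_visible(user, type_name, m) for m in members)
    return True

# Constructed sample data.
USER = User("/", (Permission("ALLOW", "demo"), Permission("VETO", "demo.ApplicationUser")))
MEMBERS = ["username", "emailAddress"]
RECORD = {"tenancy": "/it"}

if __name__ == "__main__":
    print([member_visible(USER, "demo.ApplicationUser", m) for m in MEMBERS])
    print(object_visible(USER, "demo.ApplicationUser", MEMBERS, RECORD))
    print(object_visible(USER, "demo.ApplicationUser", MEMBERS, RECORD, True))
```

Without the inferred rule the record is still visible as an object even though none of its members are, which matches the title-and-icon page in the report.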