[
https://issues.apache.org/jira/browse/ISIS-2700?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17351731#comment-17351731
]
Martin Hesse commented on ISIS-2700:
------------------------------------
But wasn't it like this before, that when a user didn't have the permission to
view a type, (irrespective of whether through tenancy or roles) then an error
message would be displayed, saying "Not authorized or not such object"?
It did make sense to me, more than if I would have to implement a Tenancy
Evaluator for each entity type and re-implement the permission voting in there.
> Veto Viewing permission for Type not honored
> --------------------------------------------
>
> Key: ISIS-2700
> URL: https://issues.apache.org/jira/browse/ISIS-2700
> Project: Isis
> Issue Type: Bug
> Components: Isis Extensions SecMan, Isis Viewer Wicket
> Affects Versions: 2.0.0-M5
> Reporter: Martin Hesse
> Assignee: Andi Huber
> Priority: Major
> Fix For: 2.0.0-M6
>
> Attachments: image-2021-05-26-15-18-02-115.png,
> image-2021-05-26-15-20-31-139.png
>
>
> A permission that vetoes the viewing of a type (such as in the example below)
> is not fully honored. In this concrete case a user that is being assigned a
> role with this permission (and no other roles with any permission that would
> contradict this permission) could still navigate to an entity page of a
> ApplicationUser and would see the title and the the icon and perhaps an empty
> metadata tab.
> The expected behavior would be the display of an error message saying "Not
> authorized or no such object".
>
> !image-2021-05-26-15-18-02-115.png!
>
> This is a screenshot of how the vetoed entity page presents to the user:
> !image-2021-05-26-15-20-31-139.png!
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
