[jira] [Commented] (ISIS-2700) If no members visible for type, then veto viewing of _instances_ of that type.

Wed, 26 May 2021 08:08:03 -0700 


    [ 
https://issues.apache.org/jira/browse/ISIS-2700?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17351851#comment-17351851
 ] 

Daniel Keir Haywood commented on ISIS-2700:
-------------------------------------------

It's uncertain (to me) if the framework used to have this behaviour, if it did 
then it wasn't by design, and perhaps a change made elsewhere "corrected" that.

Notwithstanding, what's being asked for DOES make sense, and would be 
worthwhile.

As noted, a general tenancy evaluator (to filter out "rows" based on the fact 
that no "columns" are visible) should be provided out-of-the-box by the 
framework.

In order to support this, we will need to cache or compute efficiently for a 
user whether they have access to any columns ... these are in effect the 
"effective type permissions".  so, similar to the work done in ISIS-2701, we'll 
should also introduce an `ApplicationUser_effectiveTypePermissions` mixin to 
surface this computed set.   Only secman admins should be able to see this 
collection.

> If no members visible for type, then veto viewing of _instances_ of that type.
> ------------------------------------------------------------------------------
>
>                 Key: ISIS-2700
>                 URL: https://issues.apache.org/jira/browse/ISIS-2700
>             Project: Isis
>          Issue Type: Improvement
>          Components: Isis Extensions SecMan, Isis Viewer Wicket
>    Affects Versions: 2.0.0-M5
>            Reporter: Martin Hesse
>            Priority: Major
>             Fix For: 2.0.0-M6
>
>         Attachments: image-2021-05-26-15-18-02-115.png, 
> image-2021-05-26-15-20-31-139.png
>
>
> A permission that vetoes the viewing of a type (such as in the example below) 
> is not fully honored. In this concrete case a user that is being assigned a 
> role with this permission (and no other roles with any permission that would 
> contradict this permission) could still navigate to an entity page of a 
> ApplicationUser and would see the title and the the icon and perhaps an empty 
> metadata tab.
> The desired behavior would be the display of an error message saying "Not 
> authorized or no such object".
>  
> !image-2021-05-26-15-18-02-115.png!
>  
> This is a screenshot of how the vetoed entity page presents to the user:
> !image-2021-05-26-15-20-31-139.png!
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to