[ https://issues.apache.org/jira/browse/ISIS-2700?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Keir Haywood updated ISIS-2700:
--------------------------------------
    Description: 
To summarise what's to be done here:
 * implement a general tenancy evaluator (to filter out "rows" based on the 
fact that no "columns" are visible); this should be provided out-of-the-box by 
the framework.
 * In order to support this, we will need to cache or compute efficiently for a 
user whether they have access to any columns ... these are in effect the 
"effective type permissions".
 * so, similar to the work done in ISIS-2701, we should also introduce an 
`ApplicationUser_effectiveTypePermissions` mixin to surface this computed set. 
Only secman admins should be able to see this collection.

discussion leading to this outcome below...

~~~~~~~~~~~~~~~

A permission that vetoes the viewing of a type (such as in the example below) 
is not fully honored. In this concrete case a user that is being assigned a 
role with this permission (and no other roles with any permission that would 
contradict this permission) could still navigate to an entity page of an 
ApplicationUser and would see the title and the icon and perhaps an empty 
metadata tab.

The desired behavior would be the display of an error message saying "Not 
authorized or no such object".

!image-2021-05-26-15-18-02-115.png!

This is a screenshot of how the vetoed entity page presents to the user:

!image-2021-05-26-15-20-31-139.png!

  was:
A permission that vetoes the viewing of a type (such as in the example below) 
is not fully honored. In this concrete case a user that is being assigned a 
role with this permission (and no other roles with any permission that would 
contradict this permission) could still navigate to an entity page of an 
ApplicationUser and would see the title and the icon and perhaps an empty 
metadata tab.

The desired behavior would be the display of an error message saying "Not 
authorized or no such object".

!image-2021-05-26-15-18-02-115.png!

This is a screenshot of how the vetoed entity page presents to the user:

!image-2021-05-26-15-20-31-139.png!

> If no members visible for type, then veto viewing of _instances_ of that type.
> ------------------------------------------------------------------------------
>
>                 Key: ISIS-2700
>                 URL: https://issues.apache.org/jira/browse/ISIS-2700
>             Project: Isis
>          Issue Type: Improvement
>          Components: Isis Extensions SecMan, Isis Viewer Wicket
>    Affects Versions: 2.0.0-M5
>            Reporter: Martin Hesse
>            Priority: Major
>             Fix For: 2.0.0-M6
>
>         Attachments: image-2021-05-26-15-18-02-115.png, 
> image-2021-05-26-15-20-31-139.png
>
>
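A simplified model of the evaluation the ticket asks for, added here as an example (not code from Apache Isis or its secman extension): role permissions on a namespace, type or member, where the most specific matching feature wins and a VETO beats an ALLOW at equal specificity. From that it derives a user's "effective type permissions" (the visible "columns") and vetoes the instance ("row") when no column is visible. Feature ids, role contents and member lists are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Permission:
    feature: str  # "ns", "ns.Type" or "ns.Type#member" (constructed ids)
    rule: str     # "ALLOW" or "VETO"
    mode: str     # "VIEWING" or "CHANGING"

def _matches(feature: str, member_id: str) -> bool:
    """Does a permission feature cover this member id?"""
    type_id = member_id.split("#")[0]
    if "#" in feature:
        return feature == member_id            # member-level
    if feature == type_id:
        return True                            # type-level
    return type_id.startswith(feature + ".")   # namespace (possibly nested)

def can_view(perms, member_id: str) -> bool:
    """Default deny; most specific feature wins; VETO beats ALLOW on a tie.
    ALLOW CHANGING implies ALLOW VIEWING; VETO CHANGING leaves viewing alone."""
    applicable = [p for p in perms if _matches(p.feature, member_id)
                  and (p.mode == "VIEWING" or p.rule == "ALLOW")]
    if not applicable:
        return False
    applicable.sort(key=lambda p: (-len(p.feature), p.rule != "VETO"))
    return applicable[0].rule == "ALLOW"

def effective_type_permissions(perms, type_members):
    """Per type, the members the user may view: the cached 'columns'."""
    return {t: {m for m in members if can_view(perms, f"{t}#{m}")}
            for t, members in type_members.items()}

def view_instance(effective, type_id: str) -> str:
    """Tenancy-style evaluator: no visible column means the row is vetoed."""
    if not effective.get(type_id):
        return "Not authorized or no such object"
    return f"visible members: {sorted(effective[type_id])}"

# Constructed sample metamodel and roles.
TYPE_MEMBERS = {
    "isis.ext.secman.ApplicationUser": {"username", "roles", "status"},
    "isis.ext.secman.ApplicationRole": {"name", "permissions"},
}
REPORTING_ROLE = {
    Permission("isis.ext.secman", "ALLOW", "VIEWING"),
    Permission("isis.ext.secman.ApplicationUser", "VETO", "VIEWING"),
}

if __name__ == "__main__":
    eff = effective_type_permissions(REPORTING_ROLE, TYPE_MEMBERS)
    print(view_instance(eff, "isis.ext.secman.ApplicationUser"))
```

With the type-level VETO in place, an ApplicationUser instance is refused outright rather than rendering a title, icon and empty tab; adding a member-level ALLOW for one property makes the instance visible with only that property.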



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
