[ https://issues.apache.org/jira/browse/TOBAGO-1576?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Udo Schnurpfeil resolved TOBAGO-1576.
-------------------------------------
Resolution: Fixed
Fix Version/s: 3.0.0, 3.0.0-alpha-8
> Commands with unauthorized method-bindings (e.g. @RolesAllowed) should by
> default not be rendered
> -------------------------------------------------------------------------------------------------
>
> Key: TOBAGO-1576
> URL: https://issues.apache.org/jira/browse/TOBAGO-1576
> Project: MyFaces Tobago
> Issue Type: Improvement
> Components: Core
> Reporter: Matthias Wronka
> Assignee: Udo Schnurpfeil
> Fix For: 3.0.0-alpha-8, 3.0.0
>
>
> Tobago inspects the @RolesAllowed-Annotations of method-bindings, which is a
> great feature!
> But I think the default-behaviour is not intuitive, as methods that cannot
> be executed by the current user because of missing roles are only disabled.
> They should not be rendered!
> Why? If an action has to be secured it is related to some kind of
> functionality a user might not only be not allowed to execute but not even to
> see that it is there (thus forcing the programmers not to rely on this
> feature but implement the rendered-attribute themselves). Furthermore the
> user might ask himself / herself what to do to execute this method (which of
> course is never possible because of the missing role-assignment he/she cannot
> control). This is not intuitive.
> If a command is rendered disabled it should be a matter of state. E.g.
> some date cannot be validated right now, because it has not been saved yet,
> but in a second it will be. These are commands a user is authorized to
> execute but something else must be done before.
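
The distinction argued for in the issue, sketched as an added example that is not Tobago's code: a missing role yields "not rendered", while an unmet precondition for an authorized user yields "disabled". The `RolesAllowed` annotation here is a local stand-in for `javax.annotation.security.RolesAllowed`, and `CommandVisibility`, `RecordController`, `resolve` and `authorized` are hypothetical names.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.util.Set;

public class CommandVisibility {
    // Local stand-in for javax.annotation.security.RolesAllowed (assumption: keeps the example dependency-free).
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    @interface RolesAllowed { String[] value(); }

    enum State { NOT_RENDERED, DISABLED, ENABLED }

    // Constructed sample bean; names are hypothetical.
    public static class RecordController {
        @RolesAllowed("admin") public String delete() { return "deleted"; }
        @RolesAllowed({"clerk", "admin"}) public String validate() { return "validated"; }
        public String refresh() { return "refreshed"; }
    }

    // Authorization: does the user hold any role the method binding requires?
    static boolean authorized(Method m, Set<String> userRoles) {
        RolesAllowed ra = m.getAnnotation(RolesAllowed.class);
        if (ra == null) return true;            // unannotated: no role restriction
        for (String role : ra.value()) if (userRoles.contains(role)) return true;
        return false;
    }

    // Missing role -> not rendered; role present but precondition unmet -> disabled.
    static State resolve(Object bean, String action, Set<String> userRoles, boolean preconditionMet) {
        Method m;
        try {
            m = bean.getClass().getMethod(action);
        } catch (NoSuchMethodException e) {
            return State.NOT_RENDERED;          // unknown binding: fail closed
        }
        if (!authorized(m, userRoles)) return State.NOT_RENDERED;
        return preconditionMet ? State.ENABLED : State.DISABLED;
    }

    public static void main(String[] args) {
        RecordController bean = new RecordController();
        Set<String> clerk = Set.of("clerk");    // constructed user with a single role
        boolean saved = false;                  // state: record not saved yet
        System.out.println("delete:   " + resolve(bean, "delete", clerk, true));
        System.out.println("validate: " + resolve(bean, "validate", clerk, saved));
        System.out.println("refresh:  " + resolve(bean, "refresh", clerk, true));
        // Rendering is presentation only: the server must still check roles when the action is invoked.
    }
}
```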