[ 
https://issues.apache.org/jira/browse/TOBAGO-1576?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15676810#comment-15676810
 ] 

Hudson commented on TOBAGO-1576:
--------------------------------

SUCCESS: Integrated in Jenkins build Tobago 3.0.x #612 (See 
[https://builds.apache.org/job/Tobago%203.0.x/612/])
TOBAGO-1576: Commands with unauthorized method-bindings should by default not be 
rendered
[developed with hnoeth] (lofwyr: 
[http://svn.apache.org/viewvc/?view=rev&rev=1770382])
* (edit) 
tobago-3.0.x/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/component/AbstractUICommandBase.java
* (edit) 
tobago-3.0.x/tobago-example/tobago-example-demo/src/main/webapp/script/demo.js


> Commands with unauthorized method-bindings (e.g. @RolesAllowed) should by 
> default not be rendered
> -------------------------------------------------------------------------------------------------
>
>                 Key: TOBAGO-1576
>                 URL: https://issues.apache.org/jira/browse/TOBAGO-1576
>             Project: MyFaces Tobago
>          Issue Type: Improvement
>          Components: Core
>            Reporter: Matthias Wronka
>            Assignee: Udo Schnurpfeil
>             Fix For: 3.0.0-alpha-8, 3.0.0
>
>
> Tobago inspects the @RolesAllowed-Annotations of method-bindings, which is a 
> great feature!
> But I think the default behaviour is not intuitive, as methods that cannot 
> be executed by the current user because of missing roles are only disabled. 
> They should not be rendered!
> Why? If an action has to be secured, it is related to some kind of 
> functionality a user might not only be not allowed to execute but not even to 
> see that it is there (thus forcing the programmers not to rely on this 
> feature but to implement the rendered-attribute themselves). Furthermore, the 
> user might ask himself / herself what to do to execute this method (which of 
> course is never possible because of the missing role-assignment he/she cannot 
> control). This is not intuitive.
> If a command is rendered disabled, it should be a matter of state. E.g. 
> some data cannot be validated right now, because it has not been saved yet, 
> but in a second it will be. These are commands a user is authorized to 
> execute, but something else must be done before.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

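The distinction the issue draws, hiding a command the user is not authorized to execute versus disabling a command the user is authorized to execute but whose preconditions are not yet met, as an added Python model. This is example code written for this page, not Tobago's implementation and not code from anyone in the thread: the `roles_allowed` decorator stands in for the JSR-250 `@RolesAllowed` annotation, and `InvoiceBean`, `rendering_for`, `invoke`, the user names and the role names are all constructed for the illustration. It also shows the check a practitioner wants alongside the rendering decision: the role test is repeated when the action is invoked, since a client can re-enable a disabled button or post the request directly.

```python
"""Model of role-based hiding vs. state-based disabling of UI commands.

Added illustration, not Tobago code. `roles_allowed` stands in for the
JSR-250 @RolesAllowed annotation; bean, users and roles are made up.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, FrozenSet, Optional


class Rendering(Enum):
    ENABLED = "enabled"    # user may act now
    DISABLED = "disabled"  # user may act, but a state precondition is unmet
    HIDDEN = "hidden"      # user lacks the role: command is not rendered at all


class AuthorizationError(PermissionError):
    """Raised when an action is invoked by a user without a required role."""


def roles_allowed(*roles: str) -> Callable:
    """Stand-in for @RolesAllowed: records the roles on the function object."""
    def decorate(fn: Callable) -> Callable:
        fn.roles_allowed = frozenset(roles)  # type: ignore[attr-defined]
        return fn
    return decorate


@dataclass(frozen=True)
class User:
    name: str
    roles: FrozenSet[str]


def required_roles(action: Callable) -> Optional[FrozenSet[str]]:
    """Roles declared on the action, or None when it is unrestricted.
    Bound methods forward attribute reads to the underlying function."""
    return getattr(action, "roles_allowed", None)


def is_authorized(action: Callable, user: User) -> bool:
    required = required_roles(action)
    return required is None or bool(required & user.roles)


def rendering_for(action: Callable, user: User, *, state_ready: bool = True,
                  hide_unauthorized: bool = True) -> Rendering:
    """Decide how a command bound to `action` is rendered for `user`.

    Missing roles pick HIDDEN (the default the issue asks for) or DISABLED
    (the old default). Only an authorized command is DISABLED for state
    reasons, e.g. data that has not been saved yet.
    """
    if not is_authorized(action, user):
        return Rendering.HIDDEN if hide_unauthorized else Rendering.DISABLED
    return Rendering.ENABLED if state_ready else Rendering.DISABLED


def invoke(action: Callable, user: User, *args):
    """Server-side guard: the rendering decision is a UI courtesy only."""
    if not is_authorized(action, user):
        raise AuthorizationError(
            f"{user.name} lacks {sorted(required_roles(action))} for {action.__name__}")
    return action(*args)


class InvoiceBean:
    """Constructed sample backing bean: one open action, two restricted ones."""
    def __init__(self) -> None:
        self.saved = False

    def save(self) -> str:
        self.saved = True
        return "saved"

    @roles_allowed("accountant")
    def validate(self) -> str:
        if not self.saved:
            raise ValueError("cannot validate unsaved data")
        return "validated"

    @roles_allowed("admin")
    def delete(self) -> str:
        return "deleted"


def demo() -> dict:
    clerk = User("clerk", frozenset({"clerk"}))
    accountant = User("acc", frozenset({"accountant"}))
    bean = InvoiceBean()
    out = {
        "delete_for_clerk": rendering_for(bean.delete, clerk),
        "delete_for_clerk_old_default": rendering_for(bean.delete, clerk, hide_unauthorized=False),
        "validate_before_save": rendering_for(bean.validate, accountant, state_ready=bean.saved),
    }
    bean.save()
    out["validate_after_save"] = rendering_for(bean.validate, accountant, state_ready=bean.saved)
    try:
        invoke(bean.delete, clerk)          # clerk forged the request anyway
        out["clerk_delete"] = "allowed"
    except AuthorizationError:
        out["clerk_delete"] = "rejected"
    out["accountant_validate"] = invoke(bean.validate, accountant)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value.value if isinstance(value, Rendering) else value}")
```

Running the script shows the two defaults side by side (`delete` hidden for the clerk with the new default, merely disabled with the old one), `validate` disabled for the accountant only until `save()` has run, and the clerk's forged `delete` rejected by `invoke` regardless of how the button was rendered.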