Thank you, it make sense; so a CREATE permission check will be sufficient for the CREATE button rendering. -Bruno
2008/6/6 Adrian Crum <[EMAIL PROTECTED]>: > The pattern used so far is that the ADMIN permission is checked first, then > the other permissions. So if a user has the ADMIN permission, they don't > need the additional permissions. > > I'll probably have all of the permissions Map elements set to true if the > user has the ADMIN permission. > > -Adrian > > > Bruno Busco wrote: > >> Adrian, >> may be a newbie question but... >> ...in the example you give what will happen if a user has the ADMIN >> permission but not the CREATE one? >> Will the Create New button be rendered? >> >> In other words who is responsible for the permission hierarchy ? >> In order to display the CREATE button, should a user be given with the >> CREATE permission explicitly or the ADMIN is sufficient? >> >> Thank you >> -Bruno >> >> >> >> 2008/6/6 Adrian Crum <[EMAIL PROTECTED]>: >> >> I'll work on it this weekend. >>> >>> -Adrian >>> >>> >>> Ashish Vijaywargiya wrote: >>> >>> +1 >>>> Adrian I liked your idea. >>>> >>>> On Thu, Jun 5, 2008 at 12:46 AM, Sumit Pandit < >>>> [EMAIL PROTECTED]> >>>> wrote: >>>> >>>> +1 >>>> >>>>> -- >>>>> Sumit Pandit >>>>> >>>>> >>>>> On Jun 5, 2008, at 3:04 AM, Jacques Le Roux wrote: >>>>> >>>>> Yes this sounds good to me too >>>>> >>>>> Jacques >>>>>> >>>>>> From: "Bruno Busco" <[EMAIL PROTECTED]> >>>>>> >>>>>> Wonderfull !!!! >>>>>> >>>>>>> Looking forward to having it !!! ;-) >>>>>>> This will let me also define a more granular permissions to simplify >>>>>>> the >>>>>>> interface for not-so-skilled users. >>>>>>> -Bruno >>>>>>> 2008/6/4 Adrian Crum <[EMAIL PROTECTED]>: >>>>>>> >>>>>>> In the screen widgets, you can check permissions with the >>>>>>> >>>>>>>> <if-has-permission> or <if-service-permission> elements. That's fine >>>>>>>> if >>>>>>>> you >>>>>>>> only need to check a single permission to control access to the >>>>>>>> entire >>>>>>>> screen. >>>>>>>> >>>>>>>> Things get complicated when a screen's elements are controlled by >>>>>>>> more >>>>>>>> than >>>>>>>> one permission. Let's say you have a typical Edit Item screen. The >>>>>>>> screen >>>>>>>> should be viewable only to users who have the VIEW permission. Users >>>>>>>> who >>>>>>>> have the UPDATE permission can edit the item. Users who have the >>>>>>>> CREATE >>>>>>>> permission see a "New Item" button. Users who have DELETE permission >>>>>>>> see >>>>>>>> a >>>>>>>> "Delete Item" button. Users who have the ADMIN permission have >>>>>>>> unrestricted >>>>>>>> access to the screen. Wow. Five permission elements (and five >>>>>>>> service >>>>>>>> calls) >>>>>>>> are needed to control one screen. >>>>>>>> >>>>>>>> >>>>>>>> Here's my idea: have a permission service that returns ALL of the >>>>>>>> user's >>>>>>>> permissions in a Map. You call the service with the permission to >>>>>>>> check >>>>>>>> - >>>>>>>> "ACCOUNTING" for example. The service returns a Map containing all >>>>>>>> of >>>>>>>> the >>>>>>>> user's ACCOUNTING permissions stored as Boolean objects. Let's say >>>>>>>> the >>>>>>>> returned Map is called permissionsMap and the user has >>>>>>>> ACCOUNTING_VIEW >>>>>>>> and >>>>>>>> ACCOUNTING_UPDATE permissions, then the Map would contain these >>>>>>>> elements: >>>>>>>> >>>>>>>> CREATE=false >>>>>>>> UPDATE=true >>>>>>>> DELETE=false >>>>>>>> VIEW=true >>>>>>>> ADMIN=false >>>>>>>> >>>>>>>> If the service call is put in the screen's <actions> element, then >>>>>>>> the >>>>>>>> Map >>>>>>>> elements could be used to control the display of screen widget >>>>>>>> sections, >>>>>>>> menu items, and form fields. >>>>>>>> >>>>>>>> Freemarker code would be simpler too: >>>>>>>> >>>>>>>> <#if permissionsMap.CREATE> >>>>>>>> <!-- Render a Create New button --> >>>>>>>> </#if> >>>>>>>> <#if permissionsMap.DELETE> >>>>>>>> <!-- Render a Delete button --> >>>>>>>> </#if> >>>>>>>> >>>>>>>> What do you think? >>>>>>>> >>>>>>>> -Adrian >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>
