Hi Jeffery,
On 10.11.16 20:51, Jeffery Painter wrote:
> You had a comment:
>
> Talking of which - wouldn't it be cleaner to remove the isAuthorized()
> method from screens and actions and create separate pipeline valves for
> them? WDYT?
>
>
> I had a thought about this, and I am not sure how to do it, but it would
> be fantastic if we could make resources such as screens/actions secure
> by using annotations like:
>
> @SecureAction("group:global")
> public class MyAction extends SecureAction {
>
>     public void doPerform()
>     {
>         // add logic here
>     }
>
> }
>
> @SecureScreen("role:admin,sales,finance")
> public class SecureScreen extends VelocitySecureScreen
> {
>     public void doBuildTemplate()
>     {
>         // add logic here
>     }
> }
>
>
> I think this might make it a lot easier to both maintain from a code
> perspective and immediately know what security restrictions apply to
> actions and screens.

I consider this a *brilliant* idea and I gave it a try immediately. My
suggestion would be to annotate the methods directly with something
along the lines of

@TurbineRequiredRoles( { "admin", "sales", "finance" }, "global")

or

@TurbineRequiredPermissions( { "read_customer", "write_customer",
"delete_customer" }, "group_crm")

Basically we need to provide everything that acl.has* provides. We need
to refactor the AnnotationProcessor accordingly.

WDYT?

Bye, Thomas.
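
Added example, not part of the original thread and not Turbine's own code: a sketch of how a method-level role annotation like the one proposed above could be enforced by reflection, denying access when the annotation is missing. The names RequiredRoles, Acl, CustomerAction and the "any one of the listed roles is enough" semantics are assumptions made for illustration.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;

public class AnnotationAuthDemo {
    // Hypothetical annotation modelled on the @TurbineRequiredRoles idea in the thread.
    @Retention(RetentionPolicy.RUNTIME) // must be RUNTIME or reflection cannot see it
    @Target(ElementType.METHOD)
    @interface RequiredRoles {
        String[] value();
        String group() default "global";
    }

    // Hypothetical stand-in for the ACL lookups ("acl.has*") mentioned in the thread.
    interface Acl { boolean hasRole(String role, String group); }

    static class CustomerAction {
        @RequiredRoles(value = {"admin", "sales", "finance"}, group = "global")
        public void doPerform() { System.out.println("doPerform executed"); }

        public void doUnannotated() { System.out.println("doUnannotated executed"); }
    }

    // Fail closed: no annotation, no ACL, or no matching role all mean "denied".
    static boolean isAuthorized(Method m, Acl acl) {
        RequiredRoles req = m.getAnnotation(RequiredRoles.class);
        if (req == null || acl == null) return false;
        for (String role : req.value()) {
            if (acl.hasRole(role, req.group())) return true; // assumed any-of semantics
        }
        return false;
    }

    static void invoke(Object target, String name, Acl acl) throws Exception {
        Method m = target.getClass().getMethod(name);
        if (!isAuthorized(m, acl)) { System.out.println("denied: " + name); return; }
        m.invoke(target);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample ACLs for two users.
        Acl sales = (role, group) -> role.equals("sales") && group.equals("global");
        Acl guest = (role, group) -> false;
        CustomerAction action = new CustomerAction();
        invoke(action, "doPerform", sales);     // user holding a listed role
        invoke(action, "doPerform", guest);     // user holding no role
        invoke(action, "doUnannotated", sales); // method without an annotation
    }
}
```

Treating an unannotated method as denied keeps a forgotten annotation from silently exposing a screen or action.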