[ https://issues.apache.org/jira/browse/WW-4117?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13688297#comment-13688297 ]

Cam Morris commented on WW-4117:
--------------------------------

I also want to use it on a portion of the site that is restricted to "shopper". 
A newly created role "restricted-shopper" needs to do most of what a shopper 
can do.  Yes, there are other ways of doing this, but having both whitelist 
and blacklist lets me do this fairly simply.  Regardless, I've got my own 
implementation and I'm happy with it.  I thought I'd offer up what I've done.  

If you decide against this change, I'd recommend clarifying the comments, 
because I did configure both and the doc led me to think it would work.  

Let me try to persuade you on the hidden knowledge concern. I can't think of 
another acceptable way to do both whitelist and blacklist.  IMO, if a user has 
a role that is prohibited in the blacklist, then it shouldn't matter 
what's in the whitelist.  And we don't have to hide that logic; the patch adds 
to the documentation to clarify what happens if both are configured.
                
> RolesInterceptor ignores disallowedRoles when allowedRoles are configured
> -------------------------------------------------------------------------
>
>                 Key: WW-4117
>                 URL: https://issues.apache.org/jira/browse/WW-4117
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Core Interceptors
>            Reporter: Cam Morris
>         Attachments: patch.txt
>
>
> The isAllowed method of RolesInterceptor does not enforce the disallowedRoles 
> when allowedRoles are configured.  ex:
> {code}    
> <interceptor-ref name="roles">
>   <param name="allowedRoles">authenticated</param>
>   <param name="disallowedRoles">restrictedUser</param>
> </interceptor-ref>
> {code}
> With the above configuration a user with the roles "authenticated", and 
> "restrictedUser" would be granted access.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

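The two decision orders under discussion, as an added example that is not part of the issue, the attached patch.txt, or the Struts 2 source. The first function models the behaviour the issue reports (a non-empty allowedRoles list short-circuits the disallowedRoles check); the second implements the precedence Cam argues for, where a blacklisted role denies access regardless of the whitelist. The function names, the comma-separated role parsing and the deny-by-default when neither list is configured are assumptions of this model, not a statement about the interceptor's actual code.

```python
from typing import Iterable, Set, Union

Roles = Union[str, Iterable[str]]


def _roles(roles: Roles) -> Set[str]:
    """Accept either a comma-separated param value (as the <param> elements
    in the issue carry it) or any iterable of role names; return a set."""
    if isinstance(roles, str):
        roles = roles.split(",")
    return {r.strip() for r in roles if r.strip()}


def is_allowed_reported(user_roles: Roles, allowed_roles: Roles, disallowed_roles: Roles) -> bool:
    """Hypothetical reconstruction of the behaviour the issue describes:
    when allowedRoles is configured, the disallowedRoles list is never consulted.
    Returning False when neither list is configured is an assumption here."""
    user = _roles(user_roles)
    allowed = _roles(allowed_roles)
    disallowed = _roles(disallowed_roles)
    if allowed:
        # whitelist present: any matching role grants access, blacklist ignored
        return bool(user & allowed)
    if disallowed:
        # blacklist only: deny on any match, otherwise allow
        return not (user & disallowed)
    return False


def is_allowed_deny_overrides(user_roles: Roles, allowed_roles: Roles, disallowed_roles: Roles) -> bool:
    """Deny-overrides precedence: a disallowed role denies access no matter what
    the whitelist says; the whitelist is then applied only if it is configured.
    Same deny-by-default assumption for the 'neither configured' case."""
    user = _roles(user_roles)
    allowed = _roles(allowed_roles)
    disallowed = _roles(disallowed_roles)
    if user & disallowed:
        return False
    if allowed:
        return bool(user & allowed)
    if disallowed:
        return True
    return False


def evaluate_issue_example() -> dict:
    """Run the exact configuration quoted in the issue against a constructed
    user holding both 'authenticated' and 'restrictedUser'."""
    allowed_param = "authenticated"          # <param name="allowedRoles">
    disallowed_param = "restrictedUser"      # <param name="disallowedRoles">
    user = {"authenticated", "restrictedUser"}  # constructed sample principal
    return {
        "reported": is_allowed_reported(user, allowed_param, disallowed_param),
        "deny_overrides": is_allowed_deny_overrides(user, allowed_param, disallowed_param),
    }


if __name__ == "__main__":
    for name, decision in evaluate_issue_example().items():
        print(f"{name}: {'granted' if decision else 'denied'}")
```

The check worth keeping from this is the last case in evaluate_issue_example: a principal carrying both a whitelisted and a blacklisted role is granted access under the first ordering and denied under the second, which is the difference the issue is about.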