[
https://issues.apache.org/jira/browse/ISIS-2700?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Andi Huber reassigned ISIS-2700:
--------------------------------
Assignee: (was: Andi Huber)
> Veto Viewing permission for Type not honored
> --------------------------------------------
>
> Key: ISIS-2700
> URL: https://issues.apache.org/jira/browse/ISIS-2700
> Project: Isis
> Issue Type: Bug
> Components: Isis Extensions SecMan, Isis Viewer Wicket
> Affects Versions: 2.0.0-M5
> Reporter: Martin Hesse
> Priority: Major
> Fix For: 2.0.0-M6
>
> Attachments: image-2021-05-26-15-18-02-115.png,
> image-2021-05-26-15-20-31-139.png
>
>
> A permission that vetoes the viewing of a type (such as in the example below)
> is not fully honored. In this concrete case a user that is being assigned a
> role with this permission (and no other roles with any permission that would
> contradict this permission) could still navigate to an entity page of a
> ApplicationUser and would see the title and the the icon and perhaps an empty
> metadata tab.
> The expected behavior would be the display of an error message saying "Not
> authorized or no such object".
>
> !image-2021-05-26-15-18-02-115.png!
>
> This is a screenshot of how the vetoed entity page presents to the user:
> !image-2021-05-26-15-20-31-139.png!
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
