Matthias Wronka created TOBAGO-1576:
---------------------------------------
Summary: Commands with unauthorized method-bindings should by default not be rendered
Key: TOBAGO-1576
URL: https://issues.apache.org/jira/browse/TOBAGO-1576
Project: MyFaces Tobago
Issue Type: Improvement
Components: Core
Reporter: Matthias Wronka

Tobago inspects the @RolesAllowed-Annotations of method-bindings, which is a
great feature!

But I think the default-behaviour is not intuitive, as methods that cannot be
executed by the current user because of missing roles are only disabled. They
should not be rendered!

Why? If an action has to be secured it is related to some kind of functionality
a user might not only be not allowed to execute but not even to see that it is
there (thus forcing the programmers not to rely on this feature but implement
the rendered-attribute themselves). Furthermore the user might ask himself /
herself what to do to execute this method (which of course is never possible
because of the missing role-assignment he/she cannot control). This is not
intuitive.

If a command is rendered disabled it should be a matter of state. E.g. some
date cannot be validated right now, because it has not been saved yet, but in a
second it will be. These are commands a user is authorized to execute but
something else must be done before.