In the screen widgets, you can check permissions with the
<if-has-permission> or <if-service-permission> elements. That's fine if
you only need to check a single permission to control access to the
entire screen.
Things get complicated when a screen's elements are controlled by more
than one permission. Let's say you have a typical Edit Item screen. The
screen should be viewable only to users who have the VIEW permission.
Users who have the UPDATE permission can edit the item. Users who have
the CREATE permission see a "New Item" button. Users who have DELETE
permission see a "Delete Item" button. Users who have the ADMIN
permission have unrestricted access to the screen. Wow. Five permission
elements (and five service calls) are needed to control one screen.
Here's my idea: have a permission service that returns ALL of the user's
permissions in a Map. You call the service with the permission to check
- "ACCOUNTING" for example. The service returns a Map containing all of
the user's ACCOUNTING permissions stored as Boolean objects. Let's say
the returned Map is called permissionsMap and the user has
ACCOUNTING_VIEW and ACCOUNTING_UPDATE permissions, then the Map would
contain these elements:
CREATE=false
UPDATE=true
DELETE=false
VIEW=true
ADMIN=false
If the service call is put in the screen's <actions> element, then the
Map elements could be used to control the display of screen widget
sections, menu items, and form fields.
Freemarker code would be simpler too:
<#if permissionsMap.CREATE>
<!-- Render a Create New button -->
</#if>
<#if permissionsMap.DELETE>
<!-- Render a Delete button -->
</#if>
What do you think?
-Adrian