Re: Tapestry-security/shiro check for 'any' permission

2017-04-20 Thread Barry Books
It's been a while, but I think you are correct about how Shiro works. I
would use a role to solve this. You can make a role like "maintainer" and
assign that role to anyone that can maintain objects. Then you can protect
any pages after the URL /maintain.



On Wednesday, April 19, 2017, Robin Garner wrote:

> I've just about finished adding my first feature that uses object
> permissions to a Tapestry app (tapestry-security 0.5.1, Tapestry 5.3.8).
> Users are given permissions to the objects they are allowed to maintain;
> when they go to the new page, only the objects they have permission to
> maintain appear on the list of objects, and when they try to POST a change,
> Shiro ensures they have rights to the object.  All works, no problems.
>
> This new feature is functionality that not all users have access to, so on
> the front page I want to add a link that only appears for users who have
> access.  This is where I run into a problem - it doesn't seem possible to
> ask whether a user has a certain access to  object, instead of access
> to all objects or to one particular object.
>
>
> Using Shiro's favorite example, the problem is this:
>
> Users have permissions of the form 'printer:print:laserjet3440',
> 'printer:view:canonb2'.  If I say
>
>  ...
>
> the option only appears for users who have the wildcard permission, not
> the real users who may have rights to one or several printers.  What I
> think we need is an existential wildcard ('printer:view:?' maybe) that
> matches any object.
>
>
> From what I can tell, Shiro simply doesn't have this functionality in
> its permissions.
>
> The workaround I've used for now is to grant every user who has one of
> these object-based permissions an 'any' permission,
> e.g. 'printer:view:-any-', and to base the page permissions on this.
>
>
> Have I missed anything obvious?  What do other people do?
>
> Regards,
> Robin
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
> For additional commands, e-mail: users-h...@tapestry.apache.org
>
>


Tapestry-security/shiro check for 'any' permission

2017-04-19 Thread Robin Garner
I've just about finished adding my first feature that uses object
permissions to a Tapestry app (tapestry-security 0.5.1, Tapestry 5.3.8).
Users are given permissions to the objects they are allowed to
maintain; when they go to the new page, only the objects they have
permission to maintain appear on the list of objects, and when they try
to POST a change, Shiro ensures they have rights to the object.  All
works, no problems.


This new feature is functionality that not all users have access to, so 
on the front page I want to add a link that only appears for users who 
have access.  This is where I run into a problem - it doesn't seem 
possible to ask whether a user has a certain access to  object, 
instead of access to all objects or to one particular object.



Using Shiro's favorite example, the problem is this:

Users have permissions of the form 'printer:print:laserjet3440', 
'printer:view:canonb2'.  If I say


 ...

the option only appears for users who have the wildcard permission, not 
the real users who may have rights to one or several printers.  What I 
think we need is an existential wildcard ('printer:view:?' maybe) that 
matches any object.



From what I can tell, Shiro simply doesn't have this functionality
in its permissions.


The workaround I've used for now is to grant every user who has one of
these object-based permissions an 'any' permission,
e.g. 'printer:view:-any-', and to base the page permissions on this.


Have I missed anything obvious?  What do other people do?

Regards,
Robin
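
An added example, not part of the thread and not Shiro or tapestry-security code: a plain-Java model of the existential check asked about above, comparing each granted permission string part by part with `domain:action:*`. The class and method names are hypothetical, the parsing (colon-separated parts, comma-separated tokens, `*` wildcard, case-insensitive) is a re-implementation of Shiro's wildcard string syntax, and the caller is assumed to have the user's granted permission strings at hand.

```java
import java.util.*;

public class AnyPermissionCheck {

    // Parse "printer:view:a,b" into parts; each part is a set of lower-cased tokens.
    static List<Set<String>> parse(String perm) {
        List<Set<String>> parts = new ArrayList<>();
        for (String part : perm.trim().toLowerCase().split(":")) {
            parts.add(new HashSet<>(Arrays.asList(part.split(","))));
        }
        return parts;
    }

    // True when both strings can describe at least one common concrete permission:
    // every shared part position must intersect, "*" matches any token, and
    // missing trailing parts are treated as "*".
    static boolean overlaps(String granted, String probe) {
        List<Set<String>> g = parse(granted);
        List<Set<String>> p = parse(probe);
        for (int i = 0; i < Math.min(g.size(), p.size()); i++) {
            Set<String> a = g.get(i);
            Set<String> b = p.get(i);
            if (a.contains("*") || b.contains("*")) continue;
            if (Collections.disjoint(a, b)) return false;
        }
        return true;
    }

    // Existential check: does any grant cover some object under domain:action?
    static boolean hasAny(Collection<String> grants, String domain, String action) {
        String probe = domain + ":" + action + ":*";
        for (String granted : grants) {
            if (overlaps(granted, probe)) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample grants based on the printer example in the thread.
        List<String> perObject = Arrays.asList("printer:print:laserjet3440", "printer:view:canonb2");
        List<String> wildcard = Arrays.asList("printer:*");
        List<String> unrelated = Arrays.asList("scanner:view:hp1");
        System.out.println("per-object, view:   " + hasAny(perObject, "printer", "view"));
        System.out.println("per-object, delete: " + hasAny(perObject, "printer", "delete"));
        System.out.println("wildcard, view:     " + hasAny(wildcard, "printer", "view"));
        System.out.println("unrelated, view:    " + hasAny(unrelated, "printer", "view"));
    }
}
```

A check like this only decides whether to show the link; the per-object check on POST described in the message still has to run for every change.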
