On 16/10/2010 05:42, Roy Bailey wrote:
> 
> public boolean isUserInRoles() {
> 
...
> return false;
> }
> 
> This is all expected behavior, my bad. Just one of those scenarios where you spend a lot of time
> finding out the state of your settings is out-of-sync. The combination of having role checking
> active without defining any roles on each menu item quietly suppresses the entire menu. Maybe this
> method could/should throw an exception if called when getRoles().size() == 0? Not sure if this
> would be undesirable but it would alert a user the menu item will never be accessed.
> 

You bring up a good point. #isUserInRoles doesn't support unprotected menu items (items without
roles). Instead of raising an exception the method could invoke AccessController#hasAccess with
either a null or empty string. That way unprotected (public) menu items can be handled in a central
place.

But does it make sense to ask if the user has access to nothing (null or "")? I can see arguments
for both. The servlet spec isn't explicit about how to handle nulls[1] either. Testing in Tomcat 6,
request.isUserInRole(null) returned false, similar to Click's current behavior.

Bob

[1]: http://download.oracle.com/javaee/1.2.1/api/javax/servlet/http/HttpServletRequest.html#isUserInRole%28java.lang.String%29
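
The two behaviours discussed in this thread, side by side, as an added example that is not part of the original message and is not Click's code. `Item` and `AccessCheck` are hypothetical stand-ins for a menu item and an access controller, and the user and role names are constructed.

```java
import java.util.List;

// Hypothetical stand-ins for illustration only; these are not Click's classes.
public class MenuRoleCheckDemo {

    /** Stand-in for a central access check; role is null for an unprotected item. */
    interface AccessCheck {
        boolean hasAccess(String user, String role);
    }

    static final class Item {
        final String label;
        final List<String> roles;
        Item(String label, List<String> roles) { this.label = label; this.roles = roles; }

        /** Behaviour described in the thread: with no roles nothing matches, so the item is hidden. */
        boolean isUserInRolesCurrent(String user, AccessCheck check) {
            for (String role : roles) {
                if (check.hasAccess(user, role)) return true;
            }
            return false;
        }

        /** Alternative from the reply: pass the unprotected case to the central check as null. */
        boolean isUserInRolesDelegating(String user, AccessCheck check) {
            if (roles.isEmpty()) return check.hasAccess(user, null);
            return isUserInRolesCurrent(user, check);
        }
    }

    public static void main(String[] args) {
        // Constructed sample data: one protected item, one item with no roles.
        Item admin = new Item("Admin", List.of("admin"));
        Item home = new Item("Home", List.of());

        // A check that denies a null role, like the Tomcat 6 result reported in the thread.
        AccessCheck strict = (user, role) -> role != null && role.equals("admin") && user.equals("alice");
        // A check whose policy is that a null role means "public".
        AccessCheck publicAware = (user, role) -> role == null || strict.hasAccess(user, role);

        for (Item item : List.of(admin, home)) {
            System.out.printf("%-6s current=%b delegating(strict)=%b delegating(publicAware)=%b%n",
                item.label,
                item.isUserInRolesCurrent("bob", strict),
                item.isUserInRolesDelegating("bob", strict),
                item.isUserInRolesDelegating("bob", publicAware));
        }
    }
}
```

The role-less item stays hidden unless the central check explicitly treats a null role as public, so the protected item is never exposed by the change and the decision about unprotected items lives in one place.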
