Hi, I've got a question regarding the current implementation of WildcardPermission.
Currently, the following holds true:

    thing:read:foo implies thing:read:foo:bar

Which basically means that if you can "read" the "foo" "thing", you can also "read" the "bar" "thing" in the "foo" "thing".

But the reverse statement does not hold true:

    thing:read:foo:bar does NOT imply thing:read:foo

Meaning that if you can read "bar" you can't read "foo".

Now, at first I thought that it made sense, but after thinking about it, I can't figure out what's a valid use case for this. My reasoning is based on the fact that "bar" in this situation is something that belongs to "foo" (otherwise, I would have a separate permission domain, i.e. otherthing:read:bar).

So if "bar" only exists if "foo" also does, what is the valid use case of allowing access to "bar" but not to "foo"?

Note that saying that the "longer" permission implies the "shorter" DOES NOT imply other longer permissions. That is,

    thing:read:foo:bar implies thing:read:foo --> true
    thing:read:foo:bar implies thing:read:foo:foobar --> false

Is my reasoning valid? I've created my own Permission implementation that does exactly that and it behaves as expected (I can read foo, bar, but not foobar).

I'm wondering what is a valid use-case for NOT wanting this behaviour?

Thanks!

Philippe

--
View this message in context: http://shiro-user.582556.n2.nabble.com/Question-regarding-WildcardPermission-tp5728829p5728829.html
Sent from the Shiro User mailing list archive at Nabble.com.
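An added example, not part of the original post and not Shiro's own code: one way to write the variant the post describes as a subclass of `WildcardPermission`, compared against the stock class on the post's two cases plus the shorter checks `thing:read` and `thing`. The class name `AncestorImplyingPermission` is hypothetical, and the code assumes Shiro 1.x on the classpath and that checked permissions are built as the same subclass (for example through a custom `PermissionResolver`).

```java
import java.util.List;
import java.util.Set;
import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.permission.WildcardPermission;

// Hypothetical subclass (not Shiro code): a longer grant also implies its own prefixes.
public class AncestorImplyingPermission extends WildcardPermission {

    public AncestorImplyingPermission(String wildcardString) {
        super(wildcardString);
    }

    @Override
    public boolean implies(Permission p) {
        if (super.implies(p)) {
            return true; // stock rule: thing:read:foo implies thing:read:foo:bar
        }
        // getParts() is protected, so the checked permission must be this subclass too.
        if (!(p instanceof AncestorImplyingPermission)) {
            return false;
        }
        List<Set<String>> granted = getParts();
        List<Set<String>> checked = ((AncestorImplyingPermission) p).getParts();
        if (checked.size() >= granted.size()) {
            return false; // same length or longer: the stock rule already decided
        }
        // Added rule: every part of the shorter check must match the grant's leading parts.
        for (int i = 0; i < checked.size(); i++) {
            Set<String> part = granted.get(i);
            if (!part.contains("*") && !part.containsAll(checked.get(i))) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample: the grant from the post, checked against four requests.
        String grant = "thing:read:foo:bar";
        String[] checks = {"thing:read:foo", "thing:read:foo:foobar", "thing:read", "thing"};
        Permission stock = new WildcardPermission(grant);
        Permission variant = new AncestorImplyingPermission(grant);
        for (String c : checks) {
            System.out.printf("%-22s stock=%-5b variant=%b%n", c,
                    stock.implies(new WildcardPermission(c)),
                    variant.implies(new AncestorImplyingPermission(c)));
        }
    }
}
```

Under the added rule a grant of `thing:read:foo:bar` also satisfies checks for `thing:read` and `thing`, which the stock class only passes when the grant's remaining parts are wildcards, so call sites that check those short strings need review before adopting it.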
