> you are correct that there is an underlying assumption that a user's roles
> cannot change within a session.  to solve that problem right now, you would
> have to manually call Session.clear(), clearing all pagemaps in the user's
> session.  why do you think that would not work?  (aside from whatever's
> broken in head right now)
Yes, Session.clear() will work, but you must know when to call it... When a 
user's roles are changed, for instance by some external administration tool, 
there must be a way to trigger Session.clear(). But I admit that this is a 
rather special case...

> if you really
> want to be sure about checking access to a component, the best way is to
> check on rendering.  you can already do that now.  just don't let your
> component perform the RENDER action unless the user is authorized to do it.
When it comes to security, you should always be *really* sure :-) And if that 
means that every component secured by isInstantiationAuthorized should be 
also secured by isActionAuthorized (ENABLE or RENDER) just to be sure, isn't 
isInstantiationAuthorized redundant? This was the original idea that led me 
to start this thread...

Regards,
Bendis
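As an added illustration (not code from this thread or from Wicket itself): an authorization strategy that applies one role rule both at instantiation and on the RENDER/ENABLE actions, so the per-request action check picks up a role change that the instantiation check, evaluated once and then cached with the page, would miss. It assumes Wicket 1.2-style packages (`wicket.Component`, `wicket.authorization.IAuthorizationStrategy`, `wicket.authorization.Action`) and a hypothetical `RoleSource` that returns the user's current roles.

```java
import java.util.Map;
import java.util.Set;

import wicket.Component;
import wicket.authorization.Action;
import wicket.authorization.IAuthorizationStrategy;

/**
 * One role table feeds both checks, so a component class that is secured on
 * instantiation is automatically secured on RENDER and ENABLE as well.
 * The instantiation check runs once when the page is built and is then kept
 * with the page in the session; the action check runs on every request and
 * therefore reflects roles changed by an external tool without Session.clear().
 */
public class RoleAuthorizationStrategy implements IAuthorizationStrategy {

    /** Hypothetical: supplies the current roles of the current user on each call. */
    public interface RoleSource {
        Set<String> currentRoles();
    }

    private final RoleSource roles;
    /** Component class -> role required to instantiate, render or enable it. */
    private final Map<Class<?>, String> requiredRoles;

    public RoleAuthorizationStrategy(RoleSource roles, Map<Class<?>, String> requiredRoles) {
        this.roles = roles;
        this.requiredRoles = requiredRoles;
    }

    /** Shared rule: unregistered classes are open, registered ones need the role. */
    private boolean allowed(Class<?> componentClass) {
        String required = requiredRoles.get(componentClass);
        return required == null || roles.currentRoles().contains(required);
    }

    public boolean isInstantiationAuthorized(Class componentClass) {
        return allowed(componentClass);
    }

    public boolean isActionAuthorized(Component component, Action action) {
        // Only RENDER and ENABLE are gated; other actions fall through as permitted.
        if (Component.RENDER.equals(action) || Component.ENABLE.equals(action)) {
            return allowed(component.getClass());
        }
        return true;
    }
}
```

Because `allowed` re-reads `currentRoles()` on every call, a role revoked mid-session stops the component from rendering on the next request even though its instantiation was authorized earlier.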
