Tapestry-security/shiro check for 'any' permission

Robin Garner
I've just about finished adding my first feature that uses object
permissions to a Tapestry app (tapestry-security 0.5.1, Tapestry 5.3.8).
Users are given permissions to the objects they are allowed to
maintain. When they go to the new page, only the objects they have
permission to maintain appear on the list of objects, and when they try
to POST a change, Shiro ensures they have rights to the object.  All
works, no problems.

This new feature is functionality that not all users have access to, so
on the front page I want to add a link that only appears for users who
have access.  This is where I run into a problem - it doesn't seem
possible to ask whether a user has a certain access to <any> object,
instead of access to all objects or to one particular object.


Using Shiro's favorite example, the problem is this:

Users have permissions of the form 'printer:print:laserjet3440',
'printer:view:canonb2'.  If I say

<t:security.hasAnyPermissions permissions="printer:view:*"> ...

the option only appears for users who have the wildcard permission, not
the real users who may have rights to one or several printers.  What I
think we need is an existential wildcard ('printer:view:?' maybe) that
matches any object.


From what I can tell, Shiro simply doesn't have this functionality
in its permissions.

The workaround I've used for now is to grant every user who has one of
these object-based permissions an 'any' permission,
e.g. 'printer:view:-any-', and to base the page permissions on this.


Have I missed anything obvious?  What do other people do?

Regards,
Robin
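
The direction of Shiro's implies() check that the post runs into, and one way to ask the existential question instead, shown as an added example (not part of the original post, and not tapestry-security's or Shiro's own code). It assumes the application can load the user's permission strings itself, since Subject exposes no list of them; the class name and hasAnyMatching are hypothetical.

```java
import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.permission.WildcardPermission;

import java.util.Arrays;
import java.util.Collection;
import java.util.List;

public class AnyInstanceCheck {

    /**
     * True if at least one held permission grants the query for some instance.
     * held.implies(query): the user holds the query itself or something broader
     * (the direction Shiro's own permission check tests).
     * query.implies(held): the held permission is a narrower, instance-level
     * grant that falls under the query pattern.
     */
    static boolean hasAnyMatching(Collection<String> heldStrings, String queryString) {
        Permission query = new WildcardPermission(queryString);
        for (String s : heldStrings) {
            Permission held = new WildcardPermission(s);
            if (held.implies(query) || query.implies(held)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample grants, using the printer names from the post.
        List<String> perObject = Arrays.asList("printer:print:laserjet3440", "printer:view:canonb2");
        List<String> printOnly = Arrays.asList("printer:print:laserjet3440");
        List<String> admin = Arrays.asList("printer:*");

        // The check behind permissions="printer:view:*": a single-printer
        // grant has to imply the wildcard, i.e. cover every printer.
        Permission viewAll = new WildcardPermission("printer:view:*");
        System.out.println("canonb2 grant implies view:* -> "
                + new WildcardPermission("printer:view:canonb2").implies(viewAll));

        // The existential question: may this user view at least one printer?
        System.out.println("perObject -> " + hasAnyMatching(perObject, "printer:view:*"));
        System.out.println("printOnly -> " + hasAnyMatching(printOnly, "printer:view:*"));
        System.out.println("admin     -> " + hasAnyMatching(admin, "printer:view:*"));
    }
}
```

A grant that lists several actions in one part, such as 'printer:view,print:canonb2', is matched by neither direction, so split such grants per action before calling. The result only decides whether the link is shown; the per-object check on POST still does the enforcing.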


Re: Tapestry-security/shiro check for 'any' permission

trsvax
It's been a while, but I think you are correct about how Shiro works. I
would use a role to solve this. You can make a role like "maintainer" and
assign that role to anyone that can maintain objects. Then you can protect
any pages after the URL /maintain.



On Wednesday, April 19, 2017, Robin Garner <[hidden email]> wrote:

> I've just about finished adding my first feature that uses object
> permissions to a Tapestry app (tapestry-security 0.5.1, Tapestry 5.3.8).
> Users are given permissions to the objects they are allowed to maintain.
> When they go to the new page, only the objects they have permission to
> maintain appear on the list of objects, and when they try to POST a change,
> Shiro ensures they have rights to the object.  All works, no problems.
>
> This new feature is functionality that not all users have access to, so on
> the front page I want to add a link that only appears for users who have
> access.  This is where I run into a problem - it doesn't seem possible to
> ask whether a user has a certain access to <any> object, instead of access
> to all objects or to one particular object.
>
>
> Using Shiro's favorite example, the problem is this:
>
> Users have permissions of the form 'printer:print:laserjet3440',
> 'printer:view:canonb2'.  If I say
>
> <t:security.hasAnyPermissions permissions="printer:view:*"> ...
>
> the option only appears for users who have the wildcard permission, not
> the real users who may have rights to one or several printers.  What I
> think we need is an existential wildcard ('printer:view:?' maybe) that
> matches any object.
>
>
> From what I can tell, Shiro simply doesn't have this functionality in
> its permissions.
>
> The workaround I've used for now is to grant every user who has one of
> these object-based permissions an 'any' permission,
> e.g. 'printer:view:-any-', and to base the page permissions on this.
>
>
> Have I missed anything obvious?  What do other people do?
>
> Regards,
> Robin