It's been a while but I think you are correct about how Shiro works. I
would use a role to solve this. You can make a role like "maintainer" and
assign that role to anyone that can maintain objects. Then you can protect
any pages after the url /maintain
On Wednesday, April 19, 2017, Robin Garner <robin.gar...@scu.edu.au> wrote:
> I've just about finished adding my first feature that uses object
> permissions to a tapestry app (tapestry-security 0.5.1, tapestry 5.3.8).
> Users are given permissions to the objects they are allowed to maintain,
> when they go to the new page, only the objects they have permission to
> maintain appear on the list of objects, and when they try to POST a change,
> shiro ensure they have rights to the object. All works, no problems.
>
> This new feature is functionality that not all users have access to, so on
> the front page I want to add a link that only appears for users who have
> access. This is where I run into a problem - it doesn't seem possible to
> ask whether a user has a certain access to <any> object, instead of access
> to all objects or to one particular object.
>
>
> Using Shiro's favorite example, the problem is this:
>
> Users have permissions of the form 'printer:print:laserjet3440',
> 'printer:view:canonb2'. If I say
>
> <t:security.hasAnyPermissions permissions="printer:view:*"> ...
>
> the option only appears for users who have the wildcard permission, not
> the real users who may have rights to one or several printers. What I
> think we need is an existential wildcard ('printer:view:?' maybe) that
> matches any object.
>
>
> From what I can tell, the Shiro simply doesn't have this functionality in
> its permissions.
>
> The workaround I've used for now is to grant every user who has one of
> these object-based permissions an 'any' permission,
> e.g. 'printer:view:-any-', and to base the page permissions on this.
>
>
> Have I missed anything obvious ? What do other people do ?
>
> Regards,
> Robin
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
> For additional commands, e-mail: users-h...@tapestry.apache.org
>
>
