Announcement Announcement Module
No announcement yet.
Bug in accesscontrollist tag Page Title Module
Move Remove Collapse
Conversation Detail Module
  • Filter
  • Time
  • Show
Clear All
new posts

  • Bug in accesscontrollist tag

    Description of the tag says :

    Allows inclusion of a tag body if the current Authentication
    has one of the specified permissions to the presented
    domain object instance.
    The code is :
            List<Object> requiredPermissions = parseHasPermission(hasPermission);
            for(Object requiredPermission : requiredPermissions) {
                if (!permissionEvaluator.hasPermission(authentication, domainObject, requiredPermission)) {
                    return skipBody();
            return evalBody();
    This makes the tag skip the body unless the current Authentication has all permissions rather than one.

    I tried looking around for this issue but only found this thread from 2012 ( and this commit ( which seems to be the mentionned fix in that thread.

    Since we're in the process of upgrading from Acegi to Spring Security 3, I would like to know if this behavior is correct or if a fix is planned in the coming days before we change all our security tags.