Details
-
Bug
-
Status: Closed
-
Major
-
Resolution: Fixed
-
core-1.5.0
-
None
Description
Per docs [1]
user_role = !reg/org.estatio.api,\
!reg/org.estatio.webapp.services.admin,\
reg/* ;
admin_role = adm/*
then a user with both user_role and admin_role should have access to everything, because the two vetos in the "reg" group do not veto the permission provided in the "adm" group.
~~~
Tracking this down showed the issue to be a reliance on equals() implementation in IsisPermission.
[1] http://isis.apache.org/components/security/shiro/format-of-permissions.html