[KULRICE-10439] AttributeSecurity hide attribute is not handled correctly
Created: 10/Sep/13  Updated: 21/Apr/14  Resolved: 16/Sep/13

Status: Closed
Project: Kuali Rice Development
Component/s: Development, KNS Equivalency, Roadmap
Affects Version/s: None
Fix Version/s: 2.4
Security Level: Public (Public: Anyone can view)

Type: Bug Fix
Priority: Critical
Reporter: Kristina Taylor (Inactive)
Assignee: Kristina Taylor (Inactive)
Resolution: Fixed
Votes: 0
Labels: None
Remaining Estimate: 0 minutes
Time Spent: 1 day, 6 hours
Original Estimate: 3 days

Similar issues:
KULRICE-5339 Finish integration with presentation controller/authorizer/AttributeSecurity checking KIM
KULRICE-10434 modify BusinessObjectBase.toString to hide sensitive information
KULRICE-4442 Person service does not handle extension objects properly
KULRICE-4021 CustomerTypeHamdler doesn't handle CustomerType Annoation correctly
KULRICE-4243 Responsibility document does not handle blank qualifier resolver correctly
KULRICE-3179 Document Configuration screen Show/Hide buttons not working correctly
KULRICE-7637 show inactive / hide inactive button on subtab is not working correctly.
KULRICE-6414 Label for collection field does not show/hide correctly with progressive disclosure or refresh
KULRICE-12549 Focus and jumping not working correctly
KULRICE-10891 Width attributes for sequence and action columns not correct
Epic Link: Inquiry Equivalence
KRAD Feature Area: Inquiry
Sprint: 2.4.0-m2 Sprint 2, 2.4.0-m2 KRAD Sprint 3
KAI Review Status: Not Required
KTI Review Status: Not Required
Code Review Status: Not Required
Include in Release Notes?: Yes

 Description   

In the KNS, you could hide an entire field in the Inquiry based on KIM permissions by adding AttributeSecurity to the DD:

<property name="attributeSecurity">
  <bean parent="AttributeSecurity" p:hide="true"/>
</property>

This would have the effect of removing the entire row (description and value) from the interface if a permission based on the KR-NS / View Inquiry or Maintenance Document Field template was not assigned to the current user. In KRAD, there are several issues that prevent this from working.

  • DataField.hasSecureValue incorrectly calls isHidden() to check for a secure field. Confirmed with Jerry that it should not do this.
  • The permissions are not consulted for AttributeSecurity.isHide. The field should only be displayed if a permission based on the KR-KRAD / View Field template is assigned to the current user.
  • KRAD does not completely eliminate this field from the interface. It only encrypts the value and shows the description. It needs to completely remove this from the interface, just as if the field had p:render="false" and p:hidden="true".

I believe the additional check for AttributeSecurity should just be added to ViewAuthorizerBase.canViewField. Then, the p:render="false" and p:hidden="true" attributes will be set correctly. I will update the KNS2KRAD guide separately to reflect what this should be.



 Comments   
Comment by Kristina Taylor (Inactive) [ 12/Sep/13 ]

There are some inconsistencies in the KNS that make this one a bit more difficult to solve. Even though this issue is for Inquiry, the places that we need to change will affect Inquiry, Lookup, and Maintenance. If we set attribute security to hide, this is how the KNS acts:

  • Inquiry
    • Field in base class is completely removed from the interface
    • Field in collection is blanked out but the cell remains
  • Lookup
    • Field in base class appears in lookup
    • Field in base class appears in results
  • Maintenance
    • Field in base class is completely removed from the interface
    • Field in collection is able to be added but not edited

This is how KRAD acts with my fixes:

  • Inquiry
    • Field in base class is completely removed from the interface
    • Field in collection is blanked out but the cell remains
  • Lookup
    • Field in base class is completely removed from the lookup
    • Field in base class is blanked out in results but the column remains
  • Maintenance
    • Field in base class is completely removed from the interface
    • Field in collection is blanked out but the cell remains

These represent either features I am unaware of or bugs. The way I got these changes was to add the following four lines to copyFromAttributeDefinition in both DataField and LookupInputField:

getDataFieldSecurity().setViewAuthz(getDataFieldSecurity().getAttributeSecurity().isHide());
getDataFieldSecurity().setEditAuthz(getDataFieldSecurity().getAttributeSecurity().isHide());
getDataFieldSecurity().setViewInLineAuthz(getDataFieldSecurity().getAttributeSecurity().isHide());
getDataFieldSecurity().setEditInLineAuthz(getDataFieldSecurity().getAttributeSecurity().isHide());

The one other thing I will probably have to do is convert all of the Authz fields from boolean to Boolean and prevent them from initializing at first so the overrides are done correctly. Not quite sure what effects this will have, as the ComponentSecurity objects are all automatically initialized, so perhaps we should have a lazy init and default to false?
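
The behaviour the description asks for (a hide-flagged field is dropped entirely unless the user holds a view-field permission), combined with one possible reading of the tri-state Boolean idea from the comment, as an added illustration. This is not Kuali Rice code: FieldModel, FieldSecurity and PermissionCheck are hypothetical stand-ins, the fallback to the dictionary flag when no override is set is an assumption, and the field names, values and users are constructed.

```java
import java.util.*;

public class HideFieldDemo {
    // Hypothetical stand-in for a KIM permission lookup (not the Rice API).
    interface PermissionCheck { boolean canViewField(String user, String field); }

    // Tri-state flag: null means "never set", so a data-dictionary value can
    // be told apart from an explicit override made on the field itself.
    static class FieldSecurity {
        private Boolean viewAuthz;                 // explicit override, if any
        private final boolean hideFromDictionary;  // AttributeSecurity hide flag
        FieldSecurity(boolean hide) { this.hideFromDictionary = hide; }
        void setViewAuthz(Boolean v) { this.viewAuthz = v; }
        // Lazy default (assumption): use the dictionary flag only when unset.
        boolean requiresViewCheck() {
            return viewAuthz != null ? viewAuthz : hideFromDictionary;
        }
    }

    static class FieldModel {
        final String name, label, value; final FieldSecurity security;
        FieldModel(String n, String l, String v, FieldSecurity s) {
            name = n; label = l; value = v; security = s;
        }
    }

    // Returns only the fields the user may see. A denied field is removed,
    // label and value together, rather than masked with the label left behind.
    static List<FieldModel> visibleFields(List<FieldModel> all, String user, PermissionCheck perms) {
        List<FieldModel> out = new ArrayList<>();
        for (FieldModel f : all) {
            if (!f.security.requiresViewCheck() || perms.canViewField(user, f.name)) out.add(f);
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample data: one open field, one hide-flagged field.
        List<FieldModel> fields = Arrays.asList(
            new FieldModel("name", "Name", "A. Example", new FieldSecurity(false)),
            new FieldModel("taxId", "Tax ID", "000-00-0000", new FieldSecurity(true)));
        PermissionCheck perms = (user, field) -> user.equals("auditor");
        for (String user : new String[] {"clerk", "auditor"}) {
            StringBuilder sb = new StringBuilder(user + " sees:");
            for (FieldModel f : visibleFields(fields, user, perms)) sb.append(' ').append(f.label);
            System.out.println(sb);
        }
    }
}
```

Filtering before rendering means neither the label nor a masked value of a denied field reaches the page, which is the difference between the KNS row removal and the KRAD behaviour reported in the description.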
