Darran Lofthouse [
https://community.jboss.org/people/dlofthouse] commented on the
document
"Access control notes"
To view all comments on this document, visit:
https://community.jboss.org/docs/DOC-48596#comment-11935
--------------------------------------------------
Two more thoughts to add: -
1 - Operations that go on to other things i.e. if an operation updates other attributes or
calls other operations does it automatically have access or still perform access control
check as the user?
i.e. May want to stop a user from modifying indivudal attributes but let them call an
operation that updates multiple at once.
2 - Pre-flight checks will be good but still need to consider the request may still fail
authorization.
A users group membership may not be static.
Permissions on the server could be updated.
--------------------------------------------------