feature request #7972

Updated by Andreas Kohlbecker over 1 year ago

Users can always see any data in the Taxeditor, this can be problematic for projects in which private data must not be un-disclosed to arbitrary users.

The must straight forward approach is to use Spring Security to configure the `MultiWebSecurityConfiguration#RemotingWebSecurityConfigurationAdapter` accordingly.
This involves implementing one of the following rules:

* ~~All All users can always access `/remoting/**` unless they have the role `ROLE_REMOTING_DENIED~~ rejected `ROLE_REMOTING_DENIED`
* Users need to be assigned with the `ROLE_REMOTING` to access `/remoting/**` **agreed**

If the role is missing in the db it will be created and added to the Groups `Editor` and `EditorExtendedCreate` by the `FirstDataInserter`.
The role will however not be added to the editor groups in case the role exist but is missing from one of these groups. This allows removal of the role from the editor groups to withdraw the remote editing permission from editors in general for a project.


Add picture from clipboard (Maximum size: 40 MB)