AtlasOfLivingAustralia / webapi

Atlas Web service API app
https://api.ala.org.au

Admin options visible when not logged in #1

Closed nickdos closed 10 years ago

nickdos commented 10 years ago

Admin drop-down menu and edit/example/copy buttons are visible when user is not logged in. These should only be displayed if user is logged in and user has appropriate role.

sbearcsiro commented 10 years ago

It turns out this was caused by a line in the external config file, which was:

security.cas.bypass=false

It turns out Grails doesn't coerce "false" into a bool from an external config file; it comes out as a string. Then in the auth service the isUserInRole doesn't check that the security.cas.bypass value is a bool and just accepts its truthy value (the truthy value of the String "false" being true).

Something snarky about dynamic typing.

nickdos commented 10 years ago

You have to do a toBoolean() on any config vars that you are expecting to be a Boolean (where apps use an external properties file)...

E.g. from biocache-hubs - ${grailsApplication.config.skin.useAlaBie?.toBoolean()}

The alternative is we move away from external properties files and use external groovy files (where types are preserved)...
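Added example (a stand-alone Groovy script, not code from the webapi project) reproducing the truthiness bug sbearcsiro describes and the two remedies nickdos mentions; the isUserInRole bodies are simplified stand-ins for the real auth service, and the config text is constructed.

```groovy
// Grails loads an external .properties file through java.util.Properties,
// so every value arrives as a String, including "false".
import java.util.Properties

// Constructed stand-in for the external config file from the issue.
def externalConfig = new Properties()
externalConfig.load(new StringReader('security.cas.bypass=false\n'))

def bypass = externalConfig.getProperty('security.cas.bypass')
assert bypass instanceof String
assert bypass == 'false'

// Groovy truth: any non-empty String is true, whatever it says.
assert (bypass ? true : false) == true   // the bug: "false" is truthy

// Sketch of the broken check (hypothetical, not the project's code):
// a truthy config value short-circuits the role lookup.
boolean buggyIsUserInRole(def cfgValue, boolean reallyHasRole) {
    if (cfgValue) {
        return true
    }
    return reallyHasRole
}
assert buggyIsUserInRole(bypass, false) == true   // anonymous user sees admin UI

// Remedy 1 (nickdos): coerce explicitly with String.toBoolean().
// toString() first so a real Boolean from a .groovy config also works,
// and ?. so a missing key (null) falls through to "no bypass".
boolean fixedIsUserInRole(def cfgValue, boolean reallyHasRole) {
    if (cfgValue?.toString()?.toBoolean()) {
        return true
    }
    return reallyHasRole
}
assert fixedIsUserInRole(bypass, false) == false
assert fixedIsUserInRole('TRUE', false) == true   // toBoolean() is case-insensitive
assert fixedIsUserInRole(true, false) == true
assert fixedIsUserInRole(null, false) == false

// Remedy 2 (nickdos): an external .groovy config parsed by ConfigSlurper
// keeps Groovy types, so false stays a Boolean and no coercion is needed.
def groovyConfig = new ConfigSlurper().parse('security.cas.bypass = false')
assert groovyConfig.security.cas.bypass instanceof Boolean
assert groovyConfig.security.cas.bypass == false
assert buggyIsUserInRole(groovyConfig.security.cas.bypass, false) == false
```

Run with `groovy script.groovy`; every assert passes, and removing the toBoolean() from fixedIsUserInRole makes the bypass assertion fail again.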

sbearcsiro commented 10 years ago

IMO the alternative is to use Scala... ;)