vaadin / flow

Vaadin Flow is a Java framework binding Vaadin web components to Java. This is part of Vaadin 10+.
Apache License 2.0

Support of permission-based access to Flow views #11239

Open mshabarov opened 3 years ago

mshabarov commented 3 years ago

Description of the bug / feature

Flow views can be protected by the @RolesAllowed annotation, which gives an opportunity to list the roles of users allowed to see a single view, like SUPER-ADMIN, ADMIN, USER, etc.

In complex applications it might be required, and more convenient, to use permissions for accessing the views instead of just roles. 'Permission' in this context stands for any authority that differs from a role (which has a 'ROLE_' prefix). The following example shows how it might look:

import com.vaadin.flow.component.html.Div;
import com.vaadin.flow.component.orderedlayout.VerticalLayout;
import com.vaadin.flow.router.Route;

// @PermissionsAllowed is the annotation proposed in this issue; it is not part of Flow yet.
@PermissionsAllowed("PERM_PERSON_WRITE")
@Route(value = "edit", layout = PersonView.class)
public class PersonEditView extends VerticalLayout {
    public PersonEditView() {
        add(new Div("You can only see this if your role has a PERM_PERSON_WRITE permission"));
    }
}

The default implementation of view-based access control in Vaadin uses the roles approach, and if a security configuration (for example, Spring Security) is changed to work with something other than the ROLE_ prefix, e.g. PERM_, then view access wouldn't work with it out of the box.

Acceptance criteria
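To make concrete what a permission-aware view check would have to do beyond the role-only default described in the issue, here is an added example. It is not Flow's own code and not code from the issue: the @PermissionsAllowed annotation is the one proposed above and is defined locally as a stand-in, RolesAllowed is a dependency-free stand-in for jakarta.annotation.security.RolesAllowed, hasAccess is a hypothetical helper, and the granted-authority sets are constructed sample data (in a Spring Security application they would come from the authenticated principal's GrantedAuthority collection). The check fails closed: a view with neither annotation is denied, a listed role matches only with the ROLE_ prefix, and a listed permission matches the authority string exactly, so a PERM_ authority can never satisfy a @RolesAllowed entry by accident.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.Set;

public class PermissionAccessCheckerDemo {

    // Hypothetical annotation proposed in the issue; not part of Flow.
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.TYPE)
    public @interface PermissionsAllowed {
        String[] value();
    }

    // Dependency-free stand-in for jakarta.annotation.security.RolesAllowed.
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.TYPE)
    public @interface RolesAllowed {
        String[] value();
    }

    /**
     * Hypothetical deny-by-default check. A view must be explicitly annotated, and the
     * user must hold at least one listed role (stored as "ROLE_" + name) or at least one
     * listed permission (stored verbatim, e.g. "PERM_PERSON_WRITE").
     */
    public static boolean hasAccess(Class<?> view, Set<String> grantedAuthorities) {
        RolesAllowed roles = view.getAnnotation(RolesAllowed.class);
        PermissionsAllowed perms = view.getAnnotation(PermissionsAllowed.class);
        if (roles == null && perms == null) {
            return false; // fail closed: unannotated views are never reachable
        }
        if (roles != null) {
            for (String role : roles.value()) {
                // Roles are compared with the ROLE_ prefix, matching the default convention.
                if (grantedAuthorities.contains("ROLE_" + role)) {
                    return true;
                }
            }
        }
        if (perms != null) {
            for (String perm : perms.value()) {
                // Permissions are any other authority and are compared exactly.
                if (grantedAuthorities.contains(perm)) {
                    return true;
                }
            }
        }
        return false;
    }

    // Constructed sample views standing in for Flow routes.
    @PermissionsAllowed("PERM_PERSON_WRITE")
    static class PersonEditView {}

    @RolesAllowed("ADMIN")
    static class AdminView {}

    static class UnannotatedView {}

    public static void main(String[] args) {
        // Constructed granted-authority sets for two sample users.
        Set<String> editor = Set.of("ROLE_USER", "PERM_PERSON_WRITE");
        Set<String> admin = Set.of("ROLE_ADMIN");

        System.out.println("editor -> PersonEditView: " + hasAccess(PersonEditView.class, editor)); // true
        System.out.println("admin  -> PersonEditView: " + hasAccess(PersonEditView.class, admin));  // false
        System.out.println("admin  -> AdminView:      " + hasAccess(AdminView.class, admin));       // true
        System.out.println("editor -> AdminView:      " + hasAccess(AdminView.class, editor));      // false
        System.out.println("admin  -> UnannotatedView:" + hasAccess(UnannotatedView.class, admin)); // false
    }
}
```

The point worth noticing is the last line of main: without an explicit annotation the view stays closed even for the admin, which is the behaviour a practitioner would want from a view-access checker whichever authority prefix the application settles on.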

Artur- commented 3 years ago

Surely using @RolesAllowed in the example code is a typo?

mshabarov commented 3 years ago

It's not a typo, but a mistake: it's better to use a separate annotation if we talk about permissions. A new one, let's say @PermissionsAllowed should be created. Example code will be updated.

peholmst commented 3 years ago

Some background explaining why this feature is useful (and when): https://youtu.be/U6CeaA-Phqo?t=2183

igorbljahhin commented 2 years ago

So, any plans for this feature?