xh / hoist-core

🏗️ The XH Hoist toolkit for Grails
https://xh.io/
Apache License 2.0

Add an 'OR' option to `@Access` #382

Open jskupsik opened 2 months ago

jskupsik commented 2 months ago

We have a convenient `@Access` annotation, powered by `AccessInterceptor.groovy`, which supports a list of role names and requires a user to have all of those roles in order to get access to the tagged class or endpoint method.

We are missing a way of easily annotating an OR permission, where a user would be required to have at least one of the roles listed to access an endpoint.

amcclain commented 2 months ago

I would argue this would be the more useful / expected default behavior, given that the annotation takes a collection. I more commonly think of "adding roles to an ACL" where each role is granted access, vs. "specifying a list of roles where you must have all of them".

Not saying we should go and change the default, but we could consider it. I highly doubt there are many (any?) examples out there with multiple roles. We could provide a new way to spec the "AND" case and then release with a big changelog banner to call out the need for a quick code search.
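
The code search mentioned in the thread, sketched as an added example (not part of the discussion and not hoist-core code): it lists every `@Access` usage with more than one role and shows how one user's result differs between all-of and any-of evaluation. It assumes annotations are written as `@Access(['ROLE_A', 'ROLE_B'])`; the role names, sample source and function names are constructed for illustration.

```python
import re
from pathlib import Path

# Assumed annotation shape (not confirmed by the thread): @Access(['ROLE_A', 'ROLE_B'])
ACCESS_RE = re.compile(r"@Access\s*\(\s*\[(?P<roles>[^\]]*)\]\s*\)")
ROLE_RE = re.compile(r"""['"]([^'"]+)['"]""")

def find_multi_role_access(source, path="<memory>"):
    """Return (path, line_no, roles) for each @Access that lists more than one role."""
    hits = []
    for m in ACCESS_RE.finditer(source):
        roles = ROLE_RE.findall(m.group("roles"))
        if len(roles) > 1:
            line_no = source.count("\n", 0, m.start()) + 1
            hits.append((path, line_no, roles))
    return hits

def scan_tree(root):
    """Run the search over every .groovy file below root."""
    hits = []
    for p in sorted(Path(root).rglob("*.groovy")):
        text = p.read_text(encoding="utf-8", errors="replace")
        hits += find_multi_role_access(text, str(p))
    return hits

def access_change(user_roles, required):
    """Evaluate one user under all-of (current) and any-of (proposed) semantics."""
    have, need = set(user_roles), set(required)
    return {"all_of": need <= have, "any_of": bool(have & need)}

# Constructed sample source; the multi-role annotation spans two lines on purpose.
SAMPLE = """\
package demo

@Access(['APP_READER'])
class ReportController {

    @Access(['APP_ADMIN',
             'AUDIT_VIEWER'])
    def exportAudit() { }
}
"""

if __name__ == "__main__":
    for path, line_no, roles in find_multi_role_access(SAMPLE, "Sample.groovy"):
        # A user holding only the first listed role is denied today, allowed under any-of.
        print(path, line_no, roles, access_change(roles[:1], roles))
```

Each hit is an endpoint whose effective access would widen if the default changed from all-of to any-of, so it needs an explicit decision before upgrading.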