I was asked to add a module to existing system. While studying the structure, I found something 'weird'. The system is struts1 based.
In some jsp, I found there are some DAO call to return entity object.
In most JSP pages, there is a <app:validate> tag, which would make call to DAO to check access rights, and would redirect to the login page if not permitted.
There is an accessDA object, but it does more than data fetching, it also does some access right checking.
My questions are:
1) IMO yes, but: it's not a leaky abstraction as such, precisely because it's in a tag. Tags exist to abstract implementation details from the view. It's also arguable that doing the access lookup in the action makes the action responsible for something that's relevant only to the view layer.
Another issue with encapsulating the data access in the tag itself is that if there are many uses of the tag on the page there may be more data access than necessary, slowing response time. A clever tag could mitigate this by caching values, or caching may be implemented at a deeper level.
2) A tag like that should be acting against the current user object, which should have encapsulated the user's rights already (probably on login). That said, it may not be sufficient to use cached values to determine access rights if those rights may change during a user's session.
3) I don't know; without knowing more details IMO that's impossible to answer.
4) Depends. Doing the same thing multiple ways can lead maintenance nightmares.
If there's an effort to re-structure the application according to best practices, then yes, new development should follow better patterns. If there isn't, IMO it's more confusing to introduce multiple ways of doing the same thing, and makes it more difficult for those who follow because they then need to decide which way to do something, determine if there's a functional difference between the different ways, and so on.