Grails w/ Spring Security Core only allowing owner to update in GSP
This question has some code to add to the controller closure, which is fine, but what if I want to use the Grails default scaffolding views but only have the edit/update buttons appear if the user is a manager, or the domain object is owned by the user? Reading the documentation, I've tried:
    <sec:access expression="hasRole('ROLE_MANAGER') || (projectInstance.owner == springSecurityService.currentUser)">
        <span class="button"><g:actionSubmit class="save" action="update" value="${message(code: 'default.button.update.label', default: 'Update')}" /></span>
    </sec:access>
But the access class doesn't seem to allow ORs:
    Error processing GroovyPageView: Error executing tag <g:form>: Error executing tag <sec:access>: Cannot handle (124) '|'
Anyone done something similar?
I've decided that would be stupid. A better approach is to do it in the controller as:
    def edit = {
        def projectInstance = Project.get(params.id)
        if (!projectInstance) {
            flash.message = "${message(code: 'default.not.found.message', args: [message(code: 'project.label', default: 'Project'), params.id])}"
            redirect(action: "list")
        }
        else {
            // Evaluated only after the null check: projectInstance.owner would
            // throw a NullPointerException for an unknown id.
            def managerOrAdmin = SpringSecurityUtils.ifAnyGranted('ROLE_ADMIN,ROLE_MANAGER')
            def editable = (projectInstance.owner == springSecurityService.currentUser
                            || managerOrAdmin)
            return [projectInstance: projectInstance, editable: editable]
        }
    }
and then in the GSP do:

    <g:if test="${editable}">
        <span class="button"><g:actionSubmit class="save" action="update" value="${message(code: 'default.button.update.label', default: 'Update')}" /></span>
    </g:if>

which makes sense, if we follow the good programming mantra of "views should do as little processing logic as possible in MVC".
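
The `editable` flag only decides whether the button is rendered; the scaffolded `update` action performs no ownership check of its own. The following is an added example, not part of the original post, that applies the same owner-or-manager rule in both actions through one hypothetical helper, `canEdit`. It assumes the spring-security-core 1.x package name and that `Project.owner` is the plugin's user domain class.

```groovy
// Added example, not from the original post.
// Assumption: spring-security-core 1.x package; plugin 2.x and later use grails.plugin.springsecurity.
import org.codehaus.groovy.grails.plugins.springsecurity.SpringSecurityUtils

class ProjectController {
    def springSecurityService

    // Hypothetical helper: the single place where the owner-or-manager rule lives.
    private boolean canEdit(project) {
        def user = springSecurityService.currentUser
        // Require a logged-in user first: in Groovy null == null is true, so an
        // ownerless project would otherwise look "owned" by an anonymous visitor.
        if (!user) return false
        if (SpringSecurityUtils.ifAnyGranted('ROLE_ADMIN,ROLE_MANAGER')) return true
        // Compare ids so a lazy-loaded Hibernate proxy for owner still matches.
        return project.owner?.id == user.id
    }

    def edit = {
        def projectInstance = Project.get(params.id)
        if (!projectInstance) {
            redirect(action: "list")
            return
        }
        // The flag only controls what the view renders.
        [projectInstance: projectInstance, editable: canEdit(projectInstance)]
    }

    def update = {
        def projectInstance = Project.get(params.id)
        if (!projectInstance) {
            redirect(action: "list")
            return
        }
        // Enforce the rule again here; the view flag is not an access control.
        if (!canEdit(projectInstance)) {
            response.sendError(403)
            return
        }
        // Exclude owner from binding so a request parameter cannot reassign ownership.
        bindData(projectInstance, params, [exclude: ['owner']])
        if (!projectInstance.hasErrors() && projectInstance.save(flush: true)) {
            redirect(action: "show", id: projectInstance.id)
        } else {
            render(view: "edit", model: [projectInstance: projectInstance, editable: true])
        }
    }
}
```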