chelder

Reputation: 3987

How to restrict editing to the user who created it with Grails

Any user can create his/her own robot. A robot should be edited only by the creator or an administrator.

The following code works perfectly and is an easy and simple solution:

import org.codehaus.groovy.grails.plugins.springsecurity.SpringSecurityUtils

class RobotController {

    def springSecurityService

    def edit() {

        // allowed when the logged-in user is the robot's creator (usuario)
        // or holds one of the admin roles
        if (Robot.get(params.id).usuario.username == springSecurityService.authentication.name
         || SpringSecurityUtils.ifAnyGranted("ROL_ADMIN,ROL_SUPERADMIN"))
            println "editing allowed"
        else
            println "editing denied"

    }
}

But my teacher recommended that I secure the web app using Config.groovy. The following code does not work:

grails.plugins.springsecurity.interceptUrlMap = [
    '/index.gsp': ["isAuthenticated()"],
    '/robot/edit/**': ["Robot.get(params.id).usuario.username == springSecurityService.authentication.name
                        || hasAnyRole('ROL_ADMIN','ROL_SUPERADMIN')"],
    '/robot/**': ["isAuthenticated()"]
]

It does not work for several reasons:

  1. It is not possible to reference the domain class Robot in Config.groovy
  2. params.id makes no sense in this place
  3. The Java "or" (||) is not valid here. I tried other ways with no luck. The Groovy documentation is not clear to me.

Is it possible to do it in Config.groovy? If not, would the correct way be to use <sec:access> ... </sec:access> somehow?

Upvotes: 0

Views: 106
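The interceptUrlMap in Config.groovy is evaluated on the request path before any controller runs, so it can only express rules such as "is authenticated" or "has role X"; it never sees which Robot row a request is about, which is why the ownership check has to live where the object is loaded. The following controller is an added example, not code from the question or the answer: it keeps the owner-or-admin rule from the posted edit() action but fails closed with 404/403 responses instead of printing, applies the same rule to the action that actually writes, and restricts the fields bound from the request. The field names `nombre` and `descripcion`, the `show` action and the Grails 2.x plugin package are assumptions.

```groovy
import org.codehaus.groovy.grails.plugins.springsecurity.SpringSecurityUtils

// Config.groovy keeps the coarse gate only:  '/robot/**': ['isAuthenticated()']
// The per-object decision is made here, on the loaded Robot.
class RobotController {

    def springSecurityService

    // Force the state-changing action onto POST so a crafted link cannot trigger it.
    static allowedMethods = [update: 'POST']

    // Same rule as the question's edit(): the creator (usuario) or an admin role.
    private boolean canModify(Robot robot) {
        boolean isOwner = robot.usuario?.username == springSecurityService.authentication.name
        boolean isAdmin = SpringSecurityUtils.ifAnyGranted('ROL_ADMIN,ROL_SUPERADMIN')
        return isOwner || isAdmin
    }

    def edit(Long id) {
        Robot robot = Robot.get(id)
        if (!robot) {
            response.sendError(404)   // unknown id: fail closed, no NPE on .usuario
            return
        }
        if (!canModify(robot)) {
            response.sendError(403)   // authenticated, but neither owner nor admin
            return
        }
        [robotInstance: robot]        // renders grails-app/views/robot/edit.gsp
    }

    // The action that writes needs the identical check: a user who is refused the
    // edit form could otherwise still POST straight to /robot/update/<id>.
    def update(Long id) {
        Robot robot = Robot.get(id)
        if (!robot) {
            response.sendError(404)
            return
        }
        if (!canModify(robot)) {
            response.sendError(403)
            return
        }
        // Bind only the fields a user is meant to change. Binding all of params
        // would let the request overwrite 'usuario' and reassign ownership.
        bindData(robot, params, [include: ['nombre', 'descripcion']])   // field names assumed
        if (!robot.save(flush: true)) {
            render(view: 'edit', model: [robotInstance: robot])
            return
        }
        redirect(action: 'show', id: robot.id)
    }
}
```

The two pieces work together: the URL map rejects anonymous requests to /robot/** cheaply, and the controller decides per row. Returning 404 for an unknown id and 403 for a foreign one keeps the decision explicit in the response instead of in a log line.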

Answers (1)

Elias Dorneles

Reputation: 23806

I don't think you can do that kind of thing with plain Spring Security core.

Your teacher is right in the sense that you probably shouldn't implement the security in an ad-hoc manner, but you don't necessarily have to do it in the Config.groovy -- that is a bit limiting.

You probably want to use the Spring Security ACL plugin; it adds some more domain classes and allows you to set up the access control in much more fine-grained detail.

Check out the official docs. It may take a little while for you to learn it, but it is much better than rolling your own ACL mechanism.

Upvotes: 2
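What the ACL plugin route looks like in practice, as an added example that is not part of the answer and not the plugin's own sample code: ownership becomes a stored access-control entry created when the Robot is saved, and the edit rule becomes a Spring EL expression on the service method, so neither Config.groovy nor the controller needs to compare usernames. It assumes the spring-security-acl plugin is installed with its ACL tables created (the version is left as a placeholder), that `Robot` is in the default package, and the field names `nombre` and `descripcion`.

```groovy
import org.springframework.security.access.prepost.PreAuthorize
import org.springframework.security.acls.domain.BasePermission
import org.springframework.transaction.annotation.Transactional

// Needs the spring-security-acl plugin (BuildConfig.groovy: compile ':spring-security-acl:<version>')
// and its ACL tables, created with the plugin's s2-create-acl-domains script.
class RobotService {

    static transactional = false   // transactions are declared per method below

    def aclUtilService             // provided by the ACL plugin
    def springSecurityService

    @Transactional
    @PreAuthorize("isAuthenticated()")
    Robot create(Map fields) {
        Robot robot = new Robot(fields)
        robot.usuario = springSecurityService.currentUser
        robot.save(failOnError: true, flush: true)   // the row needs an id before an ACE can point at it
        // Grant the creator, by username, the permissions on this one row that the
        // methods below check. Grant each permission you intend to check explicitly;
        // ACL entries are matched per permission, not by implication.
        String creator = springSecurityService.authentication.name
        aclUtilService.addPermission robot, creator, BasePermission.WRITE
        aclUtilService.addPermission robot, creator, BasePermission.DELETE
        return robot
    }

    // Evaluated before the body runs: an ACE on Robot #id granting 'write' to the caller,
    // or an admin role. 'Robot' must be the fully qualified class name if it lives in a package.
    @Transactional
    @PreAuthorize("hasPermission(#id, 'Robot', write) or hasAnyRole('ROL_ADMIN','ROL_SUPERADMIN')")
    Robot update(long id, Map fields) {
        Robot robot = Robot.get(id)
        if (!robot) return null
        robot.properties['nombre', 'descripcion'] = fields    // whitelist; 'usuario' is never bound
        robot.save(flush: true)
        return robot
    }

    @Transactional
    @PreAuthorize("hasPermission(#id, 'Robot', delete) or hasAnyRole('ROL_ADMIN','ROL_SUPERADMIN')")
    void delete(long id) {
        Robot robot = Robot.get(id)
        if (!robot) return
        aclUtilService.deleteAcl robot    // drop the row's ACEs with it, leaving no orphaned grants
        robot.delete(flush: true)
    }
}
```

A failed @PreAuthorize throws org.springframework.security.access.AccessDeniedException before the method body runs; the controller should turn that into a 403 response rather than let it surface as a 500. Because the check is attached to the service method, every caller (controller, job, console) gets the same decision, which is the "not ad-hoc" property the answer is after.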
