Gleydson S. Tavares

Reputation: 600

how to prevent a logged in user to edit another using Spring Security ACL in Grails?

I have the role student in my Spring Security Core. The role student can edit his own information. But if he wants to edit another user's information, that is also possible.

@Secured(['ROLE_ADMIN','ROLE_STUDENT'])
@PreAuthorize('isAuthenticated() and principal?.id == #studentInstance.id')
def edit(Student studentInstance) {
    respond studentInstance
}

I used the ACL plugin, but it did not work. You can still edit another student.

Upvotes: 0

Views: 65

Answers (1)

Burt Beckwith

Reputation: 75671

You can use @Secured in controllers because the core plugin looks for them and builds the corresponding access rule checks for you, but none of the other Spring Security annotations are supported in controllers.

Instead, annotate a service method and call it from the controller. Spring Security wraps annotated Spring beans (e.g. services) in proxies that perform the checks and only call the bean methods if the checks succeed.

Upvotes: 1
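The layout the answer describes, written out as an added example (this is not code from the question or the answer): the role gate stays in the controller as @Secured, and the per-record ownership check moves into a service method where @PreAuthorize is actually enforced. Assumed names are a Student domain class, a StudentService bean, a StudentController, and a principal (the plugin's GrailsUser) that exposes the user's id; the import paths assume the 2.x line of the plugin on Grails 2, and method security on service beans is assumed to be wired up (the question says the ACL plugin is installed).

```groovy
// Added example, not code from the question or the answer. Assumed names:
// a Student domain class, a StudentService bean, a StudentController and a
// principal (the plugin's GrailsUser) that exposes the user's `id`.
// Import paths assume spring-security-core 2.x on Grails 2; method security
// for service beans is assumed to be enabled so the service gets proxied.
import grails.plugin.springsecurity.annotation.Secured
import grails.transaction.Transactional
import org.springframework.security.access.AccessDeniedException
import org.springframework.security.access.prepost.PreAuthorize

@Transactional
class StudentService {

    // The proxy evaluates this expression before the method body runs and
    // throws AccessDeniedException when it is false. #id is the parameter
    // name; an admin may load anyone, a student only the record whose id
    // matches the authenticated principal.
    @PreAuthorize("hasRole('ROLE_ADMIN') or (hasRole('ROLE_STUDENT') and principal?.id == #id)")
    Student loadForEdit(Long id) {
        Student.get(id)
    }

    // The same rule guards the write path. It compares against the id of the
    // bound Student, so a tampered form field that points at another student
    // is rejected here instead of relying on the edit page alone.
    @PreAuthorize("hasRole('ROLE_ADMIN') or (hasRole('ROLE_STUDENT') and principal?.id == #student.id)")
    Student update(Student student) {
        student.save(failOnError: true)
    }
}

class StudentController {

    StudentService studentService

    // @Secured stays on the controller: the core plugin turns it into a URL
    // access rule. It only gates by role; the per-record ownership check is
    // in the service, because @PreAuthorize on a controller action is ignored.
    @Secured(['ROLE_ADMIN', 'ROLE_STUDENT'])
    def edit(Long id) {
        try {
            Student student = studentService.loadForEdit(id)
            if (student == null) {
                render status: 404
                return
            }
            respond student
        } catch (AccessDeniedException ignored) {
            render status: 403
        }
    }

    @Secured(['ROLE_ADMIN', 'ROLE_STUDENT'])
    def update(Student studentInstance) {
        if (studentInstance == null) {
            render status: 404
            return
        }
        try {
            studentService.update(studentInstance)
            redirect action: 'edit', id: studentInstance.id
        } catch (AccessDeniedException ignored) {
            render status: 403
        }
    }
}
```

The try/catch is optional: an uncaught AccessDeniedException is handled by the plugin's own access-denied handling. The point of the layout is that the ownership decision is made server-side on the id the service receives, so a student who changes the id in the URL or in a hidden form field still fails the check on both the read and the write path.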
