
Spring Security - Determine if a user (not current user) has access to a controller


eisnerj
I am trying to write a method that will tell if a user has access to a certain controller and action.  Here is what I have below.  It currently does not work.  Can you tell me what I am doing wrong?


package test

import test.account.*

import org.codehaus.groovy.grails.plugins.springsecurity.SpringSecurityUtils

/**
 * This class adds additional functionality that SpringSecurityService doesn't offer out of the box
 */
class SecurityService {
        static transactional = false
       
        def webInvocationPrivilegeEvaluator
        def springSecurityService
       
        // Checks if currently logged in user has access to the given controller and action
        public boolean hasAccess(String controller, String action = null) {
                if (!springSecurityService.isLoggedIn()) {
                        return false
                }
               
                return userHasAccess(springSecurityService.currentUser, controller, action)
        }
       
        // Checks if given user has access to the given controller and action
        public boolean userHasAccess(User user, String controller, String action = null) {
                if (!controller) {
                        return false
                }
               
                def isAllowed = false
                SpringSecurityUtils.doWithAuth(user.username) {
                        def url = "/cltve/${controller}" + (action ? "/${action}" : "")
                        def auth = springSecurityService.authentication
                        log.info auth.dump()
                        isAllowed = webInvocationPrivilegeEvaluator.isAllowed(url, auth)
                }
               
                return isAllowed
        }
}
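
The per-user check described in the post above can also be done without switching the security context, by building an Authentication for the target user and passing it to the evaluator directly. This is an added example, not the poster's code or the plugin's own; the UserAccessService name and the injected userDetailsService bean are assumptions, and the URI is passed without a context-path prefix because the two-argument isAllowed takes a URI relative to the application.

```groovy
package test

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken
import org.springframework.security.core.Authentication
import org.springframework.security.core.userdetails.UserDetails
import org.springframework.security.core.userdetails.UsernameNotFoundException

// Added example (hypothetical service name): evaluates the URL rules for an
// arbitrary user without touching the caller's SecurityContext.
class UserAccessService {
    static transactional = false

    def userDetailsService                // assumption: Spring Security UserDetailsService bean
    def webInvocationPrivilegeEvaluator   // same bean the original post injects

    boolean userHasAccess(String username, String controller, String action = null) {
        if (!username || !controller) {
            return false                  // fail closed on missing input
        }

        UserDetails details
        try {
            details = userDetailsService.loadUserByUsername(username)
        } catch (UsernameNotFoundException ignored) {
            return false                  // unknown user: deny
        }
        if (!details.enabled || !details.accountNonLocked || !details.accountNonExpired) {
            return false                  // disabled, locked or expired accounts get no access
        }

        // The three-argument constructor yields an authenticated token that
        // carries the target user's granted authorities.
        Authentication auth = new UsernamePasswordAuthenticationToken(
                details, null, details.authorities)

        // URI relative to the application, i.e. without the context path.
        String uri = "/${controller}" + (action ? "/${action}" : "")

        return webInvocationPrivilegeEvaluator.isAllowed(uri, auth)
    }
}
```

Because the token is built locally and never placed in SecurityContextHolder, a failure part-way through cannot leave the calling thread authenticated as the other user.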

RE: Spring Security - Determine if a user (not current user) has access to a controller

Ryan Vanderwerf
Why not use the Annotations on your controller using SpEL??


It could look like this:
@Secured(["isAuthenticated() and hasRole('ROLE_SOMETHING')"])
def edit = {
    // do something more secure

}

You can even add your own classes to evaluate new things; at my last place they added a 'hasPermission()' and an 'isOwner()' to the mix.


Ryan Vanderwerf
Chief Architect / Director of Products
ReachForce
________________________________________
From: eisnerj [[hidden email]]
Sent: Friday, June 29, 2012 2:57 PM
To: [hidden email]
Subject: [grails-user] Spring Security - Determine if a user (not current user) has access to a controller
