Hi, I'm using the Spring Security UI plugin for Grails. Is there a way to prevent the logged-in user from seeing other users' data? For instance, the user may write in the URL:

To make myself clear: the logged-in user's ID in the DB is 2, but when that user goes to http://localhost/users/show/3, he can see this user's details, and vice versa; the same applies to the edit and delete actions. So how can I prevent this breach?

Thanks,
Sherif

You received this message because you are subscribed to the Google Groups "Grails Dev Discuss" group. To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email]. To post to this group, send email to [hidden email]. To view this discussion on the web visit https://groups.google.com/d/msgid/grails-dev-discuss/050ab209-eda7-47ba-be31-859c86f735e9%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Hi,
I think you got a good answer at: http://stackoverflow.com/questions/33225757/prevent-the-logged-in-user-to-see-other-users-data-in-spring-security-plugin

Unfortunately it was put on hold, but I think you have something to work with from that single answer.

Another alternative would be to restrict access at the DB layer, for instance by using the Hibernate Filter plugin: https://grails.org/plugin/hibernate-filter

This is a more coarse-grained approach that would behave as if each user has his/her own database.

The simplest approach would of course be to just have an if-statement in each action that checks whether the currently logged-in user has an id equal to the parameter.

Regards,
Claes

On Tuesday, 20 October 2015 at 15:15:31 UTC+2, Sherif Shehab wrote:
Hi,

Thanks for your reply. So in the Spring Security plugin there is nothing that can help me achieve this?

Thanks

On Tuesday, October 20, 2015 at 6:28:01 PM UTC+2, Claes Svensson wrote:
Thanks
Sherif
I think the Spring Security plugin can help you out as well. See for instance this blog:

My application mainly divides between organisations, so I have gone down the Hibernate Filter plugin route, but I might as well have use for a few checks with SpEL now that I think of it...

Regards,
Claes

2015-10-20 20:59 GMT+02:00 Sherif Shehab <[hidden email]>:
You might want to check out the Spring Security ACL plugin: http://grails.org/plugin/spring-security-acl

From the read-me:

The ACL plugin adds Domain Object Security support to a Grails application that uses Spring Security. It depends on the Spring Security Core plugin. The core plugin and other extension plugins support restricting access to URLs via rules that include checking a user's authentication status, roles, etc., and the ACL plugin extends this by adding support for restricting access to individual domain class instances. The access can be very fine-grained and can define which actions can be taken on an object; these typically include Read, Create, Write, Delete, and Administer, but you're free to define whatever actions you like.

Best regards,
Søren Berg Glasius
Hedevej 1, Gl. Rye, 8680 Ry, Denmark
Mobile: +45 40 44 91 88, Skype: sbglasius
---
Press ESC once to quit - twice to save the changes.

On 20 October 2015 at 20:59, Sherif Shehab <[hidden email]> wrote:
Yes, this is very doable. You want this for users in certain roles. What you now do in your index action is SpringSecurityUtils.ifAnyGranted('ROLE_RESTRICTED') Then, if he's in this role, get the logged in user using springSecurityService. Then just show him. Same for show, edit, update and delete. If he somehow ends up there and wants to see, edit or delete someone else, see if this someone else is him. If not, redirect to show with his own user and a message saying, 'sorry bud, you cannot do that.'
On Wednesday, October 21, 2015 at 12:15:31 AM UTC+11, Sherif Shehab wrote:
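The problem in the thread is a missing object-level authorization check: the URL id is trusted, so any authenticated user can read, edit or delete any row. Claes's "if-statement in each action" and the last answer's show/edit/update/delete procedure are the same fix, so here is one worked version of it as an added example, not code from the thread, from the Spring Security UI plugin or from the Grails project. It is written for a Grails 2.x controller and assumes the Spring Security Core plugin's `springSecurityService` bean, a domain class `com.example.User` (an assumed name), and a role `ROLE_ADMIN` that is allowed to manage other accounts (also assumed). The last answer limits users who hold `ROLE_RESTRICTED`; this example inverts that into a default-deny rule, so a user without the admin role never sees another account even if a role is forgotten.

```groovy
// Added example: ownership check for every id-taking action of a user controller.
// Assumptions (not from the thread): domain class com.example.User, role ROLE_ADMIN,
// and the springSecurityService bean provided by the Spring Security Core plugin.
package com.example

import grails.plugin.springsecurity.SpringSecurityUtils
import grails.plugin.springsecurity.annotation.Secured

@Secured(['IS_AUTHENTICATED_FULLY'])
class UserController {

    def springSecurityService

    // Returns the requested row only when the caller is allowed to touch it:
    // either it is the caller's own row, or the caller holds ROLE_ADMIN.
    // Every other case returns null, so the actions below fail closed.
    private User ownRecordOrNull(Long id) {
        if (id == null) {
            return null
        }
        Long currentId = springSecurityService.principal.id
        boolean isAdmin = SpringSecurityUtils.ifAnyGranted('ROLE_ADMIN')
        if (!isAdmin && id != currentId) {
            // Someone else's id in the URL: do not even load the row.
            return null
        }
        return User.get(id)
    }

    // Sends the caller back to their own record with a message, as the
    // last answer in the thread suggests, instead of leaking whether id exists.
    private void denyAndRedirect() {
        flash.message = 'You can only view or change your own account.'
        redirect action: 'show', id: springSecurityService.principal.id
    }

    def show(Long id) {
        User user = ownRecordOrNull(id)
        if (!user) { denyAndRedirect(); return }
        [userInstance: user]
    }

    def edit(Long id) {
        User user = ownRecordOrNull(id)
        if (!user) { denyAndRedirect(); return }
        [userInstance: user]
    }

    def update(Long id) {
        User user = ownRecordOrNull(id)
        if (!user) { denyAndRedirect(); return }
        // Bind only the fields a user may change; never user.properties = params,
        // which would also let the request overwrite id, enabled or role links.
        bindData(user, params, [include: ['email', 'displayName']])
        if (!user.save(flush: true)) {
            render view: 'edit', model: [userInstance: user]
            return
        }
        flash.message = 'Account updated.'
        redirect action: 'show', id: user.id
    }

    def delete(Long id) {
        User user = ownRecordOrNull(id)
        if (!user) { denyAndRedirect(); return }
        user.delete(flush: true)
        // After deleting their own account the session is no longer valid.
        redirect uri: '/logout'
    }
}
```

The check lives in one private helper so that adding a new id-taking action cannot silently skip it; the same comparison (`id != currentId` unless the caller is an admin) is what a Grails filter or interceptor would run before the action if you prefer to enforce it outside the controller. For finer-grained rules (per-object permissions rather than "own row only"), the ACL plugin Søren mentions replaces this helper with `hasPermission` checks on the domain instance.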