Grails › Grails Dev Discuss

prevent the logged in user to see other users data in Spring security plugin

_‹ Previous Topic Next Topic _›

Classic

List

Threaded

6 messages Options

sshehab

prevent the logged in user to see other users data in Spring security plugin

Hi,

i'm using Spring security UI plugin for Grails , is there a way to prevent the logged in user to see other users data for instance the user may write in the URL

/show/3

to make my self clear , the logged in user's ID in the DB is 2 ,but when that user goes to this http://localhost/users/show/3 , he can see this user's details and vice versa same for edit and delete actions.

So how i can prevent this breach

Thanks

--
You received this message because you are subscribed to the Google Groups "Grails Dev Discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/grails-dev-discuss/050ab209-eda7-47ba-be31-859c86f735e9%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Thanks Sherif

Claes Svensson

Re: prevent the logged in user to see other users data in Spring security plugin

Hi,

I think you got a good answer at:

http://stackoverflow.com/questions/33225757/prevent-the-logged-in-user-to-see-other-users-data-in-spring-security-plugin

Unfortunate that it was put on hold, but I think you have something to work with from that single answer. Another alternative would be to restrict access at the DB-layer, for instance by using the Hibernate Filter plugin:

https://grails.org/plugin/hibernate-filter

This is a more coarse-grained approach that would behave as if each user has his/her own database. The simplest approach would of course be to just have an if-statement in each action that checks if the currently logged in user has an id equal to the parameter.

Regards Claes

Den tisdag 20 oktober 2015 kl. 15:15:31 UTC+2 skrev Sherif Shehab:

Hi,

i'm using Spring security UI plugin for Grails , is there a way to prevent the logged in user to see other users data for instance the user may write in the URL
/show/3
to make my self clear , the logged in user's ID in the DB is 2 ,but when that user goes to this <a href="http://localhost/users/show/3" rel="nofollow" style="color:rgb(12,101,165)" target="_blank" onmousedown="this.href='http://www.google.com/url?q\75http%3A%2F%2Flocalhost%2Fusers%2Fshow%2F3\46sa\75D\46sntz\0751\46usg\75AFQjCNHstSfKUxlFvYsIwRH7NlbI_O8LUw';return true;" onclick="this.href='http://www.google.com/url?q\75http%3A%2F%2Flocalhost%2Fusers%2Fshow%2F3\46sa\75D\46sntz\0751\46usg\75AFQjCNHstSfKUxlFvYsIwRH7NlbI_O8LUw';return true;">http://localhost/users/show/3 , he can see this user's details and vice versa same for edit and delete actions.

So how i can prevent this breach

Thanks

--
You received this message because you are subscribed to the Google Groups "Grails Dev Discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/grails-dev-discuss/5c8c1826-925d-4fb7-abe4-47113c03674d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

sshehab

Re: prevent the logged in user to see other users data in Spring security plugin

Hi ,

Thanks for your reply , so in the Spring security plugin nothing can help me in achieving this ?

Thanks

On Tuesday, October 20, 2015 at 6:28:01 PM UTC+2, Claes Svensson wrote:

Hi,

I think you got a good answer at:

<a href="http://stackoverflow.com/questions/33225757/prevent-the-logged-in-user-to-see-other-users-data-in-spring-security-plugin" target="_blank" rel="nofollow" onmousedown="this.href='http://www.google.com/url?q\75http%3A%2F%2Fstackoverflow.com%2Fquestions%2F33225757%2Fprevent-the-logged-in-user-to-see-other-users-data-in-spring-security-plugin\46sa\75D\46sntz\0751\46usg\75AFQjCNGxIjZ4VhN1lCeW1jz6HMdpxCqr4g';return true;" onclick="this.href='http://www.google.com/url?q\75http%3A%2F%2Fstackoverflow.com%2Fquestions%2F33225757%2Fprevent-the-logged-in-user-to-see-other-users-data-in-spring-security-plugin\46sa\75D\46sntz\0751\46usg\75AFQjCNGxIjZ4VhN1lCeW1jz6HMdpxCqr4g';return true;">http://stackoverflow.com/questions/33225757/prevent-the-logged-in-user-to-see-other-users-data-in-spring-security-plugin

Unfortunate that it was put on hold, but I think you have something to work with from that single answer. Another alternative would be to restrict access at the DB-layer, for instance by using the Hibernate Filter plugin:

<a href="https://grails.org/plugin/hibernate-filter" target="_blank" rel="nofollow" onmousedown="this.href='https://www.google.com/url?q\75https%3A%2F%2Fgrails.org%2Fplugin%2Fhibernate-filter\46sa\75D\46sntz\0751\46usg\75AFQjCNEKlqXtk1x6ZfRhws0nVBpqhI3F5A';return true;" onclick="this.href='https://www.google.com/url?q\75https%3A%2F%2Fgrails.org%2Fplugin%2Fhibernate-filter\46sa\75D\46sntz\0751\46usg\75AFQjCNEKlqXtk1x6ZfRhws0nVBpqhI3F5A';return true;">https://grails.org/plugin/hibernate-filter

This is a more coarse-grained approach that would behave as if each user has his/her own database. The simplest approach would of course be to just have an if-statement in each action that checks if the currently logged in user has an id equal to the parameter.
Regards Claes

Den tisdag 20 oktober 2015 kl. 15:15:31 UTC+2 skrev Sherif Shehab:
Hi,

i'm using Spring security UI plugin for Grails , is there a way to prevent the logged in user to see other users data for instance the user may write in the URL
/show/3
to make my self clear , the logged in user's ID in the DB is 2 ,but when that user goes to this <a href="http://localhost/users/show/3" rel="nofollow" style="color:rgb(12,101,165)" target="_blank" onmousedown="this.href='http://www.google.com/url?q\75http%3A%2F%2Flocalhost%2Fusers%2Fshow%2F3\46sa\75D\46sntz\0751\46usg\75AFQjCNHstSfKUxlFvYsIwRH7NlbI_O8LUw';return true;" onclick="this.href='http://www.google.com/url?q\75http%3A%2F%2Flocalhost%2Fusers%2Fshow%2F3\46sa\75D\46sntz\0751\46usg\75AFQjCNHstSfKUxlFvYsIwRH7NlbI_O8LUw';return true;">http://localhost/users/show/3 , he can see this user's details and vice versa same for edit and delete actions.

So how i can prevent this breach

Thanks

--
You received this message because you are subscribed to the Google Groups "Grails Dev Discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/grails-dev-discuss/a2b98156-fe0c-4734-8f67-94ef924bb27d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Thanks Sherif

Claes Svensson

Re: prevent the logged in user to see other users data in Spring security plugin

I think the Spring Security plugin can help you out as well. See for instance this blog:

http://www.mscharhag.com/grails/using-spring-security-method-security

My application mainly divides between organisations, so I have gone done the Hibernate Filter plugin route - but I might as well have use for a few checks with SpEL now that I think of it...

Regards Claes

2015-10-20 20:59 GMT+02:00 Sherif Shehab <[hidden email]>:

Hi ,
Thanks for your reply , so in the Spring security plugin nothing can help me in achieving this ?
Thanks

On Tuesday, October 20, 2015 at 6:28:01 PM UTC+2, Claes Svensson wrote:
Hi,

I think you got a good answer at:

http://stackoverflow.com/questions/33225757/prevent-the-logged-in-user-to-see-other-users-data-in-spring-security-plugin

Unfortunate that it was put on hold, but I think you have something to work with from that single answer. Another alternative would be to restrict access at the DB-layer, for instance by using the Hibernate Filter plugin:

https://grails.org/plugin/hibernate-filter

This is a more coarse-grained approach that would behave as if each user has his/her own database. The simplest approach would of course be to just have an if-statement in each action that checks if the currently logged in user has an id equal to the parameter.
Regards Claes

Den tisdag 20 oktober 2015 kl. 15:15:31 UTC+2 skrev Sherif Shehab:
Hi,

i'm using Spring security UI plugin for Grails , is there a way to prevent the logged in user to see other users data for instance the user may write in the URL
/show/3
to make my self clear , the logged in user's ID in the DB is 2 ,but when that user goes to this http://localhost/users/show/3 , he can see this user's details and vice versa same for edit and delete actions.

So how i can prevent this breach

Thanks
--
You received this message because you are subscribed to a topic in the Google Groups "Grails Dev Discuss" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/grails-dev-discuss/v21Xpvo6QFQ/unsubscribe.
To unsubscribe from this group and all its topics, send an email to [hidden email].
To post to this group, send email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/grails-dev-discuss/a2b98156-fe0c-4734-8f67-94ef924bb27d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Grails Dev Discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/grails-dev-discuss/CAFY59ev%3Ddz9%3DmvRm-BHz1rbxpiVj-_9yOBXVMAbpdYkVgu5Giw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

sbglasius

Re: prevent the logged in user to see other users data in Spring security plugin

In reply to this post by sshehab

You might want to check out the Spring Security ACL plugin: http://grails.org/plugin/spring-security-acl

From the read-me:

The ACL plugin adds Domain Object Security support to a Grails application that uses Spring Security. It depends on the Spring Security Core plugin. The core plugin and other extension plugins support restricting access to URLs via rules that include checking a user's authentication status, roles, etc. and the ACL plugin extends this by adding support for restricting access to individual domain class instances. The access can be very fine-grained and can define which actions can be taken on an object - these typically include Read, Create, Write, Delete, and Administer but you're free to define whatever actions you like.

Best regards / Med venlig hilsen,
Søren Berg Glasius

Hedevej 1, Gl. Rye, 8680 Ry, Denmark
Mobile: +45 40 44 91 88, Skype: sbglasius
--- Press ESC once to quit - twice to save the changes.

On 20 October 2015 at 20:59, Sherif Shehab <[hidden email]> wrote:

Hi ,
Thanks for your reply , so in the Spring security plugin nothing can help me in achieving this ?
Thanks

On Tuesday, October 20, 2015 at 6:28:01 PM UTC+2, Claes Svensson wrote:
Hi,

I think you got a good answer at:

http://stackoverflow.com/questions/33225757/prevent-the-logged-in-user-to-see-other-users-data-in-spring-security-plugin

Unfortunate that it was put on hold, but I think you have something to work with from that single answer. Another alternative would be to restrict access at the DB-layer, for instance by using the Hibernate Filter plugin:

https://grails.org/plugin/hibernate-filter

This is a more coarse-grained approach that would behave as if each user has his/her own database. The simplest approach would of course be to just have an if-statement in each action that checks if the currently logged in user has an id equal to the parameter.

Regards Claes

Den tisdag 20 oktober 2015 kl. 15:15:31 UTC+2 skrev Sherif Shehab:
Hi,

i'm using Spring security UI plugin for Grails , is there a way to prevent the logged in user to see other users data for instance the user may write in the URL
/show/3
to make my self clear , the logged in user's ID in the DB is 2 ,but when that user goes to this http://localhost/users/show/3 , he can see this user's details and vice versa same for edit and delete actions.

So how i can prevent this breach

Thanks
--
You received this message because you are subscribed to the Google Groups "Grails Dev Discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/grails-dev-discuss/a2b98156-fe0c-4734-8f67-94ef924bb27d%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Grails Dev Discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/grails-dev-discuss/CAGY%2BWWQrXjzE31DbNUaqa406%3DUg_%2B8C%3D60xqWQpvv0XGynBrMA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Chris Malan

Re: prevent the logged in user to see other users data in Spring security plugin

In reply to this post by sshehab

Yes, this is very doable. You want this for users in certain roles. What you now do in your index action is SpringSecurityUtils.ifAnyGranted('ROLE_RESTRICTED') Then, if he's in this role, get the logged in user using springSecurityService. Then just show him. Same for show, edit, update and delete. If he somehow ends up there and wants to see, edit or delete someone else, see if this someone else is him. If not, redirect to show with his own user and a message saying, 'sorry bud, you cannot do that.'

On Wednesday, October 21, 2015 at 12:15:31 AM UTC+11, Sherif Shehab wrote:

Hi,

i'm using Spring security UI plugin for Grails , is there a way to prevent the logged in user to see other users data for instance the user may write in the URL
/show/3
to make my self clear , the logged in user's ID in the DB is 2 ,but when that user goes to this <a href="http://localhost/users/show/3" rel="nofollow" style="color:rgb(12,101,165)" target="_blank" onmousedown="this.href='http://www.google.com/url?q\x3dhttp%3A%2F%2Flocalhost%2Fusers%2Fshow%2F3\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNHstSfKUxlFvYsIwRH7NlbI_O8LUw';return true;" onclick="this.href='http://www.google.com/url?q\x3dhttp%3A%2F%2Flocalhost%2Fusers%2Fshow%2F3\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNHstSfKUxlFvYsIwRH7NlbI_O8LUw';return true;">http://localhost/users/show/3 , he can see this user's details and vice versa same for edit and delete actions.

So how i can prevent this breach

Thanks

--
You received this message because you are subscribed to the Google Groups "Grails Dev Discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/grails-dev-discuss/910a2d0f-e76c-4b39-ad30-7b32d58948f4%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.