|
|
|
|
Hi,
I think you got a good answer at:
http://stackoverflow.com/questions/33225757/prevent-the-logged-in-user-to-see-other-users-data-in-spring-security-plugin
Unfortunate that it was put on hold, but I think you have something to work with from that single answer. Another alternative would be to restrict access at the DB-layer, for instance by using the Hibernate Filter plugin:
https://grails.org/plugin/hibernate-filter
This is a more coarse-grained approach that would behave as if each user has his/her own database. The simplest approach would of course be to just have an if-statement in each action that checks if the currently logged in user has an id equal to the parameter.
Regards Claes Den tisdag 20 oktober 2015 kl. 15:15:31 UTC+2 skrev Sherif Shehab: Hi,
i'm using Spring security UI plugin for Grails , is there a way to prevent the logged in user to see other users data for instance the user may write in the URL /show/3
to make my self clear , the logged in user's ID in the DB is 2 ,but when that user goes to this <a href="http://localhost/users/show/3" rel="nofollow" style="color:rgb(12,101,165)" target="_blank" onmousedown="this.href='http://www.google.com/url?q\75http%3A%2F%2Flocalhost%2Fusers%2Fshow%2F3\46sa\75D\46sntz\0751\46usg\75AFQjCNHstSfKUxlFvYsIwRH7NlbI_O8LUw';return true;" onclick="this.href='http://www.google.com/url?q\75http%3A%2F%2Flocalhost%2Fusers%2Fshow%2F3\46sa\75D\46sntz\0751\46usg\75AFQjCNHstSfKUxlFvYsIwRH7NlbI_O8LUw';return true;">http://localhost/users/show/3 , he can see this user's details and vice versa same for edit and delete actions.
So how i can prevent this breach
Thanks
--
You received this message because you are subscribed to the Google Groups "Grails Dev Discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/grails-dev-discuss/5c8c1826-925d-4fb7-abe4-47113c03674d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
|
|
|
Hi , Thanks for your reply , so in the Spring security plugin nothing can help me in achieving this ?
Thanks On Tuesday, October 20, 2015 at 6:28:01 PM UTC+2, Claes Svensson wrote: Hi,
I think you got a good answer at:
<a href="http://stackoverflow.com/questions/33225757/prevent-the-logged-in-user-to-see-other-users-data-in-spring-security-plugin" target="_blank" rel="nofollow" onmousedown="this.href='http://www.google.com/url?q\75http%3A%2F%2Fstackoverflow.com%2Fquestions%2F33225757%2Fprevent-the-logged-in-user-to-see-other-users-data-in-spring-security-plugin\46sa\75D\46sntz\0751\46usg\75AFQjCNGxIjZ4VhN1lCeW1jz6HMdpxCqr4g';return true;" onclick="this.href='http://www.google.com/url?q\75http%3A%2F%2Fstackoverflow.com%2Fquestions%2F33225757%2Fprevent-the-logged-in-user-to-see-other-users-data-in-spring-security-plugin\46sa\75D\46sntz\0751\46usg\75AFQjCNGxIjZ4VhN1lCeW1jz6HMdpxCqr4g';return true;">http://stackoverflow.com/questions/33225757/prevent-the-logged-in-user-to-see-other-users-data-in-spring-security-plugin
Unfortunate that it was put on hold, but I think you have something to work with from that single answer. Another alternative would be to restrict access at the DB-layer, for instance by using the Hibernate Filter plugin:
<a href="https://grails.org/plugin/hibernate-filter" target="_blank" rel="nofollow" onmousedown="this.href='https://www.google.com/url?q\75https%3A%2F%2Fgrails.org%2Fplugin%2Fhibernate-filter\46sa\75D\46sntz\0751\46usg\75AFQjCNEKlqXtk1x6ZfRhws0nVBpqhI3F5A';return true;" onclick="this.href='https://www.google.com/url?q\75https%3A%2F%2Fgrails.org%2Fplugin%2Fhibernate-filter\46sa\75D\46sntz\0751\46usg\75AFQjCNEKlqXtk1x6ZfRhws0nVBpqhI3F5A';return true;">https://grails.org/plugin/hibernate-filter
This is a more coarse-grained approach that would behave as if each user has his/her own database. The simplest approach would of course be to just have an if-statement in each action that checks if the currently logged in user has an id equal to the parameter.
Regards Claes Den tisdag 20 oktober 2015 kl. 15:15:31 UTC+2 skrev Sherif Shehab: Hi,
i'm using Spring security UI plugin for Grails , is there a way to prevent the logged in user to see other users data for instance the user may write in the URL /show/3
to make my self clear , the logged in user's ID in the DB is 2 ,but when that user goes to this <a href="http://localhost/users/show/3" rel="nofollow" style="color:rgb(12,101,165)" target="_blank" onmousedown="this.href='http://www.google.com/url?q\75http%3A%2F%2Flocalhost%2Fusers%2Fshow%2F3\46sa\75D\46sntz\0751\46usg\75AFQjCNHstSfKUxlFvYsIwRH7NlbI_O8LUw';return true;" onclick="this.href='http://www.google.com/url?q\75http%3A%2F%2Flocalhost%2Fusers%2Fshow%2F3\46sa\75D\46sntz\0751\46usg\75AFQjCNHstSfKUxlFvYsIwRH7NlbI_O8LUw';return true;">http://localhost/users/show/3 , he can see this user's details and vice versa same for edit and delete actions.
So how i can prevent this breach
Thanks
--
You received this message because you are subscribed to the Google Groups "Grails Dev Discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/grails-dev-discuss/a2b98156-fe0c-4734-8f67-94ef924bb27d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Thanks
Sherif
|
|
|
From the read-me: The ACL plugin adds Domain Object Security support to a Grails application that uses Spring Security. It depends on the Spring Security Core plugin. The core plugin and other extension plugins support restricting access to URLs via rules that include checking a user's authentication status, roles, etc. and the ACL plugin extends this by adding support for restricting access to individual domain class instances. The access can be very fine-grained and can define which actions can be taken on an object - these typically include Read, Create, Write, Delete, and Administer but you're free to define whatever actions you like.
--
You received this message because you are subscribed to the Google Groups "Grails Dev Discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/grails-dev-discuss/CAGY%2BWWQrXjzE31DbNUaqa406%3DUg_%2B8C%3D60xqWQpvv0XGynBrMA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
|
|
|
Yes, this is very doable. You want this for users in certain roles. What you now do in your index action is SpringSecurityUtils.ifAnyGranted('ROLE_RESTRICTED') Then, if he's in this role, get the logged in user using springSecurityService. Then just show him. Same for show, edit, update and delete. If he somehow ends up there and wants to see, edit or delete someone else, see if this someone else is him. If not, redirect to show with his own user and a message saying, 'sorry bud, you cannot do that.' On Wednesday, October 21, 2015 at 12:15:31 AM UTC+11, Sherif Shehab wrote: Hi,
i'm using Spring security UI plugin for Grails , is there a way to prevent the logged in user to see other users data for instance the user may write in the URL /show/3
to make my self clear , the logged in user's ID in the DB is 2 ,but when that user goes to this <a href="http://localhost/users/show/3" rel="nofollow" style="color:rgb(12,101,165)" target="_blank" onmousedown="this.href='http://www.google.com/url?q\x3dhttp%3A%2F%2Flocalhost%2Fusers%2Fshow%2F3\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNHstSfKUxlFvYsIwRH7NlbI_O8LUw';return true;" onclick="this.href='http://www.google.com/url?q\x3dhttp%3A%2F%2Flocalhost%2Fusers%2Fshow%2F3\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNHstSfKUxlFvYsIwRH7NlbI_O8LUw';return true;">http://localhost/users/show/3 , he can see this user's details and vice versa same for edit and delete actions.
So how i can prevent this breach
Thanks
--
You received this message because you are subscribed to the Google Groups "Grails Dev Discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/grails-dev-discuss/910a2d0f-e76c-4b39-ad30-7b32d58948f4%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
|
|
Locked
