Prevent the logged-in user from seeing other users' data in the Spring Security plugin


Sherif Shehab

Oct 20, 2015, 9:15:31 AM
to Grails Dev Discuss

Hi,


I'm using the Spring Security UI plugin for Grails. Is there a way to prevent the logged-in user from seeing other users' data? For instance, the user may write in the URL

/show/3

To make myself clear: the logged-in user's ID in the DB is 2, but when that user goes to http://localhost/users/show/3, he can see that user's details, and vice versa. The same goes for the edit and delete actions.


So how can I prevent this breach?


Thanks


Claes Svensson

Oct 20, 2015, 12:28:01 PM
to Grails Dev Discuss
Hi,

I think you got a good answer at:


Unfortunate that it was put on hold, but I think you have something to work with from that single answer. Another alternative would be to restrict access at the DB-layer, for instance by using the Hibernate Filter plugin:


This is a more coarse-grained approach that would behave as if each user has his/her own database. The simplest approach would of course be to just have an if-statement in each action that checks if the currently logged in user has an id equal to the parameter.

Regards Claes

Sherif Shehab

Oct 20, 2015, 2:59:00 PM
to Grails Dev Discuss
Hi,
Thanks for your reply. So there is nothing in the Spring Security plugin that can help me achieve this?

Thanks

Claes Svensson

Oct 20, 2015, 3:17:24 PM
to grails-de...@googlegroups.com
I think the Spring Security plugin can help you out as well. See for instance this blog:


My application mainly divides between organisations, so I have gone down the Hibernate Filter plugin route - but I might as well have use for a few checks with SpEL, now that I think of it...

Regards Claes
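The SpEL route Claes mentions, as an added example that is not from the thread or from the plugin's documentation. It assumes a Grails service named UserProfileService and a User domain class in package com.example, and that method security (@PreAuthorize) is enabled, which in Grails comes with the Spring Security ACL plugin; without it the annotation is silently ignored, so verify with a test that a foreign id actually throws. "principal" is the GrailsUser the core plugin stores in the SecurityContext, so principal.id is the logged-in user's database id, and "#id" is the method parameter of that name (Grails compiles with debug info, so parameter names are available to SpEL).

```groovy
package com.example

import grails.transaction.Transactional
import org.springframework.security.access.prepost.PreAuthorize

/**
 * Per-record authorisation expressed in SpEL on the service layer, so every
 * controller action that goes through this service gets the same check.
 * An attempt to read or modify another user's row throws
 * AccessDeniedException, which Spring Security's filter chain turns into a
 * 403 (or the configured error page) when it escapes the controller.
 *
 * Assumptions: domain class com.example.User, ROLE_ADMIN as the bypass role.
 */
@Transactional
class UserProfileService {

    // Own record, or an administrator: everyone else is refused before the
    // query runs, so the existence of other ids is not even revealed.
    @PreAuthorize("#id == principal.id or hasRole('ROLE_ADMIN')")
    User get(Long id) {
        User.get(id)
    }

    @PreAuthorize("#id == principal.id or hasRole('ROLE_ADMIN')")
    User update(Long id, Map changes) {
        User user = User.get(id)
        if (!user) {
            return null
        }
        // Bind only the profile fields a user may edit about himself; the
        // role and lock/enable flags must not be reachable from a self-edit.
        user.properties['username', 'email'] = changes
        user.save(failOnError: true)
    }

    @PreAuthorize("#id == principal.id or hasRole('ROLE_ADMIN')")
    void delete(Long id) {
        User.get(id)?.delete()
    }
}
```

A controller then calls userProfileService.get(params.long('id')) instead of User.get(id); the check cannot be forgotten in one action because it lives on the method rather than in each controller.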

--
You received this message because you are subscribed to a topic in the Google Groups "Grails Dev Discuss" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/grails-dev-discuss/v21Xpvo6QFQ/unsubscribe.
To unsubscribe from this group and all its topics, send an email to grails-dev-disc...@googlegroups.com.
To post to this group, send email to grails-de...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/grails-dev-discuss/a2b98156-fe0c-4734-8f67-94ef924bb27d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Søren Berg Glasius

Oct 20, 2015, 4:12:13 PM
to grails-de...@googlegroups.com
You might want to check out the Spring Security ACL plugin: http://grails.org/plugin/spring-security-acl

From the read-me: 
The ACL plugin adds Domain Object Security support to a Grails application that uses Spring Security. It depends on the Spring Security Core plugin. The core plugin and other extension plugins support restricting access to URLs via rules that include checking a user's authentication status, roles, etc. and the ACL plugin extends this by adding support for restricting access to individual domain class instances. The access can be very fine-grained and can define which actions can be taken on an object - these typically include Read, Create, Write, Delete, and Administer but you're free to define whatever actions you like.



Best regards / Med venlig hilsen,
Søren Berg Glasius

Hedevej 1, Gl. Rye, 8680 Ry, Denmark
Mobile: +45 40 44 91 88, Skype: sbglasius
--- Press ESC once to quit - twice to save the changes.
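How the ACL plugin Søren points to would express the same rule, as an added example (not the plugin's own sample code and not from the thread). It assumes the Spring Security ACL plugin is installed, a domain class com.example.User, a service named UserAclService, and that the grant below is called once from whatever creates accounts (registration or an admin screen). The aclUtilService bean, its addPermission/deleteAcl methods and the hasPermission(id, className, permission) expression are the plugin's; the service and method names are this example's.

```groovy
package com.example

import grails.transaction.Transactional
import org.springframework.security.access.prepost.PreAuthorize
import org.springframework.security.acls.domain.BasePermission

/**
 * Instance-level access through ACL entries instead of an id comparison:
 * each user holds READ and WRITE on his own User row and nothing else.
 * The checks consult the acl_* tables, so the rule can later be extended
 * (e.g. a manager getting READ on his reports' rows) without code changes.
 *
 * Assumptions: domain class com.example.User, ROLE_ADMIN as the bypass role.
 */
@Transactional
class UserAclService {

    def aclUtilService

    // Call once when the account is created. The sid is the username, so the
    // ACL stays valid even if the principal is rebuilt on the next login.
    void grantSelfAccess(User user) {
        aclUtilService.addPermission user, user.username, BasePermission.READ
        aclUtilService.addPermission user, user.username, BasePermission.WRITE
    }

    // #id is looked up as an ACL object identity of type com.example.User;
    // the literal class name must match the domain class exactly.
    @PreAuthorize("hasPermission(#id, 'com.example.User', read) or hasRole('ROLE_ADMIN')")
    User get(Long id) {
        User.get(id)
    }

    @PreAuthorize("hasPermission(#id, 'com.example.User', write) or hasRole('ROLE_ADMIN')")
    User update(Long id, Map changes) {
        User user = User.get(id)
        if (!user) {
            return null
        }
        // Same rule as with any self-edit: bind profile fields only.
        user.properties['username', 'email'] = changes
        user.save(failOnError: true)
    }

    @PreAuthorize("hasPermission(#id, 'com.example.User', delete) or hasRole('ROLE_ADMIN')")
    void delete(Long id) {
        User user = User.get(id)
        if (user) {
            user.delete()
            // Remove the ACL rows too, so a reused primary key cannot inherit
            // the old entries.
            aclUtilService.deleteAcl user
        }
    }
}
```

Note that a user without an ACL entry gets a 403 from get(), including for ids that do not exist; if you want a 404 for missing rows, check existence after the authorisation, never before it.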


Chris Malan

Aug 11, 2016, 11:32:18 PM
to Grails Dev Discuss
Yes, this is very doable. You want this for users in certain roles. What you now do in your index action is SpringSecurityUtils.ifAnyGranted('ROLE_RESTRICTED'). Then, if he's in this role, get the logged-in user using springSecurityService. Then just show him. Same for show, edit, update and delete. If he somehow ends up there and wants to see, edit or delete someone else, see if this someone else is him. If not, redirect to show with his own user and a message saying, 'sorry bud, you cannot do that.'
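The controller-side check that both Claes ("an if-statement in each action") and Chris describe, written out as an added example that is not from the thread. It assumes you have your own UserController for com.example.User rather than the one shipped by the Spring Security UI plugin (that controller is the plugin's code; you would subclass or replace it), and that ROLE_ADMIN is the role allowed to reach any record. Where Chris gates on a ROLE_RESTRICTED role, this example denies by default and names only the bypass role, so a user who is missing a role ends up restricted rather than unrestricted. The redirect-with-message behaviour is the one Chris suggests; returning a 403 instead is a one-line change in loadOwnedUser.

```groovy
package com.example

import grails.plugin.springsecurity.SpringSecurityUtils
import grails.plugin.springsecurity.annotation.Secured

/**
 * Assumptions: domain class com.example.User, ROLE_ADMIN bypasses ownership,
 * springSecurityService.principal is the core plugin's GrailsUser (has .id).
 */
@Secured('ROLE_USER')
class UserController {

    def springSecurityService

    // The situation from the thread: any authenticated user can open
    // /user/show/3 because the id comes straight from the URL.
    //
    //   def show(Long id) { respond User.get(id) }

    def show(Long id) {
        User user = loadOwnedUser(id)
        if (user) {
            respond user
        }
    }

    def edit(Long id) {
        User user = loadOwnedUser(id)
        if (user) {
            render view: 'edit', model: [user: user]
        }
    }

    def update(Long id) {
        User user = loadOwnedUser(id)
        if (!user) {
            return
        }
        // Bind only profile fields: a self-editing user must not be able to
        // post authorities/enabled/accountLocked along with the form.
        bindData user, params, [include: ['username', 'email']]
        if (user.save(flush: true)) {
            flash.message = 'Profile updated'
            redirect action: 'show', id: user.id
        } else {
            render view: 'edit', model: [user: user]
        }
    }

    def delete(Long id) {
        User user = loadOwnedUser(id)
        if (!user) {
            return
        }
        user.delete(flush: true)
        // A user who deleted his own account has no principal to return to.
        redirect controller: 'logout'
    }

    /**
     * Lookup and ownership check in one place, so no action can forget it.
     * Returns the User when the caller may act on it; otherwise renders a
     * 404 (row missing) or redirects to the caller's own record with a
     * message, and returns null so the action can simply bail out.
     */
    private User loadOwnedUser(Long id) {
        User user = User.get(id)
        if (!user) {
            render status: 404
            return null
        }
        if (SpringSecurityUtils.ifAnyGranted('ROLE_ADMIN')) {
            return user
        }
        Long currentUserId = springSecurityService.principal.id
        if (user.id != currentUserId) {
            flash.message = 'Sorry, you can only view your own account.'
            redirect action: 'show', id: currentUserId
            return null
        }
        user
    }
}
```

Two things to test once this is in place: a logged-in user with id 2 requesting /user/show/3, /user/edit/3, a POST to /user/update/3 and /user/delete/3 must all be refused (the update and delete cases are the ones people forget), and a POST to update on his own id carrying an extra authorities field must leave his roles untouched.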