Restrict resource access to only owners


Dominic Fui Dodzi-Nusenu

Apr 28, 2015, 4:59:27 AM
to gra...@googlegroups.com
Can anyone point me in the right direction to restrict resource access to only accounts that own the data?

I am currently doing this in a resource filter with some dynamic Groovy class code, where I access the owner id on the object.
But my real problem comes from the objects that have an indirect relationship with the owner object. This makes me feel like there could be a better way to do this.

I welcome any suggestions.

Sample:

class Agency {
    String name
    String address
}

class Job {
    String name
    Agency agency
}

class JobDetails {
    String key
    String value
    Job job
}

Problem: I have a lot of classes like the Job class, and I can't add each one of them to the filter, since I want it to be very dynamic.

Sample filter code:
if (domainInstance && domainInstance.hasProperty("agency")
        && !(domainInstance instanceof Agency) && !(domainInstance instanceof RestrictedClassName)) {
    // The instance's agency is the current user's agency, an agency the user owns,
    // or the agency the user belongs to as an agent
    boolean ownsAgency = domainInstance.agency?.id == springSecurityService.currentUser.agency?.id
            || domainInstance.agency?.id == Agency.findByOwner(springSecurityService.currentUser)?.id
            || domainInstance.agency?.id == Agent.findByUser(springSecurityService.currentUser)?.agency?.id
    // Collaborator user access to data: the user has a job at the instance's agency
    boolean collaborator = springSecurityService.currentUser?.jobs?.find { it.agency?.id == domainInstance.agency?.id }
    // Client user access to data: the user has a client at the instance's agency
    boolean client = springSecurityService.currentUser?.clients?.find { it.agency?.id == domainInstance.agency?.id }

    if (!ownsAgency && !collaborator && !client) {
        def root = errorMessage.error {
            status "403"
            message "Content does not belong to this account"
        }
        render(status: 403, text: errorMessage.toPrettyString())
        return false
    }
}

// Was gonna paste the whole filter code, but it's too messy

PS: I really just want a higher architecture point of view on the matter. Should I be putting the owner id on all the data? Isn't that too cumbersome? Isn't there a more elegant way to write the filter code?
Again, any help is greatly appreciated.



David Spies

Apr 29, 2015, 9:08:28 AM
to gra...@googlegroups.com
This sounds like a use case for ACLs. If you have not already, I would look at the Spring Security ACL plugin (https://grails.org/plugin/spring-security-acl).

Dominic Fui Dodzi-Nusenu

Apr 29, 2015, 9:13:55 AM
to gra...@googlegroups.com
Really, I had no idea... Access control list, of course... Didn't know that's what the ACL plugin referred to.

Thanks

On 04/29/2015 01:08 PM, David Spies wrote:
> This sounds like a use case for ACLs. If you have not already, I would look at the Spring Security ACL plugin (https://grails.org/plugin/spring-security-acl).
>

--
Fui Nusenu
twitter: @daptordarattler
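As an added example (not code from the thread, the Grails project or the ACL plugin), one way to take the "higher architecture" route the question asks about: each domain class declares the property path that leads to its owning Agency, and a single generic check replaces the per-class branches in the filter. The class names reuse the sample above; `ownerPath`, the `Client` class and the `User` stub standing in for `springSecurityService.currentUser` are assumptions, and the whole thing is plain Groovy with no GORM so it runs with the `groovy` CLI.

```groovy
// Added example, not code from the thread. Plain Groovy (runs with the groovy CLI);
// GORM and springSecurityService are replaced by in-memory objects and a User stub.
// Idea: each domain class declares the property path to its owning Agency, so one
// generic check replaces the per-class branches in the original filter.
class Agency { Long id; String name }
class Job { String name; Agency agency; static String ownerPath = 'agency' }
class JobDetails { String key; String value; Job job; static String ownerPath = 'job.agency' }
class Client { String name; Agency agency }
class User { Long id; Agency agency; List<Job> jobs = []; List<Client> clients = [] }

/** Follow the declared ownerPath (e.g. 'job.agency') from an instance to its Agency. */
Agency owningAgency(Object instance) {
    if (instance instanceof Agency) return instance
    if (!instance?.hasProperty('ownerPath')) return null      // no declared owner: deny by default
    String path = instance.ownerPath
    def owner = path.tokenize('.').inject(instance) { obj, prop -> obj?."$prop" }
    owner instanceof Agency ? owner : null                     // mis-declared path also denies
}

/** Agency ids the user may read, computed once per request instead of once per rule. */
Set<Long> accessibleAgencyIds(User user) {
    Set<Long> ids = [] as Set
    if (user.agency) ids << user.agency.id                     // the user's own agency
    user.jobs*.agency.findAll { it }.each { ids << it.id }     // collaborator access via jobs
    user.clients*.agency.findAll { it }.each { ids << it.id }  // client access via clients
    ids
}

/** The single decision the resource filter needs; false means render the 403. */
boolean mayAccess(User user, Object instance) {
    Agency owner = owningAgency(instance)
    owner != null && owner.id in accessibleAgencyIds(user)
}

// Constructed sample data exercising direct, indirect and collaborator access.
def acme = new Agency(id: 1, name: 'Acme'), rival = new Agency(id: 2, name: 'Rival')
def job = new Job(name: 'Audit', agency: acme)
def detail = new JobDetails(key: 'scope', value: 'web', job: job)
def foreign = new JobDetails(key: 'scope', value: 'net', job: new Job(name: 'Other', agency: rival))
def alice = new User(id: 10, agency: acme)
def bob = new User(id: 11, jobs: [new Job(name: 'Audit', agency: acme)])
assert mayAccess(alice, job)          // direct: job.agency
assert mayAccess(alice, detail)       // indirect: jobDetails.job.agency resolved via ownerPath
assert !mayAccess(alice, foreign)     // owned by another agency: the filter would return 403
assert mayAccess(bob, detail)         // collaborator reaches Acme through one of his jobs
assert !mayAccess(bob, new Object())  // no ownerPath declared: denied, never silently allowed
```

Adding a new domain class then means adding one `ownerPath` line to it rather than another branch to the filter, and a class that forgets to declare one fails closed.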
