Spring Roo issue ROO-1759

Spring-Security pattern to limit user view to only their properties

    Details

    • Type: New Feature
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: SECURITY
    • Labels: None

      Description

      A very common pattern in CRUD with users is the following:

      Provided you have installed spring-security and created user and role entities properly bound to spring-security, you often have a user that has many other entities in a one2one or many2one relationship. Example: for a simple bookmark application, a user has many bookmarks, and a bookmark belongs to one user and can be marked private (boolean). The scaffolding should be able to limit the view/edit/update of the bookmark to only the owner.
      I see the following command to perform it:

      secure --class ~.domain.Bookmark --user ~.domain.User --scaffold SHOW [--trigger private]
      [...] means optional.
      What the command does is:
      update the show.jspx with a <sec:...> tag that checks [if User.private is set to true and] if the session user is the owner of the bookmark (using finders, for instance, if the bookmark has no one2many relationship: User.findBookmarkById())

      Other examples, but restricted to roles:
      secure --class ~.domain.User --role ROLE_ADMIN --scaffold DELETE

      -> only the admin role can delete a user.

      It is possible to set up a properties file that configures the entity matching the spring-security convention:

      role.authority=name (i.e. you have a Role.name field that is mapped to authority in the spring-security world)
      user.username=fullname
      user.password=pass
      ...

      This is definitely a common pattern. For instance, in the RSVP or the pizza tutorial, you only want the creator and the admin of the order to be able to update the pizzaorder.
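      The owner-or-admin rule the issue asks the scaffolding to generate, shown as an added example in Spring Security method security on a Roo 1.x style service (this is not code from Roo or from the reporter, and nothing here is generated by the proposed command). It assumes Bookmark has getId(), getUser(), setUser() and isPrivateBookmark() (the boolean the issue calls "private"), the Roo-style Bookmark.findBookmark(Long), merge() and remove() methods, User.getUsername(), and that pre/post annotations are enabled (<global-method-security pre-post-annotations="enabled"/>).

```java
package com.example.bookmark; // hypothetical package, not generated by Roo

import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Service;

@Service
public class BookmarkService {
    // SHOW with the "private" trigger: a private bookmark is readable only by
    // its owner or an admin, a public one by any authenticated user. The owner
    // is only known after loading, so the rule is evaluated on the result.
    @PostAuthorize("!returnObject.privateBookmark"
            + " or returnObject.user.username == authentication.name"
            + " or hasRole('ROLE_ADMIN')")
    public Bookmark show(Long id) {
        return Bookmark.findBookmark(id); // Roo-style static finder (assumed)
    }

    // UPDATE: compare against the owner stored in the database, never against
    // the user field of the form-bound object, which the client controls.
    public Bookmark update(Bookmark submitted) {
        Bookmark persisted = Bookmark.findBookmark(submitted.getId());
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (!isOwnerOrAdmin(persisted, auth)) {
            throw new AccessDeniedException("not the owner of bookmark " + submitted.getId());
        }
        submitted.setUser(persisted.getUser()); // owner cannot be reassigned via the form
        return submitted.merge();               // Roo-style merge (assumed)
    }

    // DELETE on User restricted to ROLE_ADMIN, the second example in the issue.
    @PreAuthorize("hasRole('ROLE_ADMIN')")
    public void deleteUser(User user) {
        user.remove(); // Roo-style remove (assumed)
    }

    // Owner-or-admin decision used by update(); kept separate so it is testable.
    static boolean isOwnerOrAdmin(Bookmark bookmark, Authentication auth) {
        if (bookmark == null || auth == null || !auth.isAuthenticated()) return false;
        for (GrantedAuthority ga : auth.getAuthorities()) {
            if ("ROLE_ADMIN".equals(ga.getAuthority())) return true;
        }
        return auth.getName().equals(bookmark.getUser().getUsername());
    }
}
```

      A show.jspx <sec:authorize> tag only hides markup; the service-level checks above are what stop a direct request for another user's bookmark id.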


            People

            • Assignee: Unassigned
            • Reporter: gershwinou
            • Votes: 11
            • Watchers: 3


                Time Tracking

                • Original Estimate: 5d
                • Remaining Estimate: 5d
                • Time Spent: Not Specified