Type: New Feature
Affects Version/s: None
Fix Version/s: None
A very common pattern in CRUD with users is the following:
Provided you have installed spring-security and created user and role entities properly bound to spring-security, you often have a user that has many other entities in a one2one or many2one relationship. For example, in a simple bookmark application, a user has many bookmarks, and each bookmark belongs to one user and can be marked private (boolean). The scaffolding should be able to limit the view/edit/update of the bookmark to only the owner.
I see the following command to perform it:
secure --class ~.domain.Bookmark --user ~.domain.User --scaffold SHOW [--trigger private]
[...] means optional.
What the command does is:
Update show.jspx with a <sec:...> tag that checks [whether User.private is set to true and] whether the session.user is the owner of the bookmark (using finders; for instance, if the bookmark has no one2many relationship: User.findBookmarkById()).
Other examples, but restricted to roles:
secure --class ~.domain.User --role ROLE_ADMIN --scaffold DELETE
-> only the admin role can delete a user.
It is possible to set up a properties file that configures the entity matching the spring-security convention:
role.authority=name (i.e. you have a Role.name field that is mapped to authority in the spring-security world)
This is definitely a common pattern. For instance, in the RSVP or the pizza tutorial, you only want the creator and the admin of the order to be able to update the pizzaorder.
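
The access rules the proposed secure command would scaffold, written out as a server-side check (an added example, not code from this issue or from Roo; AccessPolicy and its method names are hypothetical, and the bookmark's private flag is modelled as isPrivate because private is a Java keyword). A <sec:...> tag in show.jspx only hides markup, so the same decision has to be enforced in the controller or service that loads the bookmark.

```java
import java.util.Set;

// Added example: plain Java (16+), no Spring dependency. All names are hypothetical.
public class BookmarkAccessDemo {

    record User(long id, String name, Set<String> authorities) {
        boolean hasRole(String role) { return authorities.contains(role); }
    }

    record Bookmark(long id, long ownerId, boolean isPrivate) {}

    static final class AccessPolicy {
        // SHOW with the optional "private" trigger: the owner check
        // applies only when the bookmark is marked private.
        static boolean canShow(User caller, Bookmark b) {
            return !b.isPrivate() || isOwner(caller, b);
        }

        // UPDATE: only the creator or an admin, as in the pizza order case.
        static boolean canUpdate(User caller, Bookmark b) {
            return isOwner(caller, b) || isAdmin(caller);
        }

        // DELETE on User restricted to ROLE_ADMIN.
        static boolean canDeleteUser(User caller) {
            return isAdmin(caller);
        }

        // An anonymous caller (null) owns nothing. Compare ids taken from the
        // authenticated session, never an owner id sent in the request.
        private static boolean isOwner(User caller, Bookmark b) {
            return caller != null && caller.id() == b.ownerId();
        }

        private static boolean isAdmin(User caller) {
            return caller != null && caller.hasRole("ROLE_ADMIN");
        }
    }

    public static void main(String[] args) {
        // Constructed sample data.
        User alice = new User(1, "alice", Set.of("ROLE_USER"));
        User bob = new User(2, "bob", Set.of("ROLE_USER"));
        User root = new User(3, "root", Set.of("ROLE_USER", "ROLE_ADMIN"));
        Bookmark secret = new Bookmark(10, alice.id(), true);

        System.out.println("owner shows private:  " + AccessPolicy.canShow(alice, secret));
        System.out.println("other shows private:  " + AccessPolicy.canShow(bob, secret));
        System.out.println("anonymous shows:      " + AccessPolicy.canShow(null, secret));
        System.out.println("admin updates:        " + AccessPolicy.canUpdate(root, secret));
        System.out.println("other deletes a user: " + AccessPolicy.canDeleteUser(bob));
    }
}
```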