ansaurus

Question

Answer 1

A:

Spring Security (Acegi Plugin) is definitely the way to go with Grails.

There is a taglib you can use that will allow a page to be different for different roles such as the following:

<g:ifUserHasRole roles="ROLE_ADMIN">
html code for extra fields
</g:ifUserHasRole>

Sean A.O. Harney 2010-01-23 18:29:58

Thanks for that incredible fast answer.This tag seems to very helpful as limited views and propably edit functionality can be implemented by using it. The only drawback which occurs to me is: Roles are hardcoded in the GSP-files, aren't they? Do you have some clever hint for this issue, too?

Daniel 2010-01-23 18:35:45

In Bootstrap.groovy you usually have some code to define the roles and .save() but GORM (with sql) actually creates some database tables such as role.

Sean A.O. Harney 2010-01-23 18:52:06

Thanks again for your answer.One question concerning security: If viewing or editing of a property is disabled, this does not mean that the controller "knows" about the fact and ignores some data which is sent in the request. So what is the best practice to prevent such an "attack". In addition, it seems to me that I have to hardcode the role mapping to a property on two places: GSP and the controller. Is there any central place to put it?

Daniel 2010-01-23 19:09:28

I don't think the Spring Security plugin has ACL support yet?

Kimble 2010-01-24 13:04:33

@kimble Yes it isn't ACL, but role based access control seems to be what he wants.

Sean A.O. Harney 2010-01-24 13:42:52

Answer 2

A:

Me, I'd encode it on the domain class, emulating the way GORM has you annotate the domain classes (static access = [field1: "ROLE_USER", field2: "ROLE_ADMIN,ROLE_USER"] as an example). Then build a method your controller could use to redact them for a given user. That method could use the domain class's annotations to decide how to redact it. Then, metaprogram it onto each of the domain classes the way plugins do.

Similarly, write the opposite method to restrict data bindings of params into the domain class, write your own data binding utility method, then metaprogram it onto each domain class as well.

Then you can just use instance.redact(user) or instance.bindData(params, user) to do what you want, and it's practically declarative syntax.

John Stoneham 2010-01-23 19:52:24

Answer 3

A:

We have a similar situation and use both the ifUserHasRole tag in the gsp to drive the appropriate presentation and the we have a filter that enforces the rules based on the action being called. For example, on user controller we would only allow the management roles to call save action, or if the user.id is the same as the session.user.id. This seemed to be the best option for our situation.

JeffSea 2010-02-05 14:24:49

Answer 4

A:

What about creating an ACL class like this:

class ACL(val entry: Entry*) {
  def isAccessAllowed(subject: String, permission: String): Boolean = ...
}

class Entry(val subject: String, val permission: String*)

usage:

new ACL(
  new Entry("dave", "read", "write"), 
  new Entry("linda", "read")
)

(This example is in Scala, because I found it more expressive in this case, but it should be easy to transfer it to Groovy.)

You would then connect an ACL object with the object to be protected.

deamon 2010-02-05 16:00:50

ansaurus

tags:

views:

answers:

ACL on field level in Grails

related questions