views: 51
answers: 2

Hi!

I'm still working on my first Grails application. This time, my problem is to limit access to some actions for particular users.

Assume users add some objects, e.g. books. I would like to give access to edit a book only to the admin and the user that added the book. I'm currently using the Acegi plugin. I know there is a newer version of that plugin, but I'm not sure if it changes anything in my problem.

The second thing is somewhat similar. I have a sidebar and there is "Hello ${currentUser.username}". currentUser is a method that returns an instance of the currently logged-in user. But the problem is that I don't have any idea where I can put this message to be able to use it everywhere. Should I put it in some service and include it everywhere? I tried to create an ApplicationController that is extended by all other controllers, but that doesn't seem to work. Have you got any ideas?

Thanks! Grzegorz

+2  A: 

For ROLE access you'll just need to specify that a particular ROLE for a particular URL has access to that action. That is if you are using the plugin's RequestMap approach. If you're using the annotation approach, just annotate the action in the controller with:

@Secured(['WHATEVER_ROLE'])

As far as only allowing the user who created the book to edit it, you can pull the user domain out of the authentication with authenticateService.userDomain(), then you can compare that user with the user who created the book (assuming you have some sort of createdBy property on your Book domain).

// authenticateService is injected by the Acegi plugin; userDomain() returns the
// domain instance of the currently authenticated user (null if not logged in)
def loggedInUser = authenticateService.userDomain()
// compare the book's creator with the logged-in user before allowing the edit
if (book.createdBy.equals(loggedInUser)) {
   // allow editing
}

Something like that, anyway.

Gregg
Thanks for the response! Now the problem is where I can put this getting of the current user so that I will be able to use this user's data everywhere. For example I would like to see the logged-in user's login at the top of the page no matter which controller is taking the action. Do I need to define it in every controller?
arnvald
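The ownership check from the answer above, carried into a complete controller, as an added example that is not part of the question or either answer. It assumes a Book domain class with a createdBy property (as the answer does), an admin role named ROLE_ADMIN, and that the Acegi plugin's authenticateService exposes ifAnyGranted() alongside userDomain(); those names are assumptions, not something the thread confirms. Two points the one-liner in the answer does not show: the comparison is done on ids rather than equals(), so a Hibernate proxy on either side does not defeat it, and the update binds only the fields the form is allowed to change, so a request cannot overwrite createdBy and "claim" the book.

```groovy
// Added example (not from the original thread): admin-or-owner check for Book edits
// with the Grails Acegi plugin. Book, createdBy, ROLE_ADMIN and ifAnyGranted are assumed.
class BookController {

    // Injected by the Acegi plugin (bean name as used in the answer above)
    def authenticateService

    // One rule for every mutating action: admins may edit any book,
    // everyone else may edit only the books they created.
    private boolean canEdit(Book book) {
        // ifAnyGranted is assumed to exist on the Acegi authenticateService
        if (authenticateService.ifAnyGranted('ROLE_ADMIN')) {
            return true
        }
        def loggedInUser = authenticateService.userDomain()
        // compare ids, not objects: Hibernate may hand back a proxy on either side
        return loggedInUser != null && book.createdBy?.id == loggedInUser.id
    }

    def edit = {
        def book = Book.get(params.id)
        if (!book) {
            flash.message = "Book not found"
            redirect(action: 'list')
            return
        }
        if (!canEdit(book)) {
            // Deny the action rather than silently rendering the form
            response.sendError(403)
            return
        }
        [bookInstance: book]
    }

    def update = {
        def book = Book.get(params.id)
        if (!book || !canEdit(book)) {
            // Same answer for "missing" and "not yours": no hint about which it was
            response.sendError(403)
            return
        }
        // Bind only the editable fields; never let the request set createdBy,
        // otherwise a user could hand the book to themselves (or someone else).
        bindData(book, params, [exclude: ['createdBy', 'id']])
        if (!book.save(flush: true)) {
            render(view: 'edit', model: [bookInstance: book])
            return
        }
        flash.message = "Book ${book.id} updated"
        redirect(action: 'show', id: book.id)
    }
}
```

The check lives in a private controller method here because the question is scoped to one controller; once several controllers need the same rule, the natural home is a service or, as the next answer points out, the ACL add-on of the newer Spring Security plugin.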
+4  A: 

You should use the newer Spring Security Core plugin since it has an ACL add-on plugin that does exactly what you're looking for. See http://grails.org/plugin/spring-security-acl for details.

For the second question, there's a taglib for that. In the Acegi plugin use this:

Hello <g:loggedInUserInfo field="username"/>

(see http://www.grails.org/AcegiSecurity+Plugin+-+Artifacts) and in the Spring Security Core plugin use this:

Hello <sec:username/>

(see the "Security Tags" section of http://burtbeckwith.github.com/grails-spring-security-core/docs/manual/)

Burt Beckwith
Oh, yeah, how could I miss the info about tags... thanks for it. I'll switch to the new plugin ASAP, I hope it will facilitate managing users' permissions
arnvald