Announcement Announcement Module
Collapse
No announcement yet.
Contextual access to objects Page Title Module
Move Remove Collapse
This topic is closed
X
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • Contextual access to objects

    I'm just getting started with acegi security and have what I hope is a reasonably simple question.

    Here's a quick summary of what I'm trying to do:
    • I am building an auction site using Spring MVC.
    • Users are able to create, edit and view products.
    • To create or edit a product you must be in the role of SELLER.
    • Anybody can view a product.
    • Seller can only edit the products they created.
    • The product edit page shows additional information that a buyer should not see.

    The view/edit controllers use a service method to get the product they require (i.e. getProductWithId(...)). Since anybody can view a product, we don't need any authorisation control but could put READ control if we wanted.

    I can control access to the create or update pages by specifying a that only SELLERs have access to the appropriate URLs.

    However, a SELLER should only be able to view a product that they created in the product edit page. This means that I need a way of saying in the context of the edit product page, you must have UPDATE authorisation for the product to read it (i.e. to be able to call the method getProductWithId(...)).

    Is this possible? Or do I need to create a method like getProductWithIdForUpdate(...)? Or maybe I can express my intent in some other way?

    Any thoughts would be appreciated.

    Regards,
    Damien

  • #2
    You'll need to use the ACL capabilities as per the Contacts Sample application. It more than addresses what you need to do. It's not possible to achieve your use case via role security alone; you need ACLs.

    Comment


    • #3
      Ben,

      Thanks for the reply. I had already looked at the contacts sample and spent quite a bit of time reviewing how ACLs work. I've now had another look through the contacts sample but can't see an example of the situation that I have.

      Let's just say that all users will be setup to have READ access on all Products.

      For all users to access the service method getProductWithId(...), I'd set up an AfterInvocationProvider that required that the user had READ access on the Product.

      So the question still is, when a user is entering the update product page, how do I enforce that they must have UPDATE access (rather than READ) on the Product to get it from getProductWithId(...).

      Regards,
      Damien

      Comment


      • #4
        This post might give a more gentle intro: http://forum.springframework.org/viewtopic.php?t=3838

        This post had a similar question: http://forum.springframework.org/viewtopic.php?t=3818

        Comment

        Working...
        X