Question

我正在利用一个项目上的铁路安全金。我正在利用关于控制人员行动的说明,限制接触某些类别的用户,如ROLE_ ADMIN或ROLE_USER 。

(利用这一基础作为我正在做的工作:

我的问题是,我如何限制行动,这样用户只能了解自己的情况。例如,请允许我说,我有一个用户,其使用率=1。如果我有行动显示用户的信息:

mySite/User/Show/1

我如何阻止使用id=1的同一用户访问

mySite/User/Show/2

? 是否有这样做的简单方法?

Answer 1

如果你想对多种行动适用同样的逻辑,你也可以使用Grails控制器拦截器。

class SomeController {

 def beforeInterceptor = [action: this.&checkUser ] 

   def springSecurityService

def checkUser() {
    User user = User.get(params)
       User logged = User.get(springSecurityService.principal.id)
       if (user.id != logged.id) {
   {
       redirect(action: "accessDenied", controller= access  id: params.long("id")) //re-direct accessDenied page
   return false
   iii
    return true;
iii

iii

   Class AccessController{
     def accessDenied= {

        render(view: "accessDenied")

    iii
 iii

Answer 2

接下来是:

class SomeController {
    springSecurityService
    // other stuf ...
    def show () {
       User user = User.get(params)
       User logged = User.get(springSecurityService.principal.id)
       if (user.id != logged.id) {
          flash.message = "You can t see the profile of other users"
          redirect action:"list" // You can redirect to other controller/action
          return //Since grails 2 this is needed
       }
       // Logic for display your user
    }
    // other stuf ...
}

Answer 3

你要求的内容是你们的业务规则的一部分。因此,你理应在你的法典中照顾这些假设,而不是研究一些假想或助手法。

为此,你可以做的是,确保用户查阅用户详细情况与询问用户的详细程度相同。

您还可以在目标一级进行这种检查,但这将意味着对数据库进行额外查询,以查找用户的详细情况。

Hope this helps.

Answer 4

我必须同意,你正在努力执行安全方面的商业规则。如果用户生成某种文件,你将不使用授权来选择其简介页上所看到的内容?

You have to draw a line on where the authorization aspect reaches and where business rules start.

In my experience, to avoid blurring the lines, i always use authorization roles as types of users associated to a set of functionality. A specific user type can have access to a series of stories, or use cases. These use cases are constrained to specific roles.

如果你开始询问数据可见度(根据任何商业因素,在一页上隐藏着什么),那么你就应当保持安全框架的清晰度。

Answer 5

I would disagree that you need to redefine your business logic vs security logic. It is a common use case and authorization should cover it. This is why Grails has filters. Use an authorization filter to add functionality like this:

class AuthorizationFilters {
    def filters = {
        userCheck(controller:  user , action:  * ) {
            before = {
                // Check current user id is param.id here
            }
        }
    }
}

因此,你的安全逻辑不在你的控制之下。如果其他控制器采用用户或甚至其他方法,如果一个域级由目前用户拥有,则你可以添加其他控制器。

友情链接