我正在建立一个带有弹簧安全性的Grails Web门户。在我的门户中具有USER,ADMIN角色的用户有权编辑其个人资料。通过登录USER角色,转到编辑页面/RITE/user/myedit/2并进行编辑。问题是当我通过/RITE/user/myedit/2编辑网址/RITE/user/myedit/1时,我能够看到ADMI特权用户。我试过注释,但没有用。我怎么能避免这个?
@Secured(['ROLE_ADMIN','ROLE_USER'])
def mylist(Integer max)
{
def user = springSecurityService.currentUser
def c= User.findByUsername(user.username)
params.max = Math.min(max ?: 10, 100)
[userInstanceList: c]
}
@Secured(['ROLE_ADMIN','ROLE_USER'])
def myshow(Long id) {
//userService.show(id)
//println "in myshow"
def user = springSecurityService.currentUser
UserDetails currentUser = springSecurityService.principal
if(id==currentUser.id){
def userInstance = User.get(id)
if (!userInstance) {
flash.message = message(code: 'default.not.found.message', args: [message(code: 'user.label', default: 'User'), id])
redirect(action: "mylist")
return
}
[userInstance: userInstance]
}
}
@Secured(['ROLE_ADMIN','ROLE_USER'])
def myedit(Long id) {
def user = springSecurityService.currentUser
UserDetails currentUser = springSecurityService.principal
def c= User.findByUsername(user.username)
if(id == user.id ){
def userInstance = User.get(c.id)
if (!userInstance) {
flash.message = message(code: 'default.not.found.message', args: [message(code: 'user.label', default: 'User'), id])
println("not allowed")
redirect(action: "mylist")
return
}
[userInstance: userInstance]
}
}
答案 0 :(得分:1)
您需要手动实现表达的内容:
if( User.findByUsername(springSecurityService.currentUser.username).id
!= id_ofEditedUser) {
throw new AccessDeniedException("one can only edit its own stuff");
}
答案 1 :(得分:1)
拉尔夫的建议是准确的,但是当我们谈论只有经过身份验证的用户可编辑的用户信息时,我通常不会这样做。你最好不要求身份证明:
def myedit() {
// this is the authenticated user, therefor, this is the information being edited
def userInstance = User.findByUsername(springSecurityService.principal.username)
[userInstance: userInstance]
}
如果您希望除特定用户以外的其他人能够编辑用户信息,例如管理员,则专门为此提供管理操作。从现在起6个月后再次查看代码会更有意义。