how to use switched user spring security in grails to override user permissions -


i'm trying build administrative tools user gsp's without building entire administration controller , pages.

my application has user's , administrators. user creates account, administrator approves account before user can perform functions. admin uses switchuser feature review user's account before approving account.

instead of writing code admin have go , user, find record, , update account approved, want add 'approve' button on 1 of user account pages visible admin in switched user role. issue 'approve' action can't executed user's permissions admin has switched to, otherwise user activate own account.

this gsp looks like:

my.gsp:

<sec:ifswitched>     <p><g:link controller='charge' action='activateprofile'>approve profile</g:link> - profile become live in system.</p> </sec:ifswitched>

i'm using @secured annotations in controller

what works doesn't seem right:

@secured("permitall() , isauthenticated()") def activateprofile() {    springsecurityutils.isswitcheduser() {       //activate profile    }    else {       //not allowed unless switched user    } }

what i'd work doesn't exist because there no isswitcheduser() annotation:

@secured("isauthenticated() , (hasanyrole('role_admin', 'role_switched_user') or isswitcheduser()) def activateprofile() {    //update database , make user's profile active }

and of course doesn't work because switched user, switched account doesn't have either of these roles, page not authorized error occurs:

@secured("isauthenticated() , (hasanyrole('role_admin', 'role_switched_user')) def activateprofile() {    springsecurityutils.isswitcheduser() {       //activate profile    }    else {       //not allowed unless switched user    } }

am stuck using permitall , checking in action permission? works , secure doesn't feel right.

you can using 1 of following 2 ways:

custom permissionevaluator

you can use haspermission() methods within security annotations , create custom permissionevaluator. within code looks this:

@preauthorize("haspermission(#myobject, 'update')") public void updatesomething(myobject) {   .. }

inside permissionevaluator implementation can place check switched user.

service calls in security annotations

inside security expressions can reference beans prefixing bean names @.

for example:

@preauthorize("@mysecurityservice.isswitcheduser() or ...") public void dosomething(myobject) {   .. }

more details: both methods require bit of setup. time ago wrote more detailed answer these 2 methods. can find here: grails custom security evaluator


Comments

Post a Comment

Popular posts from this blog

Android layout hidden on keyboard show -

i have strange problem layout. when tap on edittext , keyboard shown edittext stay on bottom , when tap on to hide keyboard , keyboard hides , edittext go should when want input text. when tap again, keyboard shown , edittext goes down behind keyboard... <relativelayout android:layout_width="match_parent" android:layout_height="match_parent" > <scrollview android:layout_width="match_parent" android:layout_height="fill_parent" android:above="@+id/rl_commands"> <textview android:layout_width="match_parent" android:layout_height="wrap_content"/> </scrollview> <relativelayout android:layout_width="match_parent android:layout_height="24dp" android:id="@+id/rl_commands" android:alignparentbottom="true">
Read more

google app engine - 403 Forbidden POST - Flask WTForms -

i have flask application running on google app engine. trying submit form built using wtform , keep getting following error. 403 forbidden: don't have permission access requested resource. either read-protected or not readable server. location.html (part of code) <form method=post action="/home/location"> .... <button type="submit" class="btn btn-primary" value="submit"> directions </button> </form> main.py @app.route('/home/location', methods=['post', 'get']) def location(): form = cfcdirections.direction(request.form) print(request.method) if request.method == 'post' , form.validate(): print("after if") directions = cfcdirections() street_no = directions.no street = directions.street suburb = directions.suburb postcode = directions.postcode
Read more

c - Why would PK11_GenerateRandom() return an error -8023? -

i looking through internet trying find source of pk11_generaterandom() function see why function fail. have program uses function when moved new flavor of linux, fails after forking ( fork() ) since not believe there problem nss, suspect doing incorrectly disregarded in older versions of linux new 1 there issue. the openssl package same on 'good' , 'bad' server: openssl 0.9.8e-fips-rhel5 01 jul nss rpm differs though. 'good' has nss-3.12.2.0-2.el5 and bas has version nss-3.15.3-4.el5_10 the 'good' server uses quite obsolete linux: linux 2.6.18-128.el5 #1 smp wed jan 21 08:45:05 est 2009 x86_64 x86_64 x86_64 gnu/linux enterprise linux enterprise linux server release 5.3 (carthage) red hat enterprise linux server release 5.3 (tikanga) the 'bad' server newer: linux bad 2.6.18-371.4.1.el5 #1 smp wed jan 29 11:05:49 pst 2014 x86_64 x86_64 x86_64 gnu/linux oracle linux server release 5.10 red hat enterprise linux server release
Read more