我正在用Spring Security建立一个Web门户。在我的门户网站中,具有USER
的用户,ADMIN
角色有权编辑其配置文件。通过登录用户角色,转到编辑页面/RITE/user/myedit/2
并可以编辑。问题是当我编辑URL /RITE/user/myedit/2
时,/RITE/user/myedit/1
可以看到ADMI特权用户。我尝试了注释,但没有起作用。我如何避免这种情况?
@Secured(['ROLE_ADMIN','ROLE_USER'])
def mylist(Integer max)
{
def user = springSecurityService.currentUser
def c= User.findByUsername(user.username)
params.max = Math.min(max ?: 10, 100)
[userInstanceList: c]
}
@Secured(['ROLE_ADMIN','ROLE_USER'])
def myshow(Long id) {
//userService.show(id)
//println "in myshow"
def user = springSecurityService.currentUser
UserDetails currentUser = springSecurityService.principal
if(id==currentUser.id){
def userInstance = User.get(id)
if (!userInstance) {
flash.message = message(code: 'default.not.found.message', args: [message(code: 'user.label', default: 'User'), id])
redirect(action: "mylist")
return
}
[userInstance: userInstance]
}
}
@Secured(['ROLE_ADMIN','ROLE_USER'])
def myedit(Long id) {
def user = springSecurityService.currentUser
UserDetails currentUser = springSecurityService.principal
def c= User.findByUsername(user.username)
if(id == user.id ){
def userInstance = User.get(c.id)
if (!userInstance) {
flash.message = message(code: 'default.not.found.message', args: [message(code: 'user.label', default: 'User'), id])
println("not allowed")
redirect(action: "mylist")
return
}
[userInstance: userInstance]
}
}
您需要手动实现表达的东西:
if( User.findByUsername(springSecurityService.currentUser.username).id
!= id_ofEditedUser) {
throw new AccessDeniedException("one can only edit its own stuff");
}
ralph的建议是准确的,但是当我们谈论只有身份验证的用户可以编辑的用户信息时,我通常不会这样做。您最好完全不需要ID:
def myedit() {
// this is the authenticated user, therefor, this is the information being edited
def userInstance = User.findByUsername(springSecurityService.principal.username)
[userInstance: userInstance]
}
如果您希望除特定用户以外的其他人编辑用户信息,例如管理员,请为此提供一个专门的管理操作。从现在开始,当必须再次查看代码时,这将变得更有意义。