
I'm using Spring Security ACL in my Grails project to manage access to my application. I can create Admin and User accounts with different permissions in the application. Now, I want a particular user to be able to see only some instances of a domain class. That is:

given the following example domain class

```groovy
class Patient
{
   String name;
   String surname;
   // ...
}
```

Suppose that 3 Patient objects have been created. I want that, if I log in with

username = test1

password=test1

I can see only the Patients that belong to this User. I think that, when I create a new Patient, it needs to be stored that this Patient belongs to the currently logged-in User. How can I do that?

EDIT: Another problem is that, if I change the id part of the show URL, I can see all the Patients that have been created. I want to get an access error if I change the URL manually. Is that possible?

EDIT 2: How can I get the role of the currently logged-in user? I've tried the code from "How to get current user role with spring security plugin?" but I cannot call getAuthorities() because it tells me that it does not exist.

I've solved EDIT 2 in the following discussion: "grails exception: Tag [paginate] is missing required attribute [total]". I still need to solve EDIT 1, thanks.

FrancescoDS

1 Answer

If I understand you right, you need to define belongsTo. This will create a mapping in the database from Patient to User.

Edit: to get the currently logged-in user, use

```groovy
class SomeController {
  def authenticateService   // injected by name

  def list = {
     // principal of the currently logged-in user
     def user = authenticateService.principal()
     def username = user?.getUsername()
     // ...
  }
}
```

To map to the user, change the logic in the controller or use events to create the mapping.

Edit: edit the create action:

```groovy
class PatientController {
   def authenticateService   // injected by name
   // ...
   def create() {
      def patientInstance = new Patient(params)
      // set the owner from the logged-in principal
      patientInstance.user = authenticateService.principal()
      // ...
      [patientInstance: patientInstance]
   }
   // ...
}
```
Mr. Cat
  • I've added the belongsTo into the domain class, but when I create the new Patient I have the following error: Property [secUser]of class [Patient] cannot be null. It means that the User is not automatically set I suppose...so I need to change the Save method into the controller...but how can I get the currently logged User ID? – FrancescoDS Aug 27 '13 at 09:17
  • If I want to change logic of the controller, how can I do it? I have the following: def create() { [patientInstance: new Patient(params)] } The problem is that when I want to see the list of Patient I want to have only the ones that belongs to current User logged in, so I need to change not only create method but also the others onto the controller – FrancescoDS Aug 27 '13 at 09:43
  • in your list method you get the username of the User, but I need to store the ID of the User into my Patient object...so how can I get the ID? – FrancescoDS Aug 27 '13 at 09:57
  • I cannot perform patientInstance.user = authenticateService.principal() in the create() because of definition in previous line of code. And then, authenticateService is null. which assignment is needed for it? – FrancescoDS Aug 27 '13 at 10:17
  • let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/36321/discussion-between-mr-cat-and-francescods) – Mr. Cat Aug 27 '13 at 10:49
  • The only thing I've done to solve the problem is to use the following in save() : patientInstance.secUser = springSecurityService.getCurrentUser() to store the user into the patient instance. now I need to know how in the list() I can see only patients that has the id of the user currently logged in – FrancescoDS Aug 28 '13 at 13:44
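
An added example, not code from the question or the answer, covering the two points the thread leaves open: a list() limited to the current user's patients and a show() that refuses a hand-edited id. It is a plain Groovy script; `PatientAccess`, `NotOwnerException`, the in-memory `store` and the sample names are constructed stand-ins, `secUser` and `springSecurityService.getCurrentUser()` are taken from the comments above, and the GORM dynamic finders named in the code comments are what the Grails controller would call instead.

```groovy
// Constructed stand-ins so the script runs without Grails; in the application
// these are the SecUser and Patient domain classes and springSecurityService.
class SecUser { Long id; String username }
class Patient { Long id; String name; String surname; SecUser secUser }
class NotOwnerException extends RuntimeException {
    NotOwnerException(String msg) { super(msg) }
}

class PatientAccess {
    List<Patient> store = []   // stands in for the patient table
    SecUser currentUser        // stands in for springSecurityService.getCurrentUser()

    // save(): the owner comes from the logged-in session, never from params
    Patient save(Map params) {
        def p = new Patient(id: store.size() + 1L, name: params.name,
                            surname: params.surname, secUser: currentUser)
        store << p
        p
    }

    // list(): with GORM this is Patient.findAllBySecUser(currentUser)
    List<Patient> list() { store.findAll { it.secUser.id == currentUser.id } }

    // show(): with GORM this is Patient.findByIdAndSecUser(id, currentUser)
    Patient show(Long id) {
        def p = store.find { it.id == id && it.secUser.id == currentUser.id }
        if (!p) throw new NotOwnerException("patient ${id} is not accessible")
        p
    }
}

def test1 = new SecUser(id: 1L, username: 'test1')
def test2 = new SecUser(id: 2L, username: 'test2')
def access = new PatientAccess(currentUser: test1)
access.save(name: 'Anna', surname: 'Rossi')
access.save(name: 'Luca', surname: 'Bianchi', secUser: test2) // supplied owner ignored
access.currentUser = test2
access.save(name: 'Marco', surname: 'Verdi')

assert access.list()*.name == ['Marco']
access.currentUser = test1
assert access.list()*.name == ['Anna', 'Luca']
assert access.show(1L).name == 'Anna'
try {
    access.show(3L)            // id edited by hand to another user's patient
    assert false : 'expected the lookup to be refused'
} catch (NotOwnerException e) {
    println "denied: ${e.message}"
}
```

A missing id and an id owned by someone else produce the same refusal, so the response does not reveal which patient ids exist. The edit, update and delete actions need the same owner-scoped lookup as show().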