4

I'm trying to set a hiddenField in a "create" view, where the field is set to the id of the currently logged-in user, which you get from the "springSecurityService.principal.id" property.

I was wondering if it was possible to do this exclusively from the template instead of passing the value from a controller. e.g.

<%@ page import="grails.plugins.springsecurity.SpringSecurityService" %>
<% def springSecurityService %>

<html>
...
...
<g:hiddenField name="user.id" value="${springSecurityService.principal.id}"/>
...

I tried this code, but ended up getting a NullPointerException with reference to the "principal" property.

Is there any way to do this or do I have to explicitly pass the id of the currently logged in user from the "create" method?

NOTE: Yes I know that it's trivial for anyone to construct a POST request with a doctored hidden field. There are checks in the controller code to ensure that the currently logged in user can only create, edit, delete their own posts. My question is more to do with not having to type out the code to pass the currently logged in user to three different views.

srkiNZ84
  • 3,558
  • 5
  • 30
  • 37

3 Answers

13

Try using the following syntax:

<g:hiddenField name="user.id" value="${sec.loggedInUserInfo(field:"id")}"/>
Ben W
  • 2,469
  • 1
  • 24
  • 24
  • 2 years late, but hey :-). Doesn't it render a hidden field with an id which might be changed by the user and introduce a security risk? – Will Sep 03 '12 at 14:08
  • Yes..that's right. It is really a bad idea to use logged-in user's id on UI..I would never do that :) – Ben W Sep 18 '12 at 02:12
  • 2
    It's not a risk if it's only used to determine to display a control or not. You should still be using some sort of ACLs or URL restrictions on the server side too – Jason Nichols Oct 30 '12 at 12:45
  • 1
    +1 Jason. "Exposing user id is a security risk" is equivalent to "Exposing amazon product ids in the url is a security risk" – Spundun Aug 15 '13 at 02:02
5

Storing the id of the currently logged-in user as a hidden field in the view is a really bad idea, because anyone with a basic knowledge of how the web works can replace this value with the ID of another user.

Instead you should use the springSecurityService on the server side to get the current user. You can get a reference to this service via dependency injection in a domain class, controller, service, taglib, etc.

class MyController {
  def springSecurityService

  def myAction() {
    def currentUser = springSecurityService.currentUser
  }
}
Dónal
  • 185,044
  • 174
  • 569
  • 824
  • Yes, I am aware of the security implications. My problem was that I now have to specifically pass the currently logged in user for the "create", "save", "edit", "update" and "delete" methods. This seems to defeat the principles of DRY and was wondering if there was a better way to do it. – srkiNZ84 Feb 10 '12 at 00:18
  • @srkiNZ84 - I am not sure what do you mean by passing current logged in user to method. Can you please copy the code here? – Ben W Feb 10 '12 at 19:07
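A server-side pattern that makes the hidden field unnecessary, as an added example that is not part of the question or any answer on this page: the owner is always taken from springSecurityService.currentUser when saving, and edit/update/delete share one ownership check, which also covers the asker's DRY concern. Post and User are assumed domain classes, and @Secured is assumed to come from the same plugin version the question imports.

```groovy
// Added example, not code from the thread. Assumes Post (with a `user` owner)
// and User domain classes, and the Grails Spring Security plugin the question uses.
import grails.plugins.springsecurity.Secured

@Secured(['ROLE_USER'])
class PostController {

    def springSecurityService

    def save() {
        // Bind only the fields a client may set; a posted params['user.id'] is ignored.
        def post = new Post(title: params.title, body: params.body)
        post.user = springSecurityService.currentUser   // owner comes from the session, never the form
        if (!post.save(flush: true)) {
            render(view: 'create', model: [post: post])
            return
        }
        redirect(action: 'show', id: post.id)
    }

    def update() {
        def post = ownedPostOrNull(params.id)
        if (!post) return                       // helper has already written 404/403
        post.properties['title', 'body'] = params   // subset binding: owner cannot be rebound
        if (!post.save(flush: true)) {
            render(view: 'edit', model: [post: post])
            return
        }
        redirect(action: 'show', id: post.id)
    }

    def delete() {
        def post = ownedPostOrNull(params.id)
        if (!post) return
        post.delete(flush: true)
        redirect(action: 'list')
    }

    /** Returns the Post only if it exists and belongs to the logged-in user;
     *  otherwise sends 404 (missing) or 403 (someone else's) and returns null. */
    private Post ownedPostOrNull(id) {
        def post = Post.get(id)
        if (!post) { response.sendError(404); return null }
        if (post.user.id != springSecurityService.currentUser.id) {
            response.sendError(403); return null
        }
        return post
    }
}
```

Because the owner is resolved on the server in every action, the GSP views need no user id at all, hidden or otherwise.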
4

Grab the securityService via the applicationContext:

${applicationContext.springSecurityService.currentUser.id}

<g:hiddenField name="user.id" value="${applicationContext.springSecurityService.currentUser.id}"/>
davmor
  • 448
  • 5
  • 9