Question

I've stumbled across an inconvenience of getting access to child entities in my application. For example, I have the following entity structure in my App: Company->Portfolio->Project->Project Stage. There is also a User entity nested under Company entity which has ManyToMany relation to Portfolio.

Whenever I try to access any child entity (e.g. Project Stage) I have to go all the way up to the Portfolio entity and check if it has a relation to the current User entity. So in a child entity's controller I have to use the following chain:

List<User> users = projectStage.getProject().getPortfolio().getUsers();
for (User user : users) {
    if(user.equals(currentAuthorizedUser)) {
        // allow access to child entity
        // break;
    }
}

Is there a way to automate this process so I don't need to repeat the same set of checks for each child entity in the hierarchy?


Solution

First of all, you can make ProjectStage and Project implement an interface with one method

void checkAccess(User user) throws ForbiddenAccessException;

Each class must implement the check as you defined it in your code above.

Then, you can use action composition in your controller.

  1. Create an action CheckAccessAction that extends play.mvc.Action.Simple
  2. Before each method that needs the access check like loadProjectStage(), deleteProject(), updateProject()... add @With(CheckAccessAction.class)
  3. In the call method of the action composition, you can do your check regarding the type of object that you're trying to access (if you can have the currentAuthorizedUser in the request)

You can define the @With(CheckAccessAction.class) at controller level if all the methods need it.
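
As an added illustration (not code from the question or the answer), the interface approach can be arranged so that the User-to-Portfolio membership test lives only in Portfolio, and Project and ProjectStage delegate upward and deny access when a parent link is missing. The class bodies, the `AccessControlled` interface name and the `isAllowed` helper are assumptions made for this sketch; the Play `CheckAccessAction` wiring is not shown.

```java
import java.util.*;
public class AccessCheckDemo {
    static class ForbiddenAccessException extends Exception {}
    static class User { // constructed stand-in for the application's User entity
        final long id;
        User(long id) { this.id = id; }
        @Override public boolean equals(Object o) { return o instanceof User && ((User) o).id == id; }
        @Override public int hashCode() { return Long.hashCode(id); }
    }
    interface AccessControlled { void checkAccess(User user) throws ForbiddenAccessException; }
    // The only place where the User <-> Portfolio relation is tested.
    static class Portfolio implements AccessControlled {
        final Set<User> users = new HashSet<>();
        public void checkAccess(User user) throws ForbiddenAccessException {
            if (user == null || !users.contains(user)) throw new ForbiddenAccessException();
        }
    }
    // Children carry no rule of their own: they delegate to the parent.
    static class Project implements AccessControlled {
        final Portfolio portfolio;
        Project(Portfolio portfolio) { this.portfolio = portfolio; }
        public void checkAccess(User user) throws ForbiddenAccessException {
            if (portfolio == null) throw new ForbiddenAccessException(); // orphan: deny
            portfolio.checkAccess(user);
        }
    }
    static class ProjectStage implements AccessControlled {
        final Project project;
        ProjectStage(Project project) { this.project = project; }
        public void checkAccess(User user) throws ForbiddenAccessException {
            if (project == null) throw new ForbiddenAccessException(); // orphan: deny
            project.checkAccess(user);
        }
    }
    // Hypothetical helper: what a controller or CheckAccessAction would call first.
    static boolean isAllowed(AccessControlled target, User user) {
        try { target.checkAccess(user); return true; }
        catch (ForbiddenAccessException e) { return false; }
    }
    public static void main(String[] args) {
        Portfolio portfolio = new Portfolio();
        User member = new User(1), outsider = new User(2);
        portfolio.users.add(member);
        ProjectStage stage = new ProjectStage(new Project(portfolio));
        System.out.println("member:   " + isAllowed(stage, member));
        System.out.println("outsider: " + isAllowed(stage, outsider));
        System.out.println("orphan:   " + isAllowed(new ProjectStage(null), member));
    }
}
```

With this shape, adding another level under Project Stage only requires one more delegating `checkAccess`, and a change to the membership rule is made in Portfolio alone.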

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow