Seeing only your own data in Grails

Question

This seems like a fundamental question, but I haven't found a clear answer. I'm using the spring-security-core plugin with Grails, and I have S2Users who have many Portfolios, and Portfolios have many Transactions.

When I go to a scaffolded view to examine Transactions, how do I know that each user is only seeing his own Transactions? Conversely, how can I create a user that can see all Transactions of all users?

It's not clear to me what the default behavior is, and how Grails/Spring-Security knows whether a particular domain class should be visible to everyone versus ones that are only for the associated user.

Answer 1

When I go to a scaffolded view to examine Transactions, how do I know that each user is only seeing his own Transactions?

You're going to have to modify the scaffolded views for it to work correctly:

@Secured(['ROLE_USER'])
def list() {
   def authenticatedUser = User.findByUsername(springSecurityService.principal.username)
   def transactions = Transaction.findAllByUser(authenticatedUser)
   [transactions: transactions]
}

The above will only allowed authenticated users to access the list() method and will get all Transactions for the logged in user.

Conversely, how can I create a user that can see all Transactions of all users?

You don't create a user that can see them all, you create a method in your controller that allows a particular user to see them all, for example:

@Secured(['ROLE_USER', 'ROLE_ADMIN'])
def list() {

   def authenticatedUser = User.findByUsername(springSecurityService.principal.username)
   def transactions = []
   if (SpringSecurityUtils.ifAnyGranted('ROLE_ADMIN')) {
       transactions = Transaction.list()
   }else{
       transactions = Transaction.findAllByUser(authenticatedUser)
   }
   [transactions: transactions]
}

Something like that, anyway. Tweak as needed.

Answer 2

There are plugins that help you with this. I'm using the Hibernate Filter plugin for that exact purpose, it helps you to restrict the SQL so that each user only can see his/her own data. You can then override with your own implementation of the HibernateFilterFilters, that disables all filters if the user has ROLE_ADMIN (copy the source from the plugin and adapt).

There are also some plugins for multi-tenancy, but the maintenance of those seem to be unsure to me. I like the Hibernate Filter plugin, it's simple and straightforward - but you have to change all .get()-calls to .findById() because how the plugin hooks into Grails/GORM.

Answer 3

If the data access rules are more complex and need to be enforced in all the application code, you can use spring-security-acl plugin.