SEC-1640: provide access to current calling object in @Preauthorize and PermissionEvaluator #1880

Closed
spring-issuemaster opened this Issue Dec 17, 2010 · 3 comments

1 participant

@spring-issuemaster

Mike J (Migrated from SEC-1640) said:

This would create an easy way to wire up basic object level permissions for Spring Roo (or other DD) projects, which use void no-arg methods for many methods that should be secured. E.g., take an entity "Contact", I'd like to be able to do this:

@PreAuthorize("hasPermission(this, 'write')")
public void persist() {
    // ...
}

Or even:

@PreAuthorize("this.owner.name == authentication.name")
public void persist() {
    // ...
}

In the examples above, "this" would refer to the instance of the object that contains the annotated method (in this case, an instance of Contact).

Can this be supported?
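The two expressions from the request above, worked into a Contact entity and an ownership-based PermissionEvaluator, as an added example that is not part of the issue thread. The Owner/Contact classes and OwnerPermissionEvaluator are hypothetical, and the evaluator still has to be registered on the method-security expression handler (DefaultMethodSecurityExpressionHandler#setPermissionEvaluator) for hasPermission(...) to reach it.

```java
import java.io.Serializable;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;

// Hypothetical owner record; "name" is what the SpEL expression compares against.
class Owner {
    private final String name;
    Owner(String name) { this.name = name; }
    public String getName() { return name; }
}

// Hypothetical Roo-style entity: the secured methods take no arguments, so
// "this" (the entity instance) is the only way to hand the target to the evaluator.
class Contact {
    private Owner owner;
    public Owner getOwner() { return owner; }
    public void setOwner(Owner owner) { this.owner = owner; }

    // Delegates to the PermissionEvaluator with this Contact as the target object.
    @PreAuthorize("hasPermission(this, 'write')")
    public void persist() { /* save ... */ }

    // Inline ownership check without an evaluator; "authentication" is the
    // current Authentication exposed by the expression root object.
    @PreAuthorize("this.owner.name == authentication.name")
    public void remove() { /* delete ... */ }
}

// Hypothetical evaluator: 'write' is granted only to the contact's owner.
// Deny by default for unknown target types or permissions.
class OwnerPermissionEvaluator implements PermissionEvaluator {
    @Override
    public boolean hasPermission(Authentication auth, Object target, Object permission) {
        if (auth == null || !(target instanceof Contact) || !"write".equals(permission)) {
            return false;
        }
        Owner owner = ((Contact) target).getOwner();
        return owner != null && owner.getName().equals(auth.getName());
    }

    // The id-based variant is not used here; reject so nothing slips through.
    @Override
    public boolean hasPermission(Authentication auth, Serializable targetId,
                                 String targetType, Object permission) {
        return false;
    }
}
```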

@spring-issuemaster

Mike J said:

Hi, can you give me a pointer to the source to explore to investigate this issue on my own? Specifically, I guess I want to find the class that calls the expression handler?

Any thoughts on this in regards to whether this would be reasonable (or problematic)?

Thanks.

@spring-issuemaster

Luke Taylor said:

I've added a "this" property to the expression root object. Please give it a try with the latest snapshot build.

@spring-issuemaster

Mike J said:

Works brilliantly! Thanks.

@spring-issuemaster spring-issuemaster added this to the 3.1.0.RC2 milestone Feb 5, 2016