
How to restrict user from accessing a particular action of a controller?

    def filters = {
        loginCheck(controller:'*', action:'*') {
            before = {
                if(!session.user && !session.merchants) {
                    redirect(action:'login')
                    return false
                }
            }
        }
    }

That was my filter for login security. And below is the interceptor in the action for restricting the user from the search action. But neither of them is working. Can anyone tell me what the mistake is?

    def beforeInterceptor = [action:this.&checkUser, Only:'search']

    def scaffold = true

    def checkUser() {
        if (session.user) {
            redirect(action:"search")
        }
        if (session.merchants) {
            redirect(action:"toIndex")
            flash.message = "You are not valid user for this action"
            return false
        }
    }


There's a really nice shorthand that you can apply directly to actions (if you're not using filters):

    @Secured(['ROLE_USER'])
    def search = {

    }

You can give every user ROLE_USER and simply require that role.
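A fuller version of that shorthand, added here as an illustration and not part of the answer above: a controller annotated at class level so every action needs a logged-in user or merchant, with the search action narrowed to ROLE_USER only. It assumes the Spring Security Core plugin in its 1.x form (matching the `grails.plugins.springsecurity` package used elsewhere on this page), a role named ROLE_MERCHANT and a controller name chosen for the example.

```groovy
// grails-app/controllers/ProductController.groovy  (controller name is assumed)
// Spring Security Core 1.x import; 2.x moved it to grails.plugin.springsecurity.annotation.Secured
import grails.plugins.springsecurity.Secured

// Class-level rule: every action requires an authenticated user holding one of these roles.
// ROLE_MERCHANT is an assumed role name; ROLE_USER comes from the answer above.
@Secured(['ROLE_USER', 'ROLE_MERCHANT'])
class ProductController {

    // Inherits the class-level rule: both users and merchants may reach it.
    def index = {
        [products: []]   // placeholder model for the example
    }

    // Method-level annotation overrides the class-level one:
    // merchants (without ROLE_USER) are denied here and get the plugin's access-denied handling.
    @Secured(['ROLE_USER'])
    def search = {
        [results: []]    // placeholder model for the example
    }
}
```

Because the denial is enforced by the plugin before the action runs, there is no session flag to forget and no redirect loop to worry about; a merchant hitting /product/search is refused rather than bounced between actions.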


Actually, your filter should work, as it is set for every controller and every action. Here is the Grails example from the reference:

    class SecurityFilters {
        def filters = {
            loginCheck(controller:'*', action:'*') {
                before = {
                    if(!session.user && !actionName.equals('login')) {
                        redirect(action:'login')
                        return false
                    }
                }
            }
        }
    }

I worked with this one and it worked for me. What I'm not sure about is the session.merchants in your code. What is this?

Did you follow this:

To create a filter create a class that ends with the convention Filters in the grails-app/conf directory.


Edit: If you use Spring Security you don't need to add a filter or interceptor. Check the user guide: http://burtbeckwith.github.com/grails-spring-security-core/docs/manual/index.html

You can configure it with URL mappings or annotations, e.g.:

    grails.plugins.springsecurity.controllerAnnotations.staticRules = [
        '/js/admin/**': ['ROLE_ADMIN'],
        '/someplugin/**': ['ROLE_ADMIN']
    ]

EDIT 2:

To get the logged in user use:

    def authenticateService

    ...

    def action = {
        def user = authenticateService.principal()
        def username = user?.getUsername()
        ...
    }
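Putting the reference filter together with the per-action restriction the question asks for, as an added example that is not part of the answer above and not the asker's code. It assumes the question's `session.user` and `session.merchants` attributes, a `login` and a `toIndex` action on the same controller, and a controller named `product` for the search action. Two things differ from the question's code: the login check skips the login action itself, otherwise every unauthenticated visit to login redirects back to login; and the action restriction is expressed as a second filter scoped to the search action, which is what the `only:'search'` key of a beforeInterceptor does (the map key is lowercase `only`; a capitalised `Only` is simply ignored, so the interceptor ends up running for every action).

```groovy
// grails-app/conf/SecurityFilters.groovy  (class name must end in "Filters")
class SecurityFilters {

    def filters = {

        // Runs for every controller and action: anyone without a user or merchant
        // session is sent to the login action, except when they are already on it.
        loginCheck(controller: '*', action: '*') {
            before = {
                if (!session.user && !session.merchants && actionName != 'login') {
                    redirect(action: 'login')
                    return false
                }
            }
        }

        // Applies only to /product/search (controller name assumed): a merchant
        // session that is not also a user session is turned away with a message.
        merchantSearchBlock(controller: 'product', action: 'search') {
            before = {
                if (session.merchants && !session.user) {
                    flash.message = "You are not valid user for this action"
                    redirect(action: 'toIndex')
                    return false
                }
            }
        }
    }
}
```

Filters run in the order they are declared, so the login check fires first and the search restriction only sees requests that already carry a session. Returning false after the redirect is what stops the action from executing; a redirect on its own, as in the question's checkUser, lets the action body run anyway.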