How to restrict user from accessing a particular action of a controller?
def filters = {
loginCheck(controller:'*', action:'*') {
before = {
if(!session.user && !session.merchants)
{
redirect(action:'login')
return false
}
}}
That was my filter for login security. 开发者_如何学GoAnd below is interceptor in action for restricting user from search action. But both are not working. Can any one tell what the mistake is?
def beforeInterceptor = [action:this.&checkUser,Only:'search']
def scaffold = true
def checkUser()
{
if (session.user)
{
redirect(action:"search")
}
if(session.merchants)
{
redirect(action:"toIndex")
flash.message="You are not valid user for this action"
return false
}
}
There's a really nice shorthand that you can apply directly to actions (if you're not using filters):
@Secured(['ROLE_USER'])
def search = {
}
You can give every user ROLE_USER and simply require that role.
actually you filter should work as it is set for every controller and every action. here is the grails example from the reference:
class SecurityFilters {
def filters = {
loginCheck(controller:'*', action:'*') {
before = {
if(!session.user && !actionName.equals('login')) {
redirect(action:'login')
return false
}
}
}
}
}
I worked with this one and it worked for me.
What I'm not sure is about the session.merchants
in your code.
What is this ?
Did you follow this:
To create a filter create a class that ends with the convention Filters in the grails-app/conf directory.
Edit: If you use spring security you don't need to add a filter or interceptor. check the user guide: http://burtbeckwith.github.com/grails-spring-security-core/docs/manual/index.html
you can configure it with url mappings or annotations.
ex.
grails.plugins.springsecurity.controllerAnnotations.staticRules = [
'/js/admin/**': ['ROLE_ADMIN'],
'/someplugin/**': ['ROLE_ADMIN']
]
EDIT 2:
To get the logged in user use:
def authenticateService
...
def action{
def user = authenticateService.principal()
def username = user?.getUsername()
...
精彩评论