How can I write a “user can only access own profile page” type of security check in Play Framework?
I have a Play framework application that has a model like this: a Company has one and only one User associated with it.
I have URLs like http://www.example.com/companies/1234, http://www.example.com/companies/1234/departments, http://www.example.com/companies/1234/departments/employees and so on. The numbers are the company ids, not the user ids.
I want normal users (not admins) to only be able to access their own profile pages, not other people's profile pages. So a user associated with the company with id 1234 should not be able to access the URL http://www.example.com/companies/6789.
I tried to accomplish this by overriding Secure.check() and comparing the request parameter "id" to the ID of the company associated with the logged-in user. However, this obviously fails if the parameter is called anything other than "id".
Does anyone know how this could be accomplished?
You could have a simple @Before function, or if it is only on the view page that you want to apply the security, then you could have a simple bit of code at the beginning that checks the user's id (I assume from the session), and checks that they are allowed to access the page, by getting the User from the id in the session, and the Company from the id passed in, and checking them against each other.
If security fails, then either return a badRequest instead of render, or call an action that shows a notAuthorised custom page.
You could make a SecureProfileController class that extends Controller, has a method that checks the companyId-that-is-to-be-viewed against the user's companyId, and let the controllers that need that logic extend the SecureProfileController.
If the method is an @Before function, like Codemwnci says, then it can intercept all the action methods in the inherited classes.
Alternatively you could have a look at Deadbolt, where you can set up roles for users and restrict access based on those roles: http://www.playframework.org/modules/deadbolt-1.0/home
Hope that helps :)
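The base-controller-plus-@Before approach that both answers describe, written out as an added example (not code from either answer). It assumes Play 1.x with the Secure module, a `Company` model with a `User user` field, a `User` model with `email` and `isAdmin` fields where the Secure module's username is the e-mail, and that every company-scoped route names its parameter `companyId`, which is what sidesteps the "parameter is not called id" problem from the question.

```java
package controllers;

import models.Company;
import models.User;
import play.mvc.Before;
import play.mvc.Controller;
import play.mvc.With;

// Base controller for every action whose route carries a company id.
// Companies, Departments, Employees etc. extend this class so the @Before
// interceptor runs in front of each of their action methods.
// conf/routes (assumed): GET /companies/{<[0-9]+>companyId}  Companies.show
@With(Secure.class)
public class SecureProfileController extends Controller {

    // The check keys on one agreed parameter name rather than on "id", so it
    // works for /companies/{companyId}/departments/employees just as well.
    @Before
    static void checkCompanyAccess() {
        String companyId = params.get("companyId");
        if (companyId == null) {
            return; // action is not scoped to a company, nothing to enforce
        }

        // Secure module keeps the username in the session (assumed: the e-mail)
        User user = User.find("byEmail", Security.connected()).first();
        if (user == null) {
            forbidden(); // logged-in name no longer maps to a user
        }
        if (user.isAdmin) {
            return; // admins may view every company
        }

        Long id;
        try {
            id = Long.parseLong(companyId);
        } catch (NumberFormatException e) {
            notFound(); // route regex should prevent this; fail closed anyway
            return;
        }
        Company company = Company.findById(id);
        // Unknown ids answer 404, so the response does not reveal which company
        // ids exist; existing but foreign companies answer 403.
        notFoundIfNull(company);
        if (company.user == null || !company.user.id.equals(user.id)) {
            forbidden("You may only view your own company");
        }
    }
}
```

Because the check lives in the parent class, a controller such as `public class Companies extends SecureProfileController` gets it on every action without repeating the comparison in each method.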