How to add restriction based on Roles into Config.groovy file on Grails?

Question

I'm trying to add some restrictions to some pages on my Config.groovy, but I'm not able to do it properly.

I want that RoleType.ROLE_HR_ADMIN to access index and creation pages. While for RoleType.ROLE_HR_READONLY it should be able to access the index page and show pages only. I'm already hiding the button so the user can't click on it to go to the creation screen. But if I get the full URL, copy and paste it on the browser I'm still able to access it.

That is what I tried to do on Config.groovy:

'/siteadmin/party/**': [RoleType.ROLE_SITE_ADMIN.id],
        '/siteadmin/party/create/**': [RoleType.ROLE_HR_ADMIN.id],
        '/siteadmin/party/index/**': [RoleType.ROLE_HR_ADMIN.id, RoleType.ROLE_HR_READONLY.id],

but then I'm getting:

"Sorry, you're not authorized to view this page."

If someone can send me a link showing how to do it properly it would be great. I tried some different approaches but none of them worked.

Answer 1

Check this out: https://grails-plugins.github.io/grails-spring-security-core/v2/guide/requestMappings.html

Especially look at grails.plugin.springsecurity.interceptUrlMap :

'/j_spring_security_switch_user': ['ROLE_ADMIN']

so in your case:

'/siteadmin/party/create/**': ['ROLE_HR_ADMIN'],
'/siteadmin/party/index/**': ['ROLE_HR_ADMIN', 'ROLE_HR_READONLY']
'/siteadmin/party/**': ['ROLE_SITE_ADMIN']

Order matters.