Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share

spring security - Seeing only your own data in Grails

This seems like a fundamental question, but I haven't found a clear answer. I'm using the spring-security-core plugin with Grails, and I have S2Users who have many Portfolios, and Portfolios have many Transactions.

When I go to a scaffolded view to examine Transactions, how do I know that each user is only seeing his own Transactions? Conversely, how can I create a user that can see all Transactions of all users?

It's not clear to me what the default behavior is, and how Grails/Spring-Security knows whether a particular domain class should be visible to everyone versus ones that are only for the associated user.


1 Answer


When I go to a scaffolded view to examine Transactions, how do I know that each user is only seeing his own Transactions?

You're going to have to modify the scaffolded views for it to work correctly:

import grails.plugin.springsecurity.annotation.Secured   // plugin 1.x: grails.plugins.springsecurity.Secured

def springSecurityService   // injected into the controller by the plugin

@Secured(['ROLE_USER'])
def list() {
    // look up the logged-in domain user and return only that user's Transactions
    def authenticatedUser = User.findByUsername(springSecurityService.principal.username)
    def transactions = Transaction.findAllByUser(authenticatedUser)
    [transactions: transactions]
}

The above will only allow authenticated users to access the list() method and will get all Transactions for the logged-in user.

Conversely, how can I create a user that can see all Transactions of all users?

You don't create a user that can see them all, you create a method in your controller that allows a particular user to see them all, for example:

import grails.plugin.springsecurity.SpringSecurityUtils   // plugin 1.x: grails.plugins.springsecurity.SpringSecurityUtils
import grails.plugin.springsecurity.annotation.Secured

def springSecurityService   // injected into the controller by the plugin

@Secured(['ROLE_USER', 'ROLE_ADMIN'])
def list() {
    def authenticatedUser = User.findByUsername(springSecurityService.principal.username)
    def transactions = []
    if (SpringSecurityUtils.ifAnyGranted('ROLE_ADMIN')) {
        // admins see every user's Transactions
        transactions = Transaction.list()
    } else {
        // everyone else sees only their own
        transactions = Transaction.findAllByUser(authenticatedUser)
    }
    [transactions: transactions]
}

Something like that, anyway. Tweak as needed.

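As an added example (not the original answer's code), here is a controller that applies the same owner-or-admin rule to the id-based actions a scaffold also generates, since filtering list() by itself does not restrict show/edit/delete. It assumes the question's User and Transaction domain classes with a 'user' property on Transaction, and the plugin 2.x import paths (1.x uses grails.plugins.springsecurity.Secured and grails.plugins.springsecurity.SpringSecurityUtils).

```groovy
import grails.plugin.springsecurity.SpringSecurityUtils
import grails.plugin.springsecurity.annotation.Secured

// Added example (not the original answer's code). Assumes the question's domain
// classes: a User with 'username' and a Transaction with a 'user' property, plus the
// springSecurityService the spring-security-core plugin injects into controllers.
class TransactionController {

    def springSecurityService

    // Resolve the logged-in domain user once per request.
    private User currentUser() {
        User.findByUsername(springSecurityService.principal.username)
    }

    // Ownership check shared by every id-based action. Returns the Transaction when
    // the caller may see it, otherwise null; the action then answers 404 so the
    // response does not reveal whether the id exists but belongs to someone else.
    private Transaction ownedTransaction(Long id) {
        Transaction tx = Transaction.get(id)
        if (!tx) return null
        if (SpringSecurityUtils.ifAnyGranted('ROLE_ADMIN')) return tx
        tx.user?.id == currentUser()?.id ? tx : null
    }

    @Secured(['ROLE_USER', 'ROLE_ADMIN'])
    def list() {
        def transactions = SpringSecurityUtils.ifAnyGranted('ROLE_ADMIN') ?
            Transaction.list() : Transaction.findAllByUser(currentUser())
        [transactions: transactions]
    }

    // Scaffolded show/edit/delete take the id from the URL, so filtering list()
    // alone does not protect a Transaction that is requested directly by id.
    @Secured(['ROLE_USER', 'ROLE_ADMIN'])
    def show(Long id) {
        Transaction tx = ownedTransaction(id)
        if (!tx) { render status: 404; return }
        [transaction: tx]
    }

    @Secured(['ROLE_USER', 'ROLE_ADMIN'])
    def delete(Long id) {
        Transaction tx = ownedTransaction(id)
        if (!tx) { render status: 404; return }
        tx.delete(flush: true)
        redirect action: 'list'
    }
}
```

The edit and update actions need the same ownedTransaction() check, since a GSP form only hides the id; it does not stop a request that supplies a different one.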