Hi all,

I have been thinking about using the wild card permissions within our application but I am struggling with how to represent the following:

(1) A user who has permission to edit themselves.
(2) A user who has permissions to edit people in the same department.

The only option I have come up with is to represent permissions as follows:

    user:updateSelf
    user:updateOther:<departmentX>

One problem with this is that it would potentially require two permission checks. I had originally wanted just one permission like 'user:update'.

In addition there is a possibility that we might need to add permissions down to attribute level for some resources. Again the only way I can think of representing this is to split it out as follows:

    user:updateOwnEmail
    user:updateOtherEmail:<departmentX>
    ...

What do you think? I was hoping for a more hierarchical approach which meant I could just use a single permission check in the code. I did think about generating the permissions from other information in the database (i.e. not necessarily storing all the permissions as permissions but I would like to stick with 'clear' permissions if possible).

Any tips/pointers would be greatly appreciated as we have only just started to use Shiro and I would like to minimise our initial mistakes!

Cheers,
Stuart
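The two permission strings from the post, evaluated with Shiro's `WildcardPermission`, as an added example that is not part of the original post. The `canUpdate` helper, the user ids and the department names are hypothetical, and the department name is assumed to be a plain identifier; the example needs `shiro-core` on the classpath.

```java
import java.util.List;
import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.permission.WildcardPermission;

public class UserUpdateCheck {

    // Hypothetical helper: chooses which of the post's two permission strings
    // applies to this request, so calling code makes a single check.
    static boolean canUpdate(List<Permission> granted, String actorId,
                             String targetId, String targetDept) {
        String required;
        if (actorId.equals(targetId)) {
            required = "user:updateSelf";
        } else {
            // Assumption: department names are plain identifiers. ':' ',' and '*'
            // are WildcardPermission syntax, so values containing them (or empty
            // values) are refused before being concatenated into the string.
            if (targetDept == null || !targetDept.matches("[A-Za-z0-9_-]+")) {
                return false;
            }
            required = "user:updateOther:" + targetDept;
        }
        Permission needed = new WildcardPermission(required);
        for (Permission p : granted) {
            if (p.implies(needed)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed grants for user "u1", an editor for department "sales".
        List<Permission> deptEditor = List.of(
            new WildcardPermission("user:updateSelf"),
            new WildcardPermission("user:updateOther:sales"));
        System.out.println(canUpdate(deptEditor, "u1", "u1", "sales")); // own record
        System.out.println(canUpdate(deptEditor, "u1", "u2", "sales")); // same department
        System.out.println(canUpdate(deptEditor, "u1", "u3", "hr"));    // other department

        // A grant that stops at the action part covers every department,
        // because WildcardPermission treats missing trailing parts as implied.
        List<Permission> allDepts = List.of(new WildcardPermission("user:updateOther"));
        System.out.println(canUpdate(allDepts, "u9", "u3", "hr"));
    }
}
```

Inside an application the loop over `granted` would normally be replaced by `Subject.isPermitted(required)`, which delegates to the realm's permissions.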
