I'm doing something similar - I need to do row-level permission checks in my
Grails application with the Grails-Shiro-Plugin. I need some help getting my
head around the permission check implementation. Below is a simple example
of what I'm doing:
Let's say I have domain objects like these:
    class Doc {
        Long id
        User owner
    }

    class User {
        Long id
    }
A permission check in a service method:
    currentSubject.isPermitted("doc:update:${doc.id}")
I'd like to have wildcard permission strings like this for the user. Maybe
they would be read from a database table USER_ROLE_PERMISSIONS or
something...:
    def perms = [ "doc:read:*", "doc:update,delete:owner=${userId}", "doc:save:*" ]
The permission check implementation is in my DbRealm class. The
Grails-Shiro-Plugin calls DbRealm.isPermitted() when a Subject.isPermitted()
call is made:
    boolean isPermitted(principal, requiredPermission) {
        def perms = [ "doc:read:*", "doc:update,delete:owner=${principal}", "doc:save:*" ]
        // first granted permission string whose resolved Permission implies the required one
        def permission = perms?.find {
            Permission perm = shiroPermissionResolver.resolvePermission(it)
            return (perm.implies(requiredPermission))
        }
        return (permission != null)
    }
The permission check is the troublesome bit for me.
- Should I subclass the WildcardPermission class and implement my own
implies() method which could understand the notation for item owner id?
- Should I build and cache the permissions for the user in advance so that it
would contain all possible items the user could access? Something like
[ "doc:update:123", "doc:update:124", "doc:delete:123", "doc:delete:124", ... ]?
This seems like a runtime ACL.
I can't be the first one doing this but I haven't found a simple solution
yet. I'm trying to avoid creating something unnecessarily complex :)
Regards,
Antti
--
View this message in context:
http://shiro-user.582556.n2.nabble.com/Best-Permission-Structure-e-g-User-departments-tp7578991p7579060.html
Sent from the Shiro User mailing list archive at Nabble.com.
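As an added illustration of the first option in the post above (this is not Antti's code and not part of the Grails-Shiro-Plugin or Shiro itself), a WildcardPermission subclass in Java whose instance part accepts owner=<userId>. It assumes a hypothetical ownerOf lookup (doc id to owner id) and that both the realm's granted strings and the required permission are resolved through its resolver(), because WildcardPermission.getParts() is protected and only a permission of the same type can be inspected.

```java
import java.util.List;
import java.util.Set;
import java.util.function.Function;
import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.permission.PermissionResolver;
import org.apache.shiro.authz.permission.WildcardPermission;

/** WildcardPermission whose instance part may read "owner=<userId>", e.g. "doc:update,delete:owner=42". */
public class OwnerAwarePermission extends WildcardPermission {
    private static final String OWNER_PREFIX = "owner=";
    // Hypothetical lookup from a doc id to its owner's id (in Grails roughly Doc.get(id)?.owner?.id as String).
    private final transient Function<String, String> ownerOf;
    public OwnerAwarePermission(String wildcardString, Function<String, String> ownerOf) {
        super(wildcardString); // parses and lower-cases the parts exactly like WildcardPermission
        this.ownerOf = ownerOf;
    }

    /** Resolver to register with the realm and the security manager so both sides get this type. */
    public static PermissionResolver resolver(Function<String, String> ownerOf) {
        return s -> new OwnerAwarePermission(s, ownerOf);
    }

    /** Same part-by-part walk as WildcardPermission.implies; only the token comparison differs. */
    @Override
    public boolean implies(Permission p) {
        // getParts() is protected, so only a permission of this type can be inspected from here.
        if (!(p instanceof OwnerAwarePermission)) return false;
        List<Set<String>> mine = getParts();
        List<Set<String>> required = ((OwnerAwarePermission) p).getParts();
        int i = 0;
        for (Set<String> reqPart : required) {
            if (mine.size() - 1 < i) return true; // granted string is shorter: trailing parts are implied
            Set<String> myPart = mine.get(i++);
            if (!myPart.contains("*") && !impliesPart(myPart, reqPart)) return false;
        }
        for (; i < mine.size(); i++) { // granted string has extra parts: all of them must be wildcards
            if (!mine.get(i).contains("*")) return false;
        }
        return true;
    }
    private boolean impliesPart(Set<String> myPart, Set<String> reqPart) {
        return reqPart.stream().allMatch(req -> myPart.stream().anyMatch(g -> tokenMatches(g, req)));
    }
    private boolean tokenMatches(String granted, String req) { // in the instance part, req is a doc id like "123"
        if (granted.equals(req)) return true;
        if (!granted.startsWith(OWNER_PREFIX)) return false;
        String owner = ownerOf.apply(req); // null when the doc does not exist: deny
        return owner != null && owner.equalsIgnoreCase(granted.substring(OWNER_PREFIX.length()));
    }
}
```

The owner= token is evaluated at check time against the document's current owner, so nothing has to be precomputed or invalidated when a document changes hands; the cost is one ownerOf lookup per required doc id.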