Posted to user@shiro.apache.org by gbrits <gb...@gmail.com> on 2013/10/02 15:10:43 UTC

How would I configure that a user is only allowed to change its own account-data?

Hi all, 

given Apache Shiro's permission format domain:action:instance how would I
define that a user may only change its own account-data?

I could do the following but this leads to an enormous explosion of
permissions:

useraccountdata:write:user1 permit to user1 ... useraccountdata:write:userN
permit to userN

What I need instead is something of permission-rules to configure this
dynamically.

Something like: useraccountdata:write:user{n} permit to user{n}
automatically for all n

Is this supported somehow or am I completely on the wrong path here? If not,
how would you do it?

Thanks, 
Geert-Jan 


P.S.: verbatim copy from Stack Overflow where this question didn't get much
traction.
http://stackoverflow.com/questions/19125869/how-would-i-configure-that-a-user-is-only-allowed-to-change-its-own-account-dat





--
View this message in context: http://shiro-user.582556.n2.nabble.com/How-would-i-configure-that-a-user-is-only-allowed-to-change-it-s-own-account-data-tp7579208.html
Sent from the Shiro User mailing list archive at Nabble.com.

Re: How would I configure that a user is only allowed to change its own account-data?

Posted by versatec <ro...@versatec.de>.
In that case you could add a permission 'useraccountdata:write:self' to your
application and whoever does not own 'any' or 'self' may not change any
data. You could also include 'useraccountdata:write:team' or something
similar for future use.





Re: How would I configure that a user is only allowed to change its own account-data?

Posted by gbrits <gb...@gmail.com>.
So that means you're *implicitly* modelling the 'permission to modify your
own data' as the negation of "useraccountdata:write:any".
I'm looking for a way to do this explicitly.

Hypothetically (this may work well for your domain of course), what happens
if there comes a time that some 'users' (say computer actors) are never
allowed to change any useraccountdata, not even their own. You would have to
change your code. I'd rather have it work through declarative permissions
instead.



2013/10/2 versatec [via Shiro User] <
ml-node+s582556n7579209h17@n2.nabble.com>

> I am following this road:
> Shiro permissions:
> useraccountdata:write:any - user may edit anybody's data
>
> JSF Backing bean:
> if (subject.isPermitted("useraccountdata:write:any")) return all user data
> found in a list and display in a jsf datatable (pseudo code: select * from
> User)
> else return only subject's own data for editing in the datatable (pseudo
> code: select * from User where User.id == subject.getPrincipal().getName()
> )
>
> So depending on whether the subject has the permission to edit 'any' I do
> a different database query than when he lacks this permission.
>
> I also disable some UI components when the subject does not have the 'any'
> permission since filtering and searching make no sense if only one set of
> data is displayed, anyhow.





Re: How would I configure that a user is only allowed to change its own account-data?

Posted by versatec <ro...@versatec.de>.
I am following this road:
Shiro permissions:
useraccountdata:write:any - user may edit anybody's data

JSF Backing bean:
if (subject.isPermitted("useraccountdata:write:any")) return all user data
found in a list and display in a jsf datatable (pseudo code: select * from
User)
else return only subject's own data for editing in the datatable (pseudo code:
select * from User where User.id == subject.getPrincipal().getName() )

So depending on whether the subject has the permission to edit 'any' I do a
different database query than when he lacks this permission. 

I also disable some UI components when the subject does not have the 'any'
permission since filtering and searching make no sense if only one set of
data is displayed, anyhow.



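
One way to get the "user{n} may write user{n}" rule from this thread declaratively, as an added example (not code from the thread or from the Shiro project): a realm that expands a placeholder in role permissions to the subject's own id, plus a check meant for the update path, since choosing which rows to display does not by itself protect the write. The `{self}` token, the class and method names, the sample policy and the id pattern are assumptions, and the primary principal is assumed to be the user id string.

```java
import java.util.*;
import java.util.regex.Pattern;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authz.*;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;

/** Added example: expands a hypothetical "{self}" token in role permissions to the subject's own id. */
public class SelfScopedRealm extends AuthorizingRealm {
    // Constructed sample policy (role -> permission templates); a real application loads this from config or a DB.
    private static final Map<String, List<String>> ROLE_PERMS = new HashMap<>();
    private static final Map<String, List<String>> USER_ROLES = new HashMap<>();
    static {
        ROLE_PERMS.put("member", Arrays.asList("useraccountdata:write:{self}"));
        ROLE_PERMS.put("admin", Arrays.asList("useraccountdata:write:*"));
        ROLE_PERMS.put("robot", Arrays.asList("useraccountdata:read:{self}")); // never writes, not even its own
        USER_ROLES.put("user1", Arrays.asList("member"));
        USER_ROLES.put("root", Arrays.asList("admin"));
        USER_ROLES.put("batch7", Arrays.asList("robot"));
    }
    // Ids are spliced into a wildcard string, so ':', ',' and '*' must never appear in them.
    // Shiro's default WildcardPermission also ignores case, so ids must be unique ignoring case.
    private static final Pattern SAFE_ID = Pattern.compile("[A-Za-z0-9_.@-]{1,64}");

    static String safeId(Object id) {
        String s = String.valueOf(id);
        if (!SAFE_ID.matcher(s).matches()) throw new AuthorizationException("unsafe user id");
        return s;
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        String self = safeId(principals.getPrimaryPrincipal());
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        for (String role : USER_ROLES.getOrDefault(self, Collections.<String>emptyList())) {
            info.addRole(role);
            for (String template : ROLE_PERMS.getOrDefault(role, Collections.<String>emptyList()))
                info.addStringPermission(template.replace("{self}", self)); // user1 -> useraccountdata:write:user1
        }
        return info;
    }

    @Override // authorization-only realm: another configured realm performs the login
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) { return null; }
    @Override
    public boolean supports(AuthenticationToken token) { return false; }

    /** Call on the update path itself; throws AuthorizationException when the write is not permitted. */
    public static void requireAccountWrite(Subject subject, String targetUserId) {
        subject.checkPermission("useraccountdata:write:" + safeId(targetUserId));
    }
}
```

With this sample policy `user1` passes the check only for target `user1`, `root` passes for any target, and `batch7` fails for every target because its role carries no write template.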