# Object Permission Control

# Basic Permission Control

For permission control logic without complex logic, unrelated to operating object data, and only related to its type, the interface configuration method can be used. If you need to determine whether a user can operate an object based on the values in the object, such as the values of certain fields combined with the current user's role, you need to use customized development to implement it.

TIP

The following content is only for explaining how the system works. In the current version of the system, for object creation and modification operations, there is no need to directly configure RequestMap to control permissions. You only need to configure the enable roles field in the object form to implement permission control.

The following reference content is for troubleshooting when problems occur.

By default, object permission control is set according to whether the API port created by the object is exposed to a certain role. This setting is set in Request Map. In the following document, taking the object DomainObject as an example, the relevant permission configuration for this type of object is explained.

# View Permission

If you want to grant a certain role ROLE_A the viewing permission for this object, you need to insert the following records in Request Map

HttpMethod, Config Attribute, Url
GET,"ROLE_A",/
GET,"ROLE_A",/DomainObject/**
GET,"ROLE_A",/domain/DomainObject
GET,"ROLE_A",/DomainObject/**
1
2
3
4
5

# Create Permission

If you need to grant its creation permission to a certain role ROLE_A, you need to create the following related records in the Request Map object:

HttpMethod: POST
Config Attribute: ROLE_A
Url: /DomainObject
1
2
3

# Edit Permission

If you need to grant its editing permission to a certain role ROLE_A, you need to create the following related records in the Request Map object:

HttpMethod: PUT
Config Attribute: ROLE_A
# For old deprecated Grails GORM defined Domain Class, its Url
Url: /DomainObject/**
1
2
3
4

# Delete Permission

If you need to grant its deletion permission to a certain role ROLE_A, you need to create the following related records in the Request Map object:

HttpMethod: DELETE
Config Attribute: ROLE_A
Url: /DomainObject/**
1
2
3

# Dynamic Permissions

The system can dynamically judge whether a user has the right to create, modify, or delete an object at runtime based on the attribute values of the object, the current user's role, and other information. The customization method is detailed as follows.

# Dynamic Create Permission

For dynamic creation permission judgment of objects, you need to create the following Dynamic Object Hook object

Hook Type: Select Object create ability
Object Type: Select the object type to which this customized logic applies
Core Logic: Select the specific judgment implementation logic
1
2
3

# Injected Variables

The injected variables that can be used are shown in the following table:

Variable Name Variable Type Description
objectType Class<?> The current operating object type
userContext grails.plugin.springsecurity.userdetails.GrailsUser The current operating user information
application grails.core.GrailsApplication The current grails application context
log Closure<?> The log closure for printing execution logs

# Return Result

The customized code needs to return a Map<String, Boolean> object, which contains an element with the key create, as shown in the following example:

// ๆœฌ่กŒไปฃ็ ่ฟ”ๅ›žๅ…่ฎธ็”จๆˆทๅˆ›ๅปบ่ฏฅๅฏน่ฑก
// Allow user to create this object
return ['create': true] 
1
2

# Dynamic Modify and Delete Permissions

For dynamic modification and deletion permission judgment of objects, you need to create the following Dynamic Object Hook object

Hook Type: Select Update/delete ability
Object Type: Select the object type to which this customized logic applies
Core Logic: Select the specific judgment implementation logic
1
2
3

and the corresponding Dynamic Object Hook object

# Injected Variables

The injected variables that can be used in the customized code are shown in the following table:

Variable Name Variable Type Description
objectType Class<?> The current operating object type
userContext grails.plugin.springsecurity.userdetails.GrailsUser The current operating user information
objectValue grails.core.GrailsDomainClass Please use the object parameter Deprecated
object grails.core.GrailsDomainClass The current operating object, the type is the current operating object type
application grails.core.GrailsApplication The current grails application context
log Closure<?> The log closure for printing execution logs

# Return Result

The customized code needs to return a Map<String, Boolean> object, which contains elements with keys update and delete, as shown in the following example:

//่ฟ”ๅ›žๅ…่ฎธ็”จๆˆทๆ›ดๆ–ฐ่ฏฅๅฏน่ฑก๏ผŒไฝ†ไธๅ…่ฎธ็”จๆˆทๅˆ ้™ค่ฏฅๅฏน่ฑก 
//Allow user to update this object, but not allow user to delete this object
return [
  result: [
    'update': true,
    'delete': false
  ]
] 
1
2
3
4
5
6
7
Last Updated: 9/29/2024, 2:33:14 AM