Home/ Questions/Q 8801029
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-14T00:44:13+00:00

This seems like a fundamental question, but I haven’t found a clear answer. I’m

  • 0

This seems like a fundamental question, but I haven’t found a clear answer. I’m using the spring-security-core plugin with Grails, and I have S2Users who have many Portfolios, and Portfolios have many Transactions.

When I go to a scaffolded view to examine Transactions, how do I know that each user is only seeing his own Transactions? Conversely, how can I create a user that can see all Transactions of all users?

It’s not clear to me what the default behavior is, and how Grails/Spring-Security knows whether a particular domain class should be visible to everyone versus ones that are only for the associated user.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    When I go to a scaffolded view to examine Transactions, how do I know
    that each user is only seeing his own Transactions?

    You’re going to have to modify the scaffolded views for it to work correctly:

    @Secured(['ROLE_USER'])
def list() {
   def authenticatedUser = User.findByUsername(springSecurityService.principal.username)
   def transactions = Transaction.findAllByUser(authenticatedUser)
   [transactions: transactions]
}

    The above will only allowed authenticated users to access the list() method and will get all Transactions for the logged in user.

    Conversely, how can I create a user that can see all Transactions of
    all users?

    You don’t create a user that can see them all, you create a method in your controller that allows a particular user to see them all, for example:

    @Secured(['ROLE_USER', 'ROLE_ADMIN'])
def list() {

   def authenticatedUser = User.findByUsername(springSecurityService.principal.username)
   def transactions = []
   if (SpringSecurityUtils.ifAnyGranted('ROLE_ADMIN')) {
       transactions = Transaction.list()
   }else{
       transactions = Transaction.findAllByUser(authenticatedUser)
   }
   [transactions: transactions]
}

    Something like that, anyway. Tweak as needed.

    • 0