https://github.com/bitsofinfo/spring-boot-data-pre-authorize-issue
- Host: GitHub
- URL: https://github.com/bitsofinfo/spring-boot-data-pre-authorize-issue
- Owner: bitsofinfo
- Created: 2016-09-23T17:10:52.000Z (over 9 years ago)
- Default Branch: master
- Last Pushed: 2016-11-20T03:12:45.000Z (about 9 years ago)
- Last Synced: 2025-01-29T11:12:56.220Z (12 months ago)
- Language: Java
- Size: 54.7 KB
- Stars: 0
- Watchers: 2
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
# spring-boot-data-pre-authorize-issue
```
./gradlew bootRun
```
## POST a new record (MyPermissionEvaluator will be called with NULL targetObject)
```
curl -X POST -H "Content-Type: application/json" -H "Authorization: Basic dXNlcjoxMjM=" -H "Cache-Control: no-cache" -d '{
"firstname":"spring",
"lastname":"buggy"
}' "http://localhost:8080/testrecords"
```
```
onBeforeCreate id: null Firstname:spring Lastname: buggy ID:my.test.TestRecord@5b864879
MyPermissionEvaluator hasPermission_1() called: targetDomainObject=(targetDomainObject=null)
onAfterCreate id: 1 Firstname:spring Lastname: buggy ID:my.test.TestRecord@5b864879
```
## PATCH the record (MyPermissionEvaluator will be called with NON-NULL targetObject on `findOne`, followed by NULL targetObject on `save`)
```
curl -X PATCH -H "Content-Type: application/json" -H "Authorization: Basic dXNlcjoxMjM=" -H "Cache-Control: no-cache" -d '{
"firstname":"spring",
"lastname":"buggy"
}' "http://localhost:8080/testrecords/1"
```
```
MyPermissionEvaluator hasPermission_1() called: targetDomainObject=my.test.TestRecord
onBeforeSave id: 1 Firstname:spring Lastname: buggy ID:my.test.TestRecord@a17f455
MyPermissionEvaluator hasPermission_1() called: targetDomainObject=(targetDomainObject=null)
onAfterSave id: 1 Firstname:spring Lastname: buggy ID:my.test.TestRecord@a17f455
```
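An added example, not code from this repository: a `PermissionEvaluator` that fails closed when it is invoked with a null target, which is the case in the log output above, where `save` goes on to `onAfterCreate`/`onAfterSave` after the null call. The class name `FailClosedPermissionEvaluator` and the `<Type>_<PERMISSION>` authority naming are assumptions made for illustration.

```java
import java.io.Serializable;
import java.util.Arrays;
import java.util.Set;
import java.util.stream.Collectors;

import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;

// Hypothetical class; not the repository's MyPermissionEvaluator.
public class FailClosedPermissionEvaluator implements PermissionEvaluator {

    @Override
    public boolean hasPermission(Authentication auth, Object targetDomainObject, Object permission) {
        // The case logged above: the evaluator is invoked with a null target.
        // Deny instead of authorizing an object that was never seen.
        if (auth == null || !auth.isAuthenticated() || targetDomainObject == null || permission == null) {
            return false;
        }
        String type = targetDomainObject.getClass().getSimpleName();
        return holdsAny(auth, type, permission.toString());
    }

    @Override
    public boolean hasPermission(Authentication auth, Serializable targetId, String targetType, Object permission) {
        if (auth == null || !auth.isAuthenticated() || targetId == null || targetType == null || permission == null) {
            return false;
        }
        return holdsAny(auth, targetType, permission.toString());
    }

    // Assumed authority scheme: "<Type>_<PERMISSION>", e.g. "TestRecord_UPDATE".
    // The permission argument may be a comma list such as 'CREATE,UPDATE'.
    private boolean holdsAny(Authentication auth, String type, String permissions) {
        Set<String> granted = auth.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority)
                .collect(Collectors.toSet());
        return Arrays.stream(permissions.split(","))
                .map(String::trim)
                .anyMatch(p -> granted.contains(type + "_" + p));
    }
}
```

With an evaluator like this, a null target on `save` surfaces as an access-denied response rather than as a write that was authorized without the object being inspected.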
----------
Note: the only way this works is if you have *no intermediary repository interfaces* between `PagingAndSortingRepository` and your end repository interface. Having to do that sort of defeats the purpose of being able to extend our own intermediary interfaces after `PagingAndSortingRepository`.

A repository declared directly like this works as expected:
```
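import org.springframework.data.repository.PagingAndSortingRepository;
import org.springframework.data.rest.core.annotation.RepositoryRestResource;
import org.springframework.security.access.method.P;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PreAuthorize;

// Extends PagingAndSortingRepository directly, with no intermediary interface.
@RepositoryRestResource(collectionResourceRel = "testrecords", path = "testrecords")
public interface TestRecordRepository extends PagingAndSortingRepository<TestRecord, Integer> {

    @Override
    @PostAuthorize("hasPermission(returnObject, 'READ')")
    TestRecord findOne(Integer id);

    @Override
    @PreAuthorize("hasPermission(#c,'CREATE,UPDATE')")
    TestRecord save(@P("c") TestRecord data);
}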
```