[Flow] Content security
Peter Beernink
p.beernink at drecomm.nl
Thu Aug 15 08:31:11 CEST 2013
Hi,
I'm currently working on a project which requires users to have access
to certain persisted items.
This entity can be public, meaning all users can access the item, or it
can be private.
When such an item is private, whether or not the user has access to it
depends on whether or not is has an involvement on the item.
For this I've setup an model Involvement which has a manyToOne relation
to the item in question and a manyToOne relation to the account object.
Now I'm struggling with how to setup the security configuration for this.
Checking for the private / public option is not a problem, that I can
resolve with 'this.private = TRUE' and add a GRANT or DENY for it.
However I'm not sure on how to extend it to use the relationships.
I was hoping for something like 'this = involvement.object &&
current.securityContext.account = involvement.account' but that doesn't
seem to work.
I've also tried the fully qualified class name, but when looking in the
compiled constraint this only keeps in the first part of the namespace.
Does anyone have an idea on how to make such a setup work?
Peter
More information about the Flow
mailing list