-
1. Re: Feature request: Fine-grained entity security
shane.bryzak Mar 18, 2007 7:52 PM (in response to christian.bauer)
Would it make sense to tie this into Hibernate validation, or is this a silly idea?
-
2. Re: Feature request: Fine-grained entity security
gavin.king Mar 18, 2007 8:32 PM (in response to christian.bauer)
You can definitely write a JPA entitylistener which checks actual field values using equals() during an update operation. (In theory you should really use Type.isDirty() in Hibernate, but that's not portable.)
So you would require that the user annotate entity attributes with @Restrict, and imply a permission like (customer, name) from that. Then the interceptor would look at the fields annotated @Restrict and check the permission when the entity is updated.
The thing which makes me a bit skeptical of this stuff is that there would only be field-level permissions for update operations, not for read, create, delete.
I suppose you could interpret a field-level permission during create as meaning that it gets checked if it is non-null.
But read would be *very* difficult to do.
Shane, I don't see how Hibernate Validator would help.
-
3. Re: Feature request: Fine-grained entity security
gavin.king Mar 18, 2007 8:34 PM (in response to christian.bauer)
Alternatively, the user can write an entitylistener, and call Identity.checkPermission() themselves.
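
Added example, not part of any post in this thread and not Seam's own code: a sketch of the entity listener approach discussed in replies 2 and 3, which snapshots marked fields on load and checks an (entity, field) permission such as (customer, name) only for fields whose value differs at update time. `RestrictedField`, `FieldPermissionCheck` and `FieldUpdateListener` are hypothetical names; the code assumes the JPA `javax.persistence` callbacks and a current Java compiler.

```java
import java.lang.annotation.*;
import java.lang.reflect.Field;
import java.util.*;
import javax.persistence.*;

// Hypothetical field marker; the thread proposes allowing @Restrict here.
@Retention(RetentionPolicy.RUNTIME) @Target(ElementType.FIELD)
@interface RestrictedField {}

// Hypothetical hook: throws if the current user lacks the (entity, field)
// permission. In Seam it would delegate to Identity.checkPermission().
interface FieldPermissionCheck { void check(String entity, String field); }

// Register on an entity with @EntityListeners(FieldUpdateListener.class).
public class FieldUpdateListener {
    // Fails closed until the application installs a real check.
    static volatile FieldPermissionCheck permissions = (e, f) -> {
        throw new SecurityException("no permission check configured");
    };
    // Last persisted values per instance; assumes identity-based equals/hashCode.
    private static final Map<Object, Map<String, Object>> loaded =
        Collections.synchronizedMap(new WeakHashMap<>());

    // Re-snapshot after every write so a later revert is still seen as a change.
    @PostLoad @PostPersist @PostUpdate
    public void snapshot(Object entity) { loaded.put(entity, restricted(entity)); }

    @PreUpdate
    public void checkChangedFields(Object entity) {
        Map<String, Object> before = loaded.get(entity);
        String name = entity.getClass().getSimpleName().toLowerCase();
        for (Map.Entry<String, Object> now : restricted(entity).entrySet()) {
            // No snapshot (e.g. a merged detached copy): treat as changed.
            if (before == null
                    || !Objects.equals(before.get(now.getKey()), now.getValue())) {
                permissions.check(name, now.getKey());
            }
        }
    }

    private static Map<String, Object> restricted(Object entity) {
        Map<String, Object> values = new HashMap<>();
        for (Field f : entity.getClass().getDeclaredFields()) {
            if (!f.isAnnotationPresent(RestrictedField.class)) continue;
            try {
                f.setAccessible(true);
                values.put(f.getName(), f.get(entity));
            } catch (IllegalAccessException ex) {
                throw new IllegalStateException(ex);
            }
        }
        return values;
    }
}
```

As the thread notes, this covers update only; read, create and delete still need checks elsewhere.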
-
4. Re: Feature request: Fine-grained entity security
christian.bauer Mar 19, 2007 7:15 AM (in response to christian.bauer)
I think UPDATE for individual fields is by far the most common case: You can always check CREATE easily in customerHome.persist() and SELECT in customerHome.find(). Nobody is using DELETE anyway :)