4 Replies Latest reply on Jul 26, 2009 1:39 AM by Ingo Jobling

    Custom PermissionResolver vs PermissionStore

    Francisco Jose Peredo Noguez Master

      I was going to create a custom implementation of PermissionStore, so I started reading the included JPA-based implementation to use it as a reference... After reading it I realized that the methods of that implementation do not seem to work based on the current user... That is, the listPermissions method of JpaPermissionStore does not seem to return the permissions for the currently logged-in user, but the permissions for all the users in the system!


      Now, let's say a system has 10000 users and half of the users have a particular permission; then JpaPermissionStore.listPermissions would return 5000 objects (one for each user with the permission) and then PersistentPermissionResolver.hasPermission will filter them and return true when (if) it finds that the current user has the permission?


      Here is the code in PersistentPermissionResolver:


      public boolean hasPermission(Object target, String action)
      {
         if (permissionStore == null) return false;

         Identity identity = Identity.instance();

         if (!identity.isLoggedIn()) return false;

         List<Permission> permissions = permissionStore.listPermissions(target, action);

         String username = identity.getPrincipal().getName();

         for (Permission permission : permissions)
         {
            if (permission.getRecipient() instanceof SimplePrincipal &&
                  username.equals(permission.getRecipient().getName()))
            {
               return true;
            }

            if (permission.getRecipient() instanceof Role)
            {
               Role role = (Role) permission.getRecipient();

               if (role.isConditional())
               {
                  RuleBasedPermissionResolver resolver = RuleBasedPermissionResolver.instance();
                  if (resolver.checkConditionalRole(role.getName(), target, action)) return true;
               }
               else if (identity.hasRole(role.getName()))
               {
                  return true;
               }
            }
         }

         return false;
      }
      



      Why waste time and resources fetching the permissions for all the users? Why not go straight for the permissions of the current user?


      Does this mean that if I want to avoid loading permissions of other users I should be creating a custom PermissionResolver instead of a custom PermissionStore?


      Or am I plain understanding it wrong?
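
An added illustration of the trade-off raised in the post above, not code from the post or from Seam: it contrasts loading every grant for a (target, action) pair with a lookup scoped to the caller's own user name and roles. The `Grant` record, the in-memory list and the recipient index are hypothetical stand-ins with constructed data, and conditional (rule-based) roles are left out.

```java
import java.util.*;

// Hypothetical model, not Seam's API: one row per (target, action, recipient) grant.
public class ScopedPermissionCheck {
    record Grant(String target, String action, String recipient, boolean isRole) {}

    // Constructed sample data: 10000 users, every second one holds customer:read.
    static List<Grant> sampleGrants() {
        List<Grant> grants = new ArrayList<>();
        for (int i = 0; i < 10000; i += 2)
            grants.add(new Grant("customer", "read", "user" + i, false));
        grants.add(new Grant("customer", "delete", "admin", true));
        return grants;
    }

    // Pattern described in the post: every grant for (target, action) is loaded first.
    static int rowsLoadedUnscoped(List<Grant> store, String target, String action) {
        int rows = 0;
        for (Grant g : store)
            if (g.target().equals(target) && g.action().equals(action)) rows++;
        return rows;
    }

    // Scoped alternative: index by recipient so only the caller's grants are read.
    static Map<String, List<Grant>> indexByRecipient(List<Grant> store) {
        Map<String, List<Grant>> index = new HashMap<>();
        for (Grant g : store)
            index.computeIfAbsent((g.isRole() ? "role:" : "user:") + g.recipient(),
                                  k -> new ArrayList<>()).add(g);
        return index;
    }

    static boolean hasPermission(Map<String, List<Grant>> index, String user,
                                 Set<String> roles, String target, String action) {
        List<String> keys = new ArrayList<>();
        keys.add("user:" + user);
        for (String r : roles) keys.add("role:" + r);
        for (String key : keys)
            for (Grant g : index.getOrDefault(key, List.of()))
                if (g.target().equals(target) && g.action().equals(action)) return true;
        return false; // deny by default when no grant matches
    }

    public static void main(String[] args) {
        List<Grant> store = sampleGrants();
        Map<String, List<Grant>> index = indexByRecipient(store);
        System.out.println(rowsLoadedUnscoped(store, "customer", "read"));
        System.out.println(hasPermission(index, "user4", Set.of(), "customer", "read"));
        System.out.println(hasPermission(index, "user5", Set.of("admin"), "customer", "delete"));
        System.out.println(hasPermission(index, "user5", Set.of(), "customer", "read"));
    }
}
```

In a database-backed store the recipient index corresponds to adding the recipient to the query's filter, so the rows read per check depend on the caller's own grants rather than on the number of users holding the permission.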