GGCE-SEC: Link between entities and SecurityActions
While we support the SOAP interface, we should include GGCE security checks on direct interactions with tables in DataviewServiceImpl
in persistEntity()
and deleteEntity()
. Or alternatively, we check permissions in an aspect?
- If the record
.isNew()
inpersistEntity()
, the CREATE permission needs to be checked, otherwise WRITE. - In
deleteEntity()
we check for DELETE permission.
For this to work, we need to link entity classes to SecurityAction
.
Since permissions are site-based, we somehow need to extract site.id
before permission checks. This could be done with an interface.
If we use an interface, then we can add both: Site getSite()
(or Site aclSite()
) and SecurityAction requiredSecurityAction()
.
Any thoughts?