Checking another User has a permission set

Hi,

I’m using Jmix 2.1.3 and would like to change what is visible in the User list based on the permissions of the current user. I want to restrict Users lower in the chain from being able to see or modify/delete Users with higher permissions.

I’m trying to do this with a specific permission in the User with the higher level authority, and then in another User’s screen, only list the Users without that specific permission. But I can’t work out how to see if another User has a specific permission?

Thanks
Mark

No doubt this is possible, but I do have to warn that it is not quite how the Jmix implementation of Spring Boot works. Spring Boot operates on a more group-based policy listing, making what you’re trying to do fairly difficult. This is primarily why we created domain structure technology in the first place as computers operate on the same principles.

I’ve only ever seen this done really well in a web application when merged with something like LDAP/Active Directory for user management and then assigning group provisioning that the application reads from the AD server.

To do an (if, user A has a permission, nest user B’s permission) would have to be done from the “Security” section and be manually written up, and it would have to have a defined tree structure similar to the AD/DC solution I described.

Hopefully someone else has some better news for you, as there are some great devs on here. But in my experience the answer is wrap it into an AD/DC/LDAP server for authentication and user management or enter a very difficult realm of interdependent functions that eventually stop working on you.

Good Luck,
Oran

Hi Oran,

Thanks for the reply, and I may be misinterpreting it so apologies if so :)

I may have over-complicated my initial explanation, really all I want to do is when logged in as User A, get the system to confirm if User B has permission X. Where permission X might not be part of User A’s permission set, but I don’t need User A to have permission X, just to see if User B has it.

If that makes any sense…

Thanks
Mark

Hi Mark,

That does make more sense. I was interpreting it as a type of GPO type of structure (inheritance inherits the difference lol). I would approach that by making a new bean and then calling that object when needed if you’re doing something on a button basis (click here to validate) kind of thing.

If you’re doing it in the security settings that will either have to have a bound identifier in the database or be done in the configuration file directly. I tried doing it in the UI and had absolutely no luck. Make it simpler on yourself though by setting up the relationship in the UI and then modifying the file for the secondary search so none of the IDs get mixed up with the secondary relationships.

Thank you,
Oran

Hi Mark,

The following beans may help you with solving the task:

  • RoleAssignmentRepository - to find which roles are assigned to a specific user.
  • ResourceRoleRepository - to get a list of policies for a role.

The code that checks if a user has some specific policy may look as follows:

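    import io.jmix.security.model.ResourcePolicyType;
    import io.jmix.security.role.ResourceRoleRepository;
    import io.jmix.security.role.assignment.RoleAssignmentRepository;
    import io.jmix.security.role.assignment.RoleAssignmentRoleType;
    import org.springframework.beans.factory.annotation.Autowired;
    import java.util.Objects;

    @Autowired
    private RoleAssignmentRepository roleAssignmentRepository;

    @Autowired
    private ResourceRoleRepository resourceRoleRepository;

    // True if any resource role assigned to the user contains the given specific policy.
    private boolean userHasSpecificPolicy(User user, String policy) {
        return roleAssignmentRepository.getAssignmentsByUsername(user.getUsername()).stream()
                // Only resource roles carry resource policies; skip row-level role assignments.
                .filter(roleAssignment -> RoleAssignmentRoleType.RESOURCE.equals(roleAssignment.getRoleType()))
                .map(roleAssignment -> resourceRoleRepository.findRoleByCode(roleAssignment.getRoleCode()))
                // An assignment may reference a role code that no longer resolves.
                .filter(Objects::nonNull)
                .flatMap(resourceRole -> resourceRole.getResourcePolicies().stream())
                .filter(resourcePolicy -> ResourcePolicyType.SPECIFIC.equals(resourcePolicy.getType()))
                .anyMatch(resourcePolicy -> policy.equals(resourcePolicy.getResource()));
    }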
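
Applying the check above to the original question (listing only the users who lack a given specific policy), as an added example that is not code from the thread or from Jmix itself. `UserPolicyFilter` and its method names are hypothetical, and treating a `*` resource as matching every specific policy is an assumption.

```java
import io.jmix.security.model.ResourcePolicyType;
import io.jmix.security.model.ResourceRole;
import io.jmix.security.role.ResourceRoleRepository;
import io.jmix.security.role.assignment.RoleAssignmentRepository;
import io.jmix.security.role.assignment.RoleAssignmentRoleType;
import org.springframework.stereotype.Component;

import java.util.Collection;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;

// Added example: UserPolicyFilter and its method names are hypothetical.
@Component
public class UserPolicyFilter {

    private final RoleAssignmentRepository roleAssignmentRepository;
    private final ResourceRoleRepository resourceRoleRepository;

    public UserPolicyFilter(RoleAssignmentRepository roleAssignmentRepository,
                            ResourceRoleRepository resourceRoleRepository) {
        this.roleAssignmentRepository = roleAssignmentRepository;
        this.resourceRoleRepository = resourceRoleRepository;
    }

    // Resolve once which resource roles carry the policy, instead of once per user.
    // Assumption: a "*" resource (as in a full-access role) grants every specific policy.
    private Set<String> roleCodesGranting(String policy) {
        return resourceRoleRepository.getAllRoles().stream()
                .filter(role -> role.getResourcePolicies().stream()
                        .filter(p -> ResourcePolicyType.SPECIFIC.equals(p.getType()))
                        .anyMatch(p -> policy.equals(p.getResource()) || "*".equals(p.getResource())))
                .map(ResourceRole::getCode)
                .collect(Collectors.toSet());
    }

    // Usernames from the input that hold no resource role granting the policy.
    public List<String> usernamesWithout(String policy, Collection<String> usernames) {
        Set<String> granting = roleCodesGranting(policy);
        return usernames.stream()
                .filter(name -> roleAssignmentRepository.getAssignmentsByUsername(name).stream()
                        .filter(a -> RoleAssignmentRoleType.RESOURCE.equals(a.getRoleType()))
                        .noneMatch(a -> granting.contains(a.getRoleCode())))
                .toList();
    }
}
```

Filtering the list this way only hides rows in the view; the modify/delete restriction from the question still has to be enforced where the operation itself is performed.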