
Best practice using hasPermissions with model attributes

Open hopperd opened this issue 8 years ago • 3 comments

Currently it seems that, to properly access model attributes when using the PermissionEvaluator, you have to do it explicitly, like so: sec:authorize="hasPermission(#request.getAttribute('organization'), 'update:contacts')"

I would have thought something like sec:authorize="hasPermission(#organization, 'update:contacts')" would have worked, but it seems to always evaluate to null. Though using the same in pre-authorize annotations (method level) works just fine.

hopperd, Mar 16 '17 21:03

@danielfernandez any suggestion here?

hopperd, Mar 23 '17 12:03

The sec:authorize attribute tries to mimic the behaviour of Spring Security's original JSP tag library, and the way expressions are executed in them. And the expressions executed for Spring Security's tags are not executed on the root context that would be used for the rest of the templates, but in their own, security-specific context. That's why the available objects are not the same…

So basically, Thymeleaf is here just mirroring the behaviour expected for Spring Security users in other environments.

danielfernandez, Mar 23 '17 23:03
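The behaviour discussed above, as an added example that is not part of the original thread and not the project's own code: a simplified model of a security-specific SpEL context, in which an undefined variable such as #organization resolves to null while the request attribute is still reachable. SecurityRoot, FakeRequest and the sample values are hypothetical stand-ins; only the Spring Expression classes are real.

```java
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.StandardEvaluationContext;
import java.util.Map;

public class AuthorizeContextDemo {

    /** Hypothetical stand-in for the security expression root object. */
    public static class SecurityRoot {
        public boolean hasPermission(Object target, Object permission) {
            // Fail closed: a null target must never grant access.
            return target != null && "update:contacts".equals(permission);
        }
    }

    /** Hypothetical stand-in for the servlet request and its attributes. */
    public static class FakeRequest {
        private final Map<String, Object> attributes;
        public FakeRequest(Map<String, Object> attributes) { this.attributes = attributes; }
        public Object getAttribute(String name) { return attributes.get(name); }
    }

    /** Evaluates an authorization expression; anything but TRUE is a denial. */
    static boolean authorize(String expression, StandardEvaluationContext ctx) {
        Boolean result = new SpelExpressionParser()
                .parseExpression(expression)
                .getValue(ctx, Boolean.class);
        return Boolean.TRUE.equals(result);
    }

    public static void main(String[] args) {
        Object organization = "acme"; // constructed sample model attribute

        // Security-specific context: it sees the request, not the template's model variables.
        StandardEvaluationContext securityCtx = new StandardEvaluationContext(new SecurityRoot());
        securityCtx.setVariable("request", new FakeRequest(Map.of("organization", organization)));

        // #organization is undefined here; SpEL resolves an unknown variable to null
        // instead of raising an error, so the evaluator is handed a null target.
        System.out.println(authorize(
                "hasPermission(#organization, 'update:contacts')", securityCtx));

        // The request attribute is reachable, so the evaluator receives the real object.
        System.out.println(authorize(
                "hasPermission(#request.getAttribute('organization'), 'update:contacts')", securityCtx));
    }
}
```

Because the unresolved variable arrives as null without any error, a PermissionEvaluator should treat a null target as a denial, as the stand-in above does.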

@danielfernandez In that case, I have checked that one can use:

sec:authorize="hasPermission('id', 'type', 'ADMINISTRATION')"

but how can I render id dynamically based on some ${obj}?

hasancansaral, May 16 '17 08:05