Restrict URL access control by id in jhipster
Problem description
I have a problem that each user can retrieve other users' data from the URL.
For instance, I have a REST API like this:
    @GetMapping("/getFindByPersonId/{perId}")
    @Timed
    public List<ComboVahedAmoozeshi> getFindBySkhsIdCombo(@PathVariable Long perId) {
        return comboVahedAmoozeshiRepository.getFindBySkhsIdCombo(perId);
    }
After authorization, each user can change the id and get other users' data, like the image below:
Is there any suggestion to restrict each user so that they don't have access to call the method? Or does JHipster have any option to use UUID to hide the id?
Recommended answer
Thanks to @atomferede for the right answer. I had to add jhi_user_id to the other entities and use the @PostFilter annotation to limit users' access to data. Although, maybe it's a good idea to have this option in the JHipster generator to enhance the security level and speed up implementation.