通过jhipster中的ID限制URL访问控制 [英] Restrict URL access control by id in jhipster

问题描述

我有一个问题，每个用户都可以从URL检索其他用户的数据.

I have a problem that each user can retrieve other users data from URL.

例如，我有一个像这样的rest api:

For instance, I have a rest api like this:

@GetMapping("/getFindByPersonId/{perId}")
@Timed
public List<ComboVahedAmoozeshi> getFindBySkhsIdCombo(@PathVariable Long perId){
    return comboVahedAmoozeshiRepository.getFindBySkhsIdCombo(perId);
}

授权后，每个用户都可以更改id并获取其他用户的数据，如下图所示:

After authorization, each user can change id and get other users data like the image below:

是否有建议限制每个用户无权调用该方法?还是Jhipster有使用UUId隐藏ID的任何选项?

Is there any suggestion to restrict each user to don`t have access to call the method? Or Jhipster have any options to use UUId to hide id?

推荐答案

感谢@atomferede提供的正确答案.我必须在其他实体中添加jhi_user_id并使用@postfilter注释来限制用户对数据的访问. 虽然，在jhipster generator中具有此选项可能会是一个好主意，以提高安全级别和更快的实现.

Thanks from @atomferede for the right answer. I have to add jhi_user_id in other entities and used @postfilter annotation to limit user's access to data. Although, maybe it`s a good idea to have this option in jhipster generator to enhance the security level and faster implementation.

这篇关于通过jhipster中的ID限制URL访问控制的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！