Apache shiro 隐含权限 [英] Apache shiro implied permissions

问题描述

如果用户拥有权限 user:edit:1 并且我使用的是注释驱动的 @RequiresPermissions("user:edit") 为什么 shiro 抛出一个例外?他们拥有 user:edit:1 的事实不应该暗示这种许可吗?如果我把 @RequriesPermissions("user:edit:1") 那么它工作正常，但在操作的上下文中，我不知道 1 是什么，以便稍后在方法中检查，但如果他们根本没有 user:edit 权限，我想完全避免进入该方法.

If a user has a permissions user:edit:1 and I'm using the annotation driven @RequiresPermissions("user:edit") why is shiro throwing an exception? Shouldn't that permission be implied by the fact that they have user:edit:1? If I put @RequriesPermissions("user:edit:1") then it works fine but during the context of operation I won't know what 1 is yet so that will be checked later in the method, but I'd like to avoid going into the method at all if they don't have the user:edit permission at all.

推荐答案

"user:edit" 暗示 "user:edit:1" 但反之则不然.您可以继续使用 @RequiresPermissions("user:edit") 然后检查方法中的 "1".您也可以使用通配符@RequiresPermissions("user:edit:*")，这是完全相同的，但我认为它更清晰.

"user:edit" implies "user:edit:1" but not the other way around. You can keep using @RequiresPermissions("user:edit") and then check for the "1" in your method. You can also use a wildcard @RequiresPermissions("user:edit:*"), which is the exactly the same but I think it's clearer.

这篇关于Apache shiro 隐含权限的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！