I’m trying to use SecurityProvider (Database type) and SecurityRestrict in order to restrict ServerConnect action.
My DB is following
users (id, email, password) - list of users
accounts (id, title) - list of companies.
account_users (id, account_id, user_id, access) - this is user to company memberships and his role in the company. access is enum with 4 different roles (READ_ONLY, READ_WRITE, ADMIN or OWNER)
In other words, one user can belong to many companies. in every company he can play different role, and has different access - READ_ONLY, READ_WRITE, ADMIN or OWNER.
I’m trying to set up Security provider, please see screenshot. Questions:
- Under every role there is a possibility to have a list of conditions. Are they grouped as AND or OR?
- I want to put a variable in one of the conditions from DB query result.
I want to implement the following flow: user put’s his credentials on the login page, we fetch his list of accounts and take first one, then check his permission against this account and redirect to the page /accounts/{{account_id}}.
If he manually puts url with /accounts/{{account_id}} where he puts others account number he is redirected to his accounts page (I know this part is done on client side, but server side also should be protected).
Last updated: