Question
I have a problem: each user can retrieve other users' data from the URL.
For instance, I have a REST API like this:
    @GetMapping("/getFindByPersonId/{perId}")
    @Timed
    public List<ComboVahedAmoozeshi> getFindBySkhsIdCombo(@PathVariable Long perId) {
        return comboVahedAmoozeshiRepository.getFindBySkhsIdCombo(perId);
    }
After authorization, each user can change the id and get other users' data, like the image below:
Is there any suggestion to restrict each user so that they don't have access to call the method? Or does JHipster have any option to use UUID to hide the id?
Answer 1:
Thanks to @atomferede for the right answer. I had to add jhi_user_id to the other entities and used the @PostFilter annotation to limit users' access to data. Although, maybe it's a good idea to have this option in the JHipster generator to enhance the security level and speed up implementation.
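The approach described in the answer, shown on the endpoint from the question. This is an added example, not code from the original post or from JHipster. It assumes that ComboVahedAmoozeshi exposes the new jhi_user_id column as a `user` relation to the JHipster User entity, that method security (pre/post annotations) is enabled, and that `authentication.name` is the user's login.

```java
// Added example. Hypothetical parts are marked; the entity, repository and
// mapping names are the ones from the question.
// Also needed: imports of the project's ComboVahedAmoozeshi and
// ComboVahedAmoozeshiRepository (their packages are not shown on the page).
import java.util.ArrayList;
import java.util.List;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/api") // assumption: the usual JHipster REST prefix
public class ComboVahedAmoozeshiResource { // hypothetical class name

    private final ComboVahedAmoozeshiRepository comboVahedAmoozeshiRepository;

    public ComboVahedAmoozeshiResource(ComboVahedAmoozeshiRepository repository) {
        this.comboVahedAmoozeshiRepository = repository;
    }

    // perId still comes from the URL and is client-controlled. The filter is
    // evaluated for every element of the returned list and keeps only rows
    // whose owner login equals the authenticated principal's name.
    // "user?.login" is SpEL safe navigation: a row without an owner evaluates
    // to null, fails the comparison and is dropped instead of raising an error.
    @GetMapping("/getFindByPersonId/{perId}")
    @PostFilter("filterObject.user?.login == authentication.name")
    public List<ComboVahedAmoozeshi> getFindBySkhsIdCombo(@PathVariable Long perId) {
        // @PostFilter removes elements from the returned collection in place,
        // so hand it a mutable copy rather than whatever the repository returns.
        return new ArrayList<>(comboVahedAmoozeshiRepository.getFindBySkhsIdCombo(perId));
    }
}
```

With this in place, a request for another person's `perId` returns an empty list rather than that person's rows. The filter runs after the query has loaded the rows, so for large tables restricting the repository query to the current user's login does the same job without fetching other users' data at all.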
Source: https://stackoverflow.com/questions/65107075/restrict-url-access-control-by-id-in-jhipster