Adding security to the CRUD module

The CRUD module is the base of any rapid prototyping module. It helps you to administer data in the backend, while still being quick to create a frontend that closely resembles your prototype. For example, when creating an online shop, your first task is to create a nice looking frontend. Still, it would be useful if you could change some things, such as product name, description, or ID, in the backend. This is where CRUD helps. However, there is no security inside the CRUD module, so anyone can add or delete data. This is where the secure module can help.

You can find the source code of this example in the chapter3/crud-secure directory.

Getting ready

You should already have added controllers for CRUD editing, as well as an infrastructure for authentication or at least something similar to a user entity. If you do not know about this part, you can read about it at http://www.playframework.org/documentation/1.2/crud.

How to do it...

You should have your own security implementation, something like this:

package controllers;

import models.User;
import play.libs.Crypto;

public class Security extends Secure.Security {

    // Called by the secure module on login: only the salted/hashed password is compared.
    static boolean authenticate(String username, String password) {
        User user = User.find("byUserAndPassword", username, Crypto.passwordHash(password)).first();
        return user != null;
    }

    // Called for every @Check("profile") annotation; connected() is the logged-in username.
    static boolean check(String profile) {
        if ("admin".equals(profile)) {
          User user = User.find("byUser", connected()).first();
          if (user != null) {
            return user.isAdmin;
          }
        } else if ("user".equals(profile)) {
          return connected().equals("user");
        }
        return false;
    }
}

Adding users via CRUD should only be done by the admin:

package controllers;

import play.mvc.With;

@Check("admin")
@With(Secure.class)
public class Users extends CRUD {
}

However, creating Merchants should never be allowed for the admin, but only for an authorized user. Deleting Merchants, however, should again be an admin-only task (on live systems most data will not be deleted anyway):

package controllers;

import play.mvc.With;

@With(Secure.class)
public class Merchants extends CRUD {

    // Redefine the static CRUD action with its own check, then delegate to CRUD.
    @Check("admin")
    public static void delete(String id) {
        CRUD.delete(id);
    }

    @Check("user")
    public static void create() throws Exception {
        CRUD.create();
    }
}

How it works...

As you can see, you can easily secure complete controllers so that they are only accessible to logged-in users. Furthermore, you can restrict individual controller methods to certain users. As these methods are static, you cannot call super() in them; instead you have to redefine the parent controller's static methods and call the methods of the CRUD controller manually.
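Because a method-level @Check only guards the actions you redefine, any inherited CRUD action that is not redefined stays reachable to every logged-in user. The following controller, an added example rather than the recipe's own code, applies the recipe's rule to all data-changing CRUD actions of Play 1.2 (blank, create, save, delete), assuming the Security class and User entity shown above:

```java
package controllers;

import play.mvc.With;

// Added example: every action that modifies Merchants is redefined with a check,
// so that no inherited mutating action is left behind the login check alone.
@With(Secure.class)
public class Merchants extends CRUD {

    // Showing the empty form and persisting a new Merchant: regular users only.
    @Check("user")
    public static void blank() throws Exception {
        CRUD.blank();
    }

    @Check("user")
    public static void create() throws Exception {
        CRUD.create();
    }

    // Editing an existing Merchant is also a task for regular users, not the admin.
    @Check("user")
    public static void save(String id) throws Exception {
        CRUD.save(id);
    }

    // Deleting stays an admin-only task, as in the recipe.
    @Check("admin")
    public static void delete(String id) {
        CRUD.delete(id);
    }
}
```

The read-only actions (list, show) are intentionally not redefined, so they remain available to any logged-in user.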

There's more...

CRUD should never be a big topic in your finished business application because your business logic will be far more complex than adding or removing entities. However, it can be a base for certain tasks. This is where more advanced aspects come in handy.

Changing the design of the CRUD user interface

You can use the play crud:ov --template Foo/bar command line call to copy the template HTML code to Foo/bar.html, so that you can edit it and adapt it to your corporate design.

Checking out the scaffold module

There is also the scaffold module you can take a look at. It generates controllers and templates by inferring the information of your model classes when you run play scaffold:gen on the command line. It currently works for JPA and Siena.
