Limiting access to create/edit/delete entities

Now we need to ensure that only admin users can edit entities; normal users should only be able to view the entities they are authorized for. This is best handled at the API level using the Spring Security PreAuthorize annotation. Let's start with the OrderItem entity. Go to src/main/java/com/mycompany/store/web/rest/OrderItemResource.java and add @PreAuthorize("hasAuthority('ROLE_ADMIN')") to the createOrderItem, updateOrderItem, and deleteOrderItem methods:

    @DeleteMapping("/order-items/{id}")
    @PreAuthorize("hasAuthority('ROLE_ADMIN')")
    public ResponseEntity<Void> deleteOrderItem(@PathVariable Long id) {
        ...
    }

We are asking the Spring Security interceptors to allow access to these methods only when the user has ROLE_ADMIN. The PreAuthorize annotation blocks the call before the method body executes. Spring Security also provides PostAuthorize and the more general Secured annotation. More information about these can be found in the Spring Security documentation at https://projects.spring.io/spring-security/.

Compile the backend using ./gradlew compileJava or the IDE. Now go to the order items page and try to create an order item. You will get a POST http://localhost:9000/api/order-items 403 (Forbidden) error from the API call on the web console. Now, let's add the annotation to all the entity Resource class's create, update, and delete methods. You could skip customer and product category entities, as they are entirely forbidden to ROLE_USER already.

Let's also hide the create, edit, and delete buttons from the Angular views using the *jhiHasAnyAuthority="'ROLE_ADMIN'" directive.
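The following resource class is an added example written for this walkthrough, not code generated by JHipster or taken from the book's sample project. It shows the pattern from the two steps above applied to one complete entity resource: read endpoints stay open to any logged-in user, while create, update, and delete carry the PreAuthorize annotation. The Product entity, ProductRepository, and the /api/products paths are assumed to match the generated store application; adjust them to your own entity.

```java
package com.mycompany.store.web.rest;

import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;
import java.util.Optional;

import org.springframework.http.ResponseEntity;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.DeleteMapping;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.PutMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

// Assumed: the JHipster-generated entity and Spring Data repository for Product.
import com.mycompany.store.domain.Product;
import com.mycompany.store.repository.ProductRepository;

@RestController
@RequestMapping("/api")
public class ProductResource {

    private final ProductRepository productRepository;

    public ProductResource(ProductRepository productRepository) {
        this.productRepository = productRepository;
    }

    // Read access is left open to every authenticated user (ROLE_USER included);
    // the URL-level rule for /api/** in SecurityConfiguration already requires login.
    @GetMapping("/products")
    public List<Product> getAllProducts() {
        return productRepository.findAll();
    }

    @GetMapping("/products/{id}")
    public ResponseEntity<Product> getProduct(@PathVariable Long id) {
        Optional<Product> product = productRepository.findById(id);
        return product.map(ResponseEntity::ok)
                      .orElseGet(() -> ResponseEntity.notFound().build());
    }

    // Mutating endpoints: the method-security interceptor evaluates the SpEL expression
    // before the body runs; a caller without ROLE_ADMIN gets AccessDeniedException,
    // which the web layer renders as HTTP 403 (the error seen in the browser console).
    @PostMapping("/products")
    @PreAuthorize("hasAuthority('ROLE_ADMIN')")
    public ResponseEntity<Product> createProduct(@RequestBody Product product) throws URISyntaxException {
        if (product.getId() != null) {
            // A new entity must not carry an id; refuse rather than silently overwrite.
            return ResponseEntity.badRequest().build();
        }
        Product result = productRepository.save(product);
        return ResponseEntity.created(new URI("/api/products/" + result.getId())).body(result);
    }

    @PutMapping("/products")
    @PreAuthorize("hasAuthority('ROLE_ADMIN')")
    public ResponseEntity<Product> updateProduct(@RequestBody Product product) {
        if (product.getId() == null) {
            return ResponseEntity.badRequest().build();
        }
        return ResponseEntity.ok(productRepository.save(product));
    }

    @DeleteMapping("/products/{id}")
    @PreAuthorize("hasAuthority('ROLE_ADMIN')")
    public ResponseEntity<Void> deleteProduct(@PathVariable Long id) {
        productRepository.deleteById(id);
        return ResponseEntity.noContent().build();
    }
}
```

Two points to check when applying this to your own resources. First, the annotation is only enforced when method security is enabled for the application (the generated SecurityConfiguration turns it on with @EnableGlobalMethodSecurity(prePostEnabled = true) in JHipster apps of this generation); without it, @PreAuthorize is silently ignored. Second, the *jhiHasAnyAuthority directive only hides buttons in the Angular views for a nicer user experience; the API-side annotation is the actual access control, since anyone can still send the POST, PUT, or DELETE request directly. A MockMvc test that calls the endpoint with @WithMockUser(authorities = "ROLE_USER") and expects status().isForbidden() is a cheap way to make sure the annotation is present on every mutating method.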
