ACL and query for domain objects

[jocsch]

Hi all,
currently I'm trying to understand how to use the provided ACL package in acegi.
What would be the best way to filter on domain objects? Think about a query where I want to get a list of all customers who the user is allowed to edit.
That might be 2 out of 500.
If I understand the acegi approach correctly, I wouldn't care about the security in my business logic so I would simply do a

Code:

getAllEditCustomers(User)

which would return all customers in the case acegi wouldn't intercept.
But I can't see how to accomplish that with acegi. I can't load 500 customers and traverse them to see if the user is allowed to edit them.

I think the only efficient way is to mix business and security logic in the DB query so that only the 2 customers are returned.

Mhm, but I'm not sure if I really grasp the concepts behind acegi and ACL. So is there are cleaner way than mixing security and business?

Thanks,
Markus[/code]

[Ben Alex]

You are right in that efficiency reasons will often dictate you must include ACL criteria in your database query. There isn't much we can do about that.

Acegi Security's ACL package is intended to help you when you're reading individual domain objects, restricting invocations of methods on domain objects, and restricting saves/updates/deletes on domain objects. For select queries you'll often want the database to do some filtering for you, particularly if paginating the resultset (so you can indicate an accurate number of hits the user has access to).

[jwt]

see my post here

http://forum.springframework.org/showthread.php?t=12793