Feb 20th, 2006, 01:45 PM
ACL taking into account object state
I have a businessManager that has an edit(Order) method.
Now, based on the order state, certain user groups can or cannot edit this object.
- admin can always call edit, unless the object state is closed.
- user can edit unless the order is closed or shipped.
So far it seems that I have to create a custom StateBasedAclProvider and StateBasedAclDao. The provider would get ACLs from the dao based on aclObjectIdentity and state. The dao would return a list of BasicAclEntry for the given aclObjId and state. Then the rest would look similar to Basic Acl authorization.
Does anyone have a better idea how to do it?
Thanks in advance,
Mar 6th, 2006, 07:38 AM
If your needs are simple (and they seem to be), perhaps you can try writing a custom AccessDecisionVoter instead.
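
The decision logic such a voter would carry, as an added example that is not part of the original thread and not the framework's own code. It is a stand-alone model of the grant/abstain/deny contract rather than an implementation of the framework interface; the `Order` and `State` types, the `OPEN` state and the role names `ROLE_ADMIN` and `ROLE_USER` are assumptions.

```java
import java.util.Set;

public class OrderStateVoterExample {
    // Three-outcome voter contract: grant, abstain (not my decision), deny.
    static final int ACCESS_GRANTED = 1, ACCESS_ABSTAIN = 0, ACCESS_DENIED = -1;

    // Hypothetical order states; the thread names only "closed" and "shipped".
    enum State { OPEN, SHIPPED, CLOSED }

    // Hypothetical stand-in for the Order passed to businessManager.edit(Order).
    static final class Order {
        final State state;
        Order(State state) { this.state = state; }
    }

    // Votes on a method call from the caller's roles and the order's current state.
    static int vote(Set<String> roles, String method, Object argument) {
        // Abstain on anything that is not an edit of an Order, so other voters decide.
        if (!"edit".equals(method) || !(argument instanceof Order)) {
            return ACCESS_ABSTAIN;
        }
        State state = ((Order) argument).state;
        // Fail closed: a missing state or a closed order is never editable.
        if (state == null || state == State.CLOSED) {
            return ACCESS_DENIED;
        }
        // Admin may edit any order that is not closed.
        if (roles.contains("ROLE_ADMIN")) {
            return ACCESS_GRANTED;
        }
        // User may edit unless the order is closed or shipped.
        if (roles.contains("ROLE_USER") && state != State.SHIPPED) {
            return ACCESS_GRANTED;
        }
        // Callers with neither role fall through to deny.
        return ACCESS_DENIED;
    }

    public static void main(String[] args) {
        // Constructed cases, one per rule in the question.
        Order open = new Order(State.OPEN), shipped = new Order(State.SHIPPED);
        Order closed = new Order(State.CLOSED);
        System.out.println("admin/shipped: " + vote(Set.of("ROLE_ADMIN"), "edit", shipped));
        System.out.println("admin/closed:  " + vote(Set.of("ROLE_ADMIN"), "edit", closed));
        System.out.println("user/open:     " + vote(Set.of("ROLE_USER"), "edit", open));
        System.out.println("user/shipped:  " + vote(Set.of("ROLE_USER"), "edit", shipped));
        System.out.println("user/view:     " + vote(Set.of("ROLE_USER"), "view", open));
    }
}
```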