I am following this road:

Shiro permissions:
  useraccountdata:write:any - user may edit anybody's data

JSF Backing bean:
  if (subject.isPermitted("useraccountdata:write:any"))
      return all user data found in a list and display in a JSF datatable
      (pseudo code: select * from User)
  else
      return only subject's own data for editing in the datatable
      (pseudo code: select * from User where User.id == subject.getPrincipal().getName())

So depending on whether the subject has the permission to edit 'any', I do a
different database query than when he lacks this permission.

I also disable some UI components when the subject does not have the 'any'
permission since filtering and searching make no sense if only one set of
data is displayed, anyhow.
--
View this message in context:
http://shiro-user.582556.n2.nabble.com/How-would-i-configure-that-a-user-is-only-allowed-to-change-it-s-own-account-data-tp7579208p7579209.html
Sent from the Shiro User mailing list archive at Nabble.com.
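
Added example, not part of the original post or of Shiro itself: the permission-dependent query described above, extended to the write path so the same decision is enforced on the server when a row is saved, independent of the filtered list and disabled UI components. The class name, the in-memory store, and the INI accounts are constructed for illustration; it assumes Shiro 1.x on the classpath and Java 9+.

```java
import java.util.*;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.UnauthorizedException;
import org.apache.shiro.config.Ini;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.subject.Subject;

public class AccountDataService {            // hypothetical class, stands in for the backing bean's service
    static final String WRITE_ANY = "useraccountdata:write:any"; // permission from the post
    // Constructed sample store (user id -> e-mail); a real bean would query the User table.
    private final Map<String, String> emails =
            new HashMap<>(Map.of("alice", "a@example.org", "bob", "b@example.org"));

    /** Rows the subject may edit: all rows with WRITE_ANY, otherwise only the subject's own row. */
    public Map<String, String> editableRows(Subject subject) {
        if (subject.isPermitted(WRITE_ANY)) return new TreeMap<>(emails);
        String self = String.valueOf(subject.getPrincipal());
        return emails.containsKey(self) ? Map.of(self, emails.get(self)) : Map.of();
    }

    /** The write path repeats the decision; a filtered list or disabled widget does not protect it. */
    public void updateEmail(Subject subject, String targetId, String email) {
        boolean own = targetId.equals(String.valueOf(subject.getPrincipal()));
        if (!own && !subject.isPermitted(WRITE_ANY))
            throw new UnauthorizedException("not allowed to edit " + targetId);
        if (emails.replace(targetId, email) == null)
            throw new NoSuchElementException(targetId);
    }

    static Subject login(DefaultSecurityManager sm, String user) {
        Subject s = new Subject.Builder(sm).buildSubject();
        s.login(new UsernamePasswordToken(user, "pw"));
        return s;
    }

    public static void main(String[] args) {
        Ini ini = new Ini(); // constructed accounts: alice holds the 'any' permission, bob does not
        ini.setSectionProperty("users", "alice", "pw, admin");
        ini.setSectionProperty("users", "bob", "pw");
        ini.setSectionProperty("roles", "admin", WRITE_ANY);
        DefaultSecurityManager sm = new DefaultSecurityManager(new IniRealm(ini));
        AccountDataService svc = new AccountDataService();
        Subject alice = login(sm, "alice"), bob = login(sm, "bob");
        System.out.println(svc.editableRows(alice).keySet());   // every row
        System.out.println(svc.editableRows(bob).keySet());     // own row only
        svc.updateEmail(bob, "bob", "new@example.org");         // own row: allowed
        try { svc.updateEmail(bob, "alice", "x@example.org"); } // someone else's row: rejected
        catch (UnauthorizedException e) { System.out.println("denied: " + e.getMessage()); }
    }
}
```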