I’m trying to use SecurityProvider (Database type) and SecurityRestrict in order to restrict a ServerConnect action.
My DB is the following:
users (id, email, password) - list of users
accounts (id, title) - list of companies.
account_users (id, account_id, user_id, access) - this is the user-to-company membership and the user's role in that company. access is an enum with 4 different roles (READ_ONLY, READ_WRITE, ADMIN or OWNER)
In other words, one user can belong to many companies. In every company he can play a different role and have different access - READ_ONLY, READ_WRITE, ADMIN or OWNER.
I’m trying to set up the Security Provider, please see the screenshot. Questions:
- Under every role there is a possibility to have a list of conditions. Are they grouped as AND or OR?
- I want to put a variable in one of the conditions from a DB query result.
I want to implement the following flow: the user enters his credentials on the login page, we fetch his list of accounts and take the first one, then check his permission against this account and redirect to the page /accounts/{{account_id}}.
If he manually enters a URL /accounts/{{account_id}} with another user's account number, he is redirected to his own accounts page (I know this part is done on the client side, but the server side should also be protected).
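The server-side part of the flow described in the post, as an added example in plain JavaScript. It is not code from the original post and not Wappler's own Security Provider / Security Restrict implementation; it shows the logic such a restriction has to enforce against the `account_users` table. The rows, the role ordering (READ_ONLY < READ_WRITE < ADMIN < OWNER) and all helper names are assumptions; the two lookup functions stand in for the parameterised DB queries they name in their comments.

```javascript
// Added example (not from the original post, not Wappler code): server-side
// authorization for /accounts/:account_id driven by account_users.
// Assumed ordering of the access enum, lowest to highest privilege.
const ROLE_RANK = { READ_ONLY: 0, READ_WRITE: 1, ADMIN: 2, OWNER: 3 };

// Constructed sample rows standing in for the real account_users table.
const ACCOUNT_USERS = [
  { id: 1, account_id: 10, user_id: 1, access: 'OWNER' },
  { id: 2, account_id: 11, user_id: 1, access: 'READ_ONLY' },
  { id: 3, account_id: 11, user_id: 2, access: 'ADMIN' },
];

// Stand-in for the parameterised query:
//   SELECT access FROM account_users WHERE account_id = ? AND user_id = ?
function lookupAccess(userId, accountId) {
  const row = ACCOUNT_USERS.find(
    (r) => r.user_id === userId && r.account_id === accountId,
  );
  return row ? row.access : null;
}

// Stand-in for:
//   SELECT account_id FROM account_users WHERE user_id = ? ORDER BY id
function listAccounts(userId) {
  return ACCOUNT_USERS.filter((r) => r.user_id === userId)
    .sort((a, b) => a.id - b.id)
    .map((r) => r.account_id);
}

// Decide whether `userId` may use account `rawAccountId` with at least
// `requiredRole`. `userId` must come from the server-side session (the
// Security Provider identity), never from the request; `rawAccountId` is the
// untrusted path parameter. Anything that is not a positive integer or has no
// membership row is denied: deny by default, no row means no access.
function authorizeAccount(userId, rawAccountId, requiredRole = 'READ_ONLY') {
  if (!(requiredRole in ROLE_RANK)) {
    throw new Error(`unknown role ${requiredRole}`); // misconfiguration, fail closed
  }
  const accountId = Number(rawAccountId);
  if (!Number.isInteger(accountId) || accountId <= 0) {
    return { allow: false, status: 400 };
  }
  const access = lookupAccess(userId, accountId);
  if (access === null) {
    return { allow: false, status: 403 }; // not a member of this company
  }
  if (ROLE_RANK[access] < ROLE_RANK[requiredRole]) {
    return { allow: false, status: 403 }; // member, but role too low
  }
  return { allow: true, status: 200, access };
}

// Post-login flow from the post: take the user's first account, run the same
// check against it, and compute the redirect target.
function loginRedirect(userId) {
  const accounts = listAccounts(userId);
  if (accounts.length === 0) return '/accounts'; // no memberships at all
  const first = accounts[0];
  return authorizeAccount(userId, first).allow ? `/accounts/${first}` : '/accounts';
}

// Request handler for /accounts/:account_id: a user who forges another
// company's id in the URL is sent back to his own accounts page instead of
// being served that company's data.
function handleAccountRequest(userId, rawAccountId) {
  const decision = authorizeAccount(userId, rawAccountId);
  if (decision.allow) {
    return { status: 200, body: `account ${Number(rawAccountId)} as ${decision.access}` };
  }
  return { status: 302, location: '/accounts' };
}
```

The point of the design is that the account id in the URL is only ever used as a lookup key paired with the session's user id; the membership row, not the client, decides the role, and a missing row is treated exactly like an insufficient role.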