ppazos / cabolabs-ehrserver

Open platform to manage and share standardized clinical data, designed by @ppazos at CaboLabs Health Informatics.
https://cabolabs.com
Apache License 2.0
177 stars, 110 forks

Check access for each role to each section #1055

Closed ppazos closed 4 years ago

ppazos commented 4 years ago

Since we are not using the RequestMap, we need to be sure EHRServer2 has the correct permissions for each section and each role in the Web Console, and that we don't show sections that are not accessible by the current logged-in user.

ppazos commented 4 years ago

The menu items are filtered, but accessing admin URLs from an accman or an orgman is not checking authorization; we need to add these checks in the auth interceptor and add the URLs to the database per role, as in the Spring Security plugin.

ppazos commented 4 years ago

We are actually using RequestMap, and AuthInterceptor is actually verifying the role:

```groovy
if (!authService.loggedInUserHasAnyRole(rm.configAttribute)) {
    render view: "/noPermissions.gsp"
    return false // all URLs are closed by default!
}
```
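The check quoted above is the interesting part of the thread: a URL that has no RequestMap entry, or whose entry lists none of the caller's roles, is denied. The following plain Groovy script (an added example, not EHRServer code and not a Grails interceptor) models that deny-by-default lookup so it can be run and tested outside the app. The request map contents, the role names, the URL prefixes and the "longest matching pattern wins" rule are all assumptions made for the example; `before()` only mirrors the shape of the interceptor check in the thread.

```groovy
import java.util.regex.Pattern

class RequestMapAuth {

    // Translate an Ant-style URL pattern ('**' = any path, '*' = one segment)
    // into a regex. Simplified: '/admin/**' does not match the bare '/admin'.
    static Pattern antToRegex(String ant) {
        def sb = new StringBuilder('^')
        int i = 0
        while (i < ant.length()) {
            if (ant.startsWith('**', i))  { sb << '.*';    i += 2 }
            else if (ant[i] == '*')       { sb << '[^/]*'; i += 1 }
            else                          { sb << Pattern.quote(ant[i]); i += 1 }
        }
        sb << '$'
        Pattern.compile(sb.toString())
    }

    // Roles allowed for a URI, or null when no entry matches (URL is closed).
    // Assumption: when several patterns match, the longest one is the most specific.
    static List<String> rolesFor(Map<String, List<String>> requestMap, String uri) {
        def matches = requestMap.findAll { pattern, roles -> antToRegex(pattern).matcher(uri).matches() }
        if (!matches) return null
        matches.max { it.key.length() }.value
    }

    // Deny unless the user holds at least one of the roles mapped to the URI.
    static boolean isAuthorized(Map<String, List<String>> requestMap, String uri, Collection<String> userRoles) {
        def allowed = rolesFor(requestMap, uri)
        allowed != null && userRoles.any { it in allowed }
    }

    // Same decision the interceptor in the thread makes: stop and show noPermissions
    // when the role check fails, otherwise let the request proceed.
    static Map before(Map<String, List<String>> requestMap, String uri, Collection<String> userRoles) {
        if (!isAuthorized(requestMap, uri, userRoles)) {
            return [proceed: false, view: '/noPermissions.gsp']
        }
        [proceed: true]
    }
}

// Constructed request map (role names and URL prefixes are assumptions):
// admin section only for admins, accman for account managers, orgman for org managers.
def requestMap = [
    '/admin/**'  : ['ROLE_ADMIN'],
    '/accman/**' : ['ROLE_ADMIN', 'ROLE_ACCOUNT_MANAGER'],
    '/orgman/**' : ['ROLE_ADMIN', 'ROLE_ACCOUNT_MANAGER', 'ROLE_ORG_MANAGER'],
]

// [uri, roles of the logged-in user, expected decision]
def cases = [
    ['/admin/user/list',     ['ROLE_ORG_MANAGER'],     false], // orgman typing an admin URL by hand
    ['/admin/user/list',     ['ROLE_ADMIN'],           true ],
    ['/accman/account/list', ['ROLE_ORG_MANAGER'],     false], // orgman reaching an accman URL
    ['/accman/account/list', ['ROLE_ACCOUNT_MANAGER'], true ],
    ['/orgman/org/show/1',   ['ROLE_ORG_MANAGER'],     true ],
    ['/unmapped/anything',   ['ROLE_ADMIN'],           false], // no RequestMap entry: closed by default
]

cases.each { uri, roles, expected ->
    def result = RequestMapAuth.before(requestMap, uri, roles)
    assert result.proceed == expected
    println "${roles.join(',')} -> ${uri}: ${result.proceed ? 'allowed' : "denied, render ${result.view}"}"
}
```

Run it with `groovy requestmap_auth.groovy`; every case is asserted, so a change to the map or the matching rule that opens a URL shows up as a failed assertion. The point worth keeping from the thread is the last case: an unmapped URL is denied even for an admin, which is what makes forgetting to register a new controller a visible failure rather than a silent hole.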