Access extended User associations from screen controller

Hello community,

I have extended the standard User entity, and my ExtUser entity contains an association with another table in my model. The problem is now: When I use UserSession.getUser() in my screen controllers, this new association is not loaded in the returned detached instance.

I could fetch this association using the DataManager, but in order to do so I would have to grant access to the ExtUser entity. This however looks like a bad idea security-wise to me. As far as I figured out, normal users are not granted access to the standard User entity either.

What is the recommended way to fetch such associations in ExtUser from screen controllers without compromising security?

Thanks in advance for your help,
Manuel

Hi,

UserSession.getUser() isn’t expected to have all association fields loaded. You have to load this association manually.

When you need to invoke some “privileged” action with data on behalf of a user who doesn’t have access permissions for the entity, you can implement this action as a method in the middleware service.

See this page:
https://doc.cuba-platform.com/manual-7.2/data_access_checks.html

E.g. if you use EntityManager to reload ExtUser, then this operation ignores all security constraints.

So:

  • create a middleware service and create a method with a name like “getCurrentExtUser()”
  • call UserSessionSource.getUserSession() in the service to obtain the current user
  • use the Persistence bean and EntityManager to reload the user with the necessary associations
    EntityManager - CUBA Platform. Developer’s Manual
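The three steps from the answer above, written out as an added example that is not part of the original posts. The package names, the service name `app_ExtUserService` and the view name `extUser-with-association` are assumptions; replace them with the project's own.

```java
// global module: ExtUserService.java (hypothetical names)
package com.company.app.service;

import com.company.app.entity.ExtUser;

public interface ExtUserService {
    String NAME = "app_ExtUserService";

    // Deliberately takes no user-id argument: the client tier cannot ask
    // for anyone's record except the one bound to its own session.
    ExtUser getCurrentExtUser();
}

// core module: ExtUserServiceBean.java
package com.company.app.service;

import com.company.app.entity.ExtUser;
import com.haulmont.cuba.core.Persistence;
import com.haulmont.cuba.core.global.UserSessionSource;
import org.springframework.stereotype.Service;

import javax.inject.Inject;
import java.util.UUID;

@Service(ExtUserService.NAME)
public class ExtUserServiceBean implements ExtUserService {

    @Inject
    private Persistence persistence;
    @Inject
    private UserSessionSource userSessionSource;

    @Override
    public ExtUser getCurrentExtUser() {
        // The id comes from the server-side session, never from the caller.
        UUID userId = userSessionSource.getUserSession().getUser().getId();

        // EntityManager does not apply entity access checks, so the user needs
        // no permission on ExtUser. The view (assumed name) limits what is
        // loaded and returned to the attributes the screen actually needs.
        return persistence.callInTransaction(em ->
                em.find(ExtUser.class, userId, "extUser-with-association"));
    }
}
```

In the screen controller, inject `ExtUserService` and call `getCurrentExtUser()` instead of loading the entity through DataManager.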

Hi Alexander,

thanks a lot for your answer. I’ll follow your guide and implement it this way.