I created a REST API in Spring Boot that maintains four models: blog posts, comments on posts, user profiles, and roles. Currently a blog post can only be deleted by an admin, not by the user who created it. I want to add the ability for a post to be deleted by its creator, which requires being logged in first. How do I implement this?
Here is my User model:
@Setter
@Getter
@NoArgsConstructor
@AllArgsConstructor
@Entity
@Table(name = "users")
public class User {
    @Id
    @GeneratedValue(strategy = GenerationType.IDENTITY)
    private Long id;

    @Column(nullable = false, unique = true)
    private String email;

    private String name;

    @Column(nullable = false, unique = true)
    private String username;

    @Column(nullable = false)
    private String password;

    @ManyToMany(fetch = FetchType.EAGER, cascade = CascadeType.ALL)
    @JoinTable(name = "users_roles",
        joinColumns = @JoinColumn(name = "user_id", referencedColumnName = "id"),
        inverseJoinColumns = @JoinColumn(name = "role_id", referencedColumnName = "id")
    )
    private Set<Role> roles;
}
Here is my Post model:
@Data
@AllArgsConstructor
@NoArgsConstructor
@Entity
@Table(
    name = "Posts", uniqueConstraints = {@UniqueConstraint(columnNames = {"title"})}
)
public class Post {
    @Id
    @GeneratedValue(
        strategy = GenerationType.IDENTITY
    )
    private Long id;

    @Column(name = "Title", nullable = false)
    private String title;

    @Column(name = "Description", nullable = false)
    private String description;

    @Column(name = "Content", nullable = false)
    private String content;

    @OneToMany(mappedBy = "post", cascade = CascadeType.ALL, orphanRemoval = true)
    Set<Comment> comments = new HashSet<>();
}
Here is my delete-post endpoint:
@PreAuthorize("hasRole('ADMIN')")
@DeleteMapping("/{id}")
public ResponseEntity<String> deletePostById(@PathVariable Long id) {
    postService.deletePostById(id);
    return new ResponseEntity<>("Post Deleted Successfully", HttpStatus.OK);
}
Edit: In the end I was able to set it up with this:
private User getUser() {
    SecurityContext context = SecurityContextHolder.getContext();
    Authentication auth = context.getAuthentication();
    return userRepository.findUserByEmail(auth.getName()).orElse(null);
}
1 answer
First, you need to store who created the post if the author should be able to change/delete it.
Then you can use @PreAuthorize("hasRole('ADMIN') || hasRole('USER')"), if your user role is named USER, and inside the method simply check whether the caller is an admin or whether the post was published by the logged-in user. You can retrieve the authentication information via
SecurityContextHolder.getContext().getAuthentication()
In the answer above you also suggest comparing the user's id with the id of the user who published the post. If you really need/want to implement it that way, you can even create your own bean for it. See https://medium.com/@islamboulila/how-to-create-a-custom-security-expression-method-in-spring-security-e5b6353f062f if you need an explanation.
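The three steps in the answer (store the author, check ownership, let admins bypass the check) put together, as an added example that is not the asker's or the answerer's code. It assumes Spring Boot 3 (jakarta.persistence, Spring Security 6 with @EnableMethodSecurity) and the asker's User entity with its getEmail(); the author field, PostRepository, the postSecurity bean and its isAuthor method are hypothetical names chosen here. Instead of checking inside the handler body, the ownership test lives in a bean that @PreAuthorize calls by name, so a denial is decided before the handler runs.

```java
// Added example (not the asker's or answerer's code). Assumes Spring Boot 3,
// the asker's User entity (with getEmail()), and that the principal name is
// the e-mail, as the asker's getUser() already assumes. The author field,
// PostRepository, PostSecurity and isAuthor are hypothetical names.
import java.util.Objects;

import jakarta.persistence.Entity;
import jakarta.persistence.FetchType;
import jakarta.persistence.GeneratedValue;
import jakarta.persistence.GenerationType;
import jakarta.persistence.Id;
import jakarta.persistence.JoinColumn;
import jakarta.persistence.ManyToOne;
import jakarta.persistence.Table;

import org.springframework.context.annotation.Configuration;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Component;
import org.springframework.transaction.annotation.Transactional;
import org.springframework.web.bind.annotation.DeleteMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

// Turns on @PreAuthorize evaluation (Spring Security 6 enables pre/post annotations by default here).
@Configuration
@EnableMethodSecurity
class MethodSecurityConfig {}

// Step 1: record who created the post. Only the new field is shown; the
// title/description/content/comments columns stay as in the question.
@Entity
@Table(name = "Posts")
class Post {
    @Id
    @GeneratedValue(strategy = GenerationType.IDENTITY)
    private Long id;

    // Hypothetical author column, set from the authenticated user when the post is created.
    @ManyToOne(fetch = FetchType.LAZY, optional = false)
    @JoinColumn(name = "author_id", nullable = false)
    private User author;

    public Long getId() { return id; }
    public User getAuthor() { return author; }
    public void setAuthor(User author) { this.author = author; }
}

interface PostRepository extends JpaRepository<Post, Long> {}

// Step 2: the ownership check, exposed as a bean so @PreAuthorize can call it by name.
@Component("postSecurity")
class PostSecurity {
    private final PostRepository posts;

    PostSecurity(PostRepository posts) { this.posts = posts; }

    // True only if the post exists and its author's e-mail equals the principal name.
    // Anonymous callers, unknown posts and posts of other users all yield false (fail closed).
    // readOnly transaction so the LAZY author can be loaded safely.
    @Transactional(readOnly = true)
    public boolean isAuthor(Long postId, Authentication auth) {
        if (auth == null || !auth.isAuthenticated()) {
            return false;
        }
        return posts.findById(postId)
                .map(Post::getAuthor)
                .map(User::getEmail)
                .map(email -> Objects.equals(email, auth.getName()))
                .orElse(false);
    }
}

// Step 3: ADMIN may delete any post; USER only a post they authored.
// The expression is evaluated before the body runs, so a failed check becomes
// 403 (AccessDeniedException) and the delete never touches the database.
@RestController
@RequestMapping("/api/posts")
class PostDeleteController {
    private final PostRepository posts;

    PostDeleteController(PostRepository posts) { this.posts = posts; }

    @PreAuthorize("hasRole('ADMIN') or (hasRole('USER') and @postSecurity.isAuthor(#id, authentication))")
    @DeleteMapping("/{id}")
    public ResponseEntity<String> deletePostById(@PathVariable Long id) {
        // The admin path can still reach a missing id, so answer 404 instead of a silent no-op.
        return posts.findById(id)
                .map(post -> {
                    posts.delete(post);
                    return ResponseEntity.ok("Post Deleted Successfully");
                })
                .orElseGet(() -> ResponseEntity.status(HttpStatus.NOT_FOUND).body("Post not found"));
    }
}
```

The `#id` reference in the expression resolves the handler's parameter by name, which requires the class to be compiled with parameter names available (the Spring Boot Maven and Gradle plugins pass `-parameters` by default); if they are not, annotate the parameter with `@P("id")`. Keeping the decision in `@PreAuthorize` rather than in the handler body means the same `isAuthor` bean can guard the update endpoint too, and the check cannot be skipped by a later refactor of the service method.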