Hibernate Filter plugin

Tags : security, filter, hibernate, grails2
- security
- filter
- hibernate
- grails2
Latest : 0.3.2
Last Updated: 18 July 2012
Grails version : 1.3 > *

Authors : null
License : Apache License 2.0

5 votes

2% of Grails users

Dependency :

compile ":hibernate-filter:0.3.2"

Documentation Source Issues

Summary

Integrates Hibernate filtering into Grails

Installation

grails install-plugin hibernate-filter

Description

This plugin integrates hibernate filters with Grails.

The plugin now works with 1.3 and 2.0+

This plugin currently does not work with WebFlow. I am working on the issue.

Overview

The plugin allows you to easily define hibernate filters on classes and associations within the domain class. Filters can be disabled/enabled anywhere within the code. Filters can also be designated as a default filter to be automatically applied. This allows smart defaults for security purposes.

This is very useful to enforce security rules outside of the GORM methods. Filters can also be applied to collections so that views don't have to enforce security without the use of DTOs.

Installation

Install the plugin and change one line in the grails-app/conf/DataSource.groovy file:

import org.grails.plugin.hibernate.filter.HibernateFilterDomainConfiguration
dataSource {
   …
   configClass = HibernateFilterDomainConfiguration
}

Usage

Hibernate filters are configured in domain classes (grails-app/domain):

class Member {
    boolean enabled
    boolean visible
    ...    static hasMany = [images: Image]
    static hibernateFilters = {
        enabledFilter(condition:'enabled=1', default:true)
        validFilter(condition:'enabled=1 and visible=1', aliasDomain:'ValidMember')
        enabledFilter(collection:'images', default: true)
        yearParam(condition: ':myParam = year', types: 'string')
    }
}

The first line creates a default filter called 'enabledFilter' which the condition 'enabled=1'
The second line creates a non-default filter called 'validFilter' with an alias domain 'ValidMember'
The third line creates a default filter that uses the same condition as the first one and applies it to the association 'images'

Filters with the same name use the same condition even if not in the same domain class

You need to use Domain.findById() instead of Domain.get() because .get() is not considered a query.

Properties

condition - The filter condition
default - true to enable this filter by default (or a closure returning true or false)
collection - the collection (association) to apply this filter to
aliasDomain - A domain name to use when you want to apply this filter in a single instruction.

Example: ValidMember.findAllByName('user1') - Will find only members matching the validFilter with the name 'user1'

Injected methods

Several methods are injected into grails domain classes

withHibernateFilter - execute the enclosed code with the named filter enabled

Foo.withHibernateFilter('filterName') {
    ..code to execute
}

withHibernateFilters - execute the enclosed code with all default filters enabled

Foo.withHibernateFilters {
    ..code to execute
}

withoutHibernateFilter - execute the enclosed code with the named filter disabled

Foo.withoutHibernateFilter('filterName') {
    ..code to execute
}

withoutHibernateFilters - execute the enclosed code with all default filters disabled

Foo.withoutHibernateFilters {
    ..code to execute
}

enableHibernateFilter - enable a Hibernate filter (returns the Hibernate org.hibernate.Filter instance)

Foo.enableHibernateFilter('filterName')def filter = Foo.enableHibernateFilter('filterWithArgs')
filter.setParameter('argName', 42)

disableHibernateFilter - disable a hibernate filter

Foo.disableHibernateFilter('filterName')

Usage for filter with parameter

Book.enableHibernateFilter('yearParam').setParameter('myParam', '2008')

Enables the 'yearParam' filter and sets the parameter to '2008'.

Examples

Given the above domain configuration

Data

Member (name:'user1', enabled:true)

Image (name:'image1', enabled:false)
Image (name:'image2', enabled:true)
Image (name:'image3', enabled:true)

Member (name:'user2', enabled:false)
Member (name:'user3', enabled:true, visible:true)

Controller

class MemberController {    def sessionFactory
    def index = {
        Member.withoutHibernateFilter('enabledFilter') {
            println Member.list() // returns all members
        }
        // renders a view with members and images where enabled=true
        [members: Member.list()]
    }
}

View

<body>
    <g:each in="${members}" var="member">
        member: ${member.name} (enabled:${member.enabled})<br/>
        <g:each in="${member.images}" var="image">
            image: ${image.name} (enabled:${image.enabled})<br/>
        </g:each>
        <br/>
    </g:each>
</body>

OUTPUT

member: user1 (enabled:true)
image: image2 (enabled:true)
image: image3 (enabled:true)member: user3 (enabled:true)

feedback is always welcome - scott (at) bulldoginfo (dot) com

Version History

0.1 (Nov 1, 2009) - Initial release
0.1.1 (Nov 2, 2009) - Added support for aliasDomain names
0.1.2 (Nov 3, 2009) - Fixed NPE when domain classes are in a package
0.1.6 (nov 17, 2009) - Removed hibernate dependency that was causing problems. Moved injected methods to be static domain methods.
0.1.7 (Dec 7, 2009) - Fixed bug when using domains in packages
0.2 (Jun 6, 2010) - Added ability to have named parameters in filter (Thanks to Jean-Guy)
0.3 (Feb 29, 2012) - Better support for named parameters (GPHIBERNATEFILTER-1) and support for Grails 2.0+
0.3.1 (Mar 1, 2012) - Bug fix for collections and subclassing (GPHIBERNATEFILTER-2)
0.3.2 (July 18, 2012) - Bug fix for onChange events