2
votes

I have a Grails controller with multiple actions. For now all actions are available for user calls (I can access them from my browser), even the ones that should be called only from within the g:include tag. I want to restrict access to such actions from the browser. I cannot mark an action as protected because in this case I will not be able to include this action in a view for another controller.

Is there any practice how to encapsulate actions in such situations?

1
Well, there are probably many ways of doing it - requestMappings being one of them - grails-plugins.github.io/grails-spring-security-core/docs/… but it'll require the spring security plugin, and that you set up roles. I'm using it and it works well for me, but that doesn't mean it will be your silver bullet. - marko
This is the section you want to look at: 4.1 Defining Secured Annotations - marko
Do you think it's OK to handle visibility scope using security plugin? I hoped that there is something like allowedMethods property. It specifies what methods are allowed for the action. It would be great to have the possibility also to forbid access to action completely from outside, but make it available for internal calls. - Yuriy
If I am not wrong, then you want an action that can only be accessed in a GSP and cannot be called from the browser. Am I right? - MKB
@Yuriy as user1690588 says Taglibs are the way to go then, I misunderstood the question. - marko

1 Answer

2
votes

The way to “protect” actions from being accessible via a URL is to not provide a URL mapping to them. The default url mapping looks something like this…

class UrlMappings {

    static mappings = {
        // default catch-all: exposes every action of every controller
        "/$controller/$action?/$id?(.$format)?"{
            constraints {
                // apply constraints here
            }
        }

        // ...
    }
}

That “/$controller/$action?/$id?(.$format)?” mapping is convenient for simple crud apps and demos well but for any substantial app you should almost always remove that. Without it, only the actions you explicitly expose are accessible.
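A sketch of what the mappings look like once the catch-all is removed, as an added example that is not part of the original answer. The `book` controller, its `index`, `show` and `sidebar` actions and the `/books` paths are hypothetical names chosen for illustration.

```groovy
class UrlMappings {

    static mappings = {
        // No "/$controller/$action?/$id?(.$format)?" entry: nothing is
        // reachable by URL unless it is listed below.

        // Hypothetical public actions, each exposed explicitly.
        "/books"(controller: "book", action: "index")

        "/books/$id" {
            controller = "book"
            action = "show"
            constraints {
                // Numeric ids only, so a path such as /books/sidebar
                // does not fall through to the show action.
                id(matches: /\d+/)
            }
        }

        // The hypothetical BookController.sidebar action has no entry
        // here, so no browser URL is mapped to it.

        "/"(view: "/index")
        "500"(view: "/error")
        "404"(view: "/notFound")
    }
}
```

When auditing an existing application, check every `UrlMappings` class (including those contributed by plugins) for a remaining `$controller/$action` pattern, since a single catch-all re-exposes every action.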