I am creating an application where users can create games. I am storing in the entity Game who was the user that created the game, I mean, the owner of the game. The entity Game has some relationships ONE_TO_ONE (RuleGame) and ONE_TO_MANY (PublicZone and PrivateZones) to other entities.
What I want is that only the owner of the game and users with ROLE_ADMIN and ROLE_STAFF are able to edit the game and its relationships.
Another way to say this, think like a Social Network, just me and the ADMIN can edit my profile but I cannot edit the profile of other users.
Of course I can create my own logic in a @Service and call it in each "update" method of the controllers of those entities (Game, PublicZone and PrivateZones) to check this, but I am wondering if there is a better way to go.
I was reading about Audit, like Hibernate Envers, but it is for wiki-like software, to log who added/updated/deleted, so it doesn't fit what I need.
I am using Spring 4.1.6, Spring Data JPA 1.8.0, Spring Security 4 and Hibernate 4.3.8.
Every suggestion is welcome!
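
An added example, not part of the original post: one way to centralize the owner-or-ADMIN/STAFF rule in a single bean and enforce it with Spring Security's `@PreAuthorize`, so that child entities such as PublicZone are authorized through their parent Game. `GameStore`, `GameAccess`, `GameEditService` and their methods are hypothetical names, and the sketch assumes the Game records its owner's username and that the code is compiled with debug information so `#gameId` resolves.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.stereotype.Component;
import org.springframework.stereotype.Service;

// Hypothetical persistence facade; in the application these are Spring Data JPA calls.
interface GameStore {
    String ownerOfGame(Long gameId);        // username of the creator, or null if no such game
    Long gameIdOfPublicZone(Long zoneId);   // parent game of the zone, or null if no such zone
    void renameGame(Long gameId, String name);
    void renamePublicZone(Long zoneId, String name);
}

// The single place that decides "may this user edit this game?".
@Component("gameAccess")
class GameAccess {
    private final GameStore store;

    @Autowired
    GameAccess(GameStore store) { this.store = store; }

    public boolean canEditGame(Long gameId, Authentication auth) {
        if (gameId == null || auth == null || !auth.isAuthenticated()) return false;
        for (GrantedAuthority a : auth.getAuthorities()) {
            String role = a.getAuthority();
            if ("ROLE_ADMIN".equals(role) || "ROLE_STAFF".equals(role)) return true;
        }
        String owner = store.ownerOfGame(gameId);   // unknown game: owner is null, access denied
        return owner != null && owner.equals(auth.getName());
    }

    // A zone is authorized through its parent game, never by its own id alone.
    public boolean canEditPublicZone(Long zoneId, Authentication auth) {
        return zoneId != null && canEditGame(store.gameIdOfPublicZone(zoneId), auth);
    }
}

// Requires @EnableGlobalMethodSecurity(prePostEnabled = true) on a configuration class.
@Service
class GameEditService {
    private final GameStore store;

    @Autowired
    GameEditService(GameStore store) { this.store = store; }

    @PreAuthorize("@gameAccess.canEditGame(#gameId, authentication)")
    public void renameGame(Long gameId, String newName) { store.renameGame(gameId, newName); }

    @PreAuthorize("@gameAccess.canEditPublicZone(#zoneId, authentication)")
    public void renamePublicZone(Long zoneId, String newName) { store.renamePublicZone(zoneId, newName); }
}
```

Putting the annotation on the service layer rather than on each controller means every entry point that reaches an update method gets the same check, and a denied call raises `AccessDeniedException` before any entity is loaded for modification.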