
I have the role student in my Spring Security Core setup. The role student can edit its own information. But if a student wants to edit another user's information, that's also possible.

import grails.plugin.springsecurity.annotation.Secured
import org.springframework.security.access.prepost.PreAuthorize

// Controller action: only admins and students may reach it, and the
// intention is that a student may only edit their own record.
@Secured(['ROLE_ADMIN','ROLE_STUDENT'])
@PreAuthorize('isAuthenticated() and principal?.id == #studentInstance.id')
def edit(Student studentInstance) {
    respond studentInstance
}

I used the ACL plugin, but it did not work. You can still edit another student.

Burt Beckwith

1 Answer

You can use @Secured in controllers because the core plugin looks for them and builds the corresponding access rule checks for you, but none of the other Spring Security annotations are supported in controllers.

Instead, annotate a service method and call it from the controller. Spring Security wraps annotated Spring beans (e.g. services) in proxies that perform the checks and only call the bean methods if the checks succeed.

Burt Beckwith
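The refactoring the answer describes, written out as an added example (it is not code from the answer or from the Spring Security Core plugin). It assumes a `Student` domain class with an `id` property, the Grails Spring Security Core plugin (which supplies `@Secured` and a principal exposing `id`), and method security enabled through the ACL plugin the question says is installed; `StudentService`, `update` and the file paths are illustrative names. The expression also lets `ROLE_ADMIN` through, which the original controller annotation would have blocked, so that the admin role listed in `@Secured` actually works:

```groovy
// grails-app/services/demo/StudentService.groovy (illustrative path)
package demo

import org.springframework.security.access.prepost.PreAuthorize

class StudentService {

    // Spring Security wraps this bean in a proxy, evaluates the expression
    // before the method body runs and throws AccessDeniedException when it
    // fails, so a student can never reach save() on someone else's record.
    // `principal` is the authenticated user's UserDetails; the core plugin's
    // GrailsUser exposes the domain id as `id`.
    @PreAuthorize("hasRole('ROLE_ADMIN') or (isAuthenticated() and principal?.id == #student.id)")
    Student update(Student student, Map changes) {
        student.properties = changes
        student.save(failOnError: true)
    }
}

// grails-app/controllers/demo/StudentController.groovy (illustrative path)
package demo

import grails.plugin.springsecurity.annotation.Secured
import org.springframework.security.access.AccessDeniedException

class StudentController {

    StudentService studentService

    // @Secured is honoured here because the core plugin translates it into a
    // URL rule; the ownership check lives in the service, not in the controller.
    @Secured(['ROLE_ADMIN', 'ROLE_STUDENT'])
    def update(Student studentInstance) {
        try {
            studentService.update(studentInstance, params)
            redirect action: 'show', id: studentInstance.id
        } catch (AccessDeniedException ignored) {
            // The proxy rejected the call; the other student's record is untouched.
            render status: 403
        }
    }
}
```

The `#student` reference resolves the method parameter by name, which relies on the parameter names being available at runtime; Groovy compiles classes with debug information by default, so this works in a standard Grails build. A second controller action such as `edit` that only renders the form can delegate to the same service method (or a read-only one carrying the same annotation) so that the check is enforced in one place.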