I have an application that has two domain models, Organization and TicketQuestion. An authenticated user wants to create a ticket that has an organization property. To handle that, each user is permitted to use some organizations, like this:
User1 is permitted to use Organization1
User2 is permitted to use Organization2
TicketController.java has a save method that creates the ticket. I have this vulnerability: User1 can invoke the method with a ticket that has Organization2 (which User1 does not have permission to). I am using a Hibernate filter to authorize data in GET methods, but I don't know how I can protect data that the user wants to persist and does not have permission to.
/ticket/save
{
  "id": -1,
  "organization": {
    "id": 2,
    "title": "organization2"   // this organization is not allowed for the caller
  }
}
import javax.persistence.Column;
import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.GenerationType;
import javax.persistence.Id;
import javax.persistence.Table;

@Entity
@Table(name = "core_organization_structure")
public class OrganizationStructure {
    @Id
    @GeneratedValue(strategy = GenerationType.IDENTITY)
    private Long id;

    @Column(name = "title", nullable = false)
    private String title;
}
import javax.persistence.Entity;
import javax.persistence.JoinColumn;
import javax.persistence.ManyToOne;
import javax.persistence.Table;

@Entity
@Table(name = "core_Ticket")
public class Ticket {
    // ..some prop

    // Owning side of the relation: the client-supplied org id is what must be authorized
    @ManyToOne
    @JoinColumn(name = "org_id", nullable = false)
    private OrganizationStructure org;
}
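The defensive pattern that closes this gap, as an added example that is not code from the question or its project: treat the nested organization object in the request as nothing more than an untrusted identifier, load the organization server-side, and check the authenticated caller's permitted organizations before any write. The example assumes a Spring MVC / Spring Security setup, a hypothetical UserOrganizationRepository that returns the organization ids a user may use, hypothetical Spring Data style OrganizationStructureRepository and TicketRepository interfaces, and that Ticket has setOrg and getId accessors (none of these are on the page).

```java
import java.util.Optional;
import java.util.Set;
import javax.persistence.EntityNotFoundException;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.core.Authentication;
import org.springframework.transaction.annotation.Transactional;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;

// Request DTO shaped like the payload in the question. It is deliberately NOT the
// Ticket entity: binding JSON straight onto a managed entity lets the caller set
// any field (title, foreign keys) that the server never intended to accept.
class TicketRequest {
    public Long id;
    public OrganizationRef organization;
}

class OrganizationRef {
    public Long id;
    public String title;   // ignored on purpose; the server owns this value
}

// Hypothetical lookup of the organization ids a user is permitted to use (assumed).
interface UserOrganizationRepository {
    Set<Long> findPermittedOrganizationIds(String username);
}

// Hypothetical repositories in Spring Data style (assumed, not from the question).
interface OrganizationStructureRepository {
    Optional<OrganizationStructure> findById(Long id);
}

interface TicketRepository {
    Ticket save(Ticket ticket);
}

@RestController
public class TicketController {
    private final UserOrganizationRepository userOrgs;
    private final OrganizationStructureRepository orgRepo;
    private final TicketRepository tickets;

    public TicketController(UserOrganizationRepository userOrgs,
                            OrganizationStructureRepository orgRepo,
                            TicketRepository tickets) {
        this.userOrgs = userOrgs;
        this.orgRepo = orgRepo;
        this.tickets = tickets;
    }

    @PostMapping("/ticket/save")
    @Transactional
    public ResponseEntity<Long> save(@RequestBody TicketRequest req, Authentication auth) {
        // 1. Identity comes from the authenticated session/token, never from the body.
        String username = auth.getName();

        // 2. Object-level authorization on the id the client sent, before any database
        //    write. A missing or foreign organization id is rejected the same way, so the
        //    response does not reveal which organization ids exist.
        Long requestedOrgId = (req.organization == null) ? null : req.organization.id;
        if (requestedOrgId == null
                || !userOrgs.findPermittedOrganizationIds(username).contains(requestedOrgId)) {
            throw new AccessDeniedException("organization not permitted for this user");
        }

        // 3. Resolve the managed entity server-side. Whatever title the client sent is
        //    discarded; only the authorized id is used.
        OrganizationStructure org = orgRepo.findById(requestedOrgId)
                .orElseThrow(() -> new EntityNotFoundException("organization " + requestedOrgId));

        Ticket ticket = new Ticket();   // new ticket: the client's id (-1) is ignored
        ticket.setOrg(org);
        Ticket saved = tickets.save(ticket);
        return ResponseEntity.status(HttpStatus.CREATED).body(saved.getId());
    }
}
```

The same membership check belongs on update and delete paths as well, keyed on the ticket's stored org_id rather than on anything in the request; a Hibernate read filter alone does not run on persist, which is why the GET side looked protected while the save path was not.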