Currently building a Spring boot based REST API application (sample centralised school management system). There are various DB entities which are given CRUD access via the APIs, like Account, School, any sub-entity of school like teacher,student etc.
Suppose we have many APIs like
GET /api/getschooldetails?account_id=1&school_id=1GET /api/getteacherlist?account_id=3&school_id=2GET /api/getstudentdetails?account_id=3&school_id=2&student_id=1Similarly POST with JSON request body
POST /api/addteacherrequest : {"account_id":3,"school_id":2,"teachername":"XYZ"}and POST /api/updatestudentnamerequest : {"account_id":3,"school_id":2,"student_id":4,"name":"ABC"}How to add authorisation at API level for the request params/JSON fields so that those users who have authenticated as school_id=2 should get access error if they try to modify API call /api/getteacherlist?account_id=3&school_id=2 to /api/getteacherlist?account_id=3&school_id=3 and get school_id=3 details.
Thinking of adding @Before AOP point for each Controller class to parse query param/JSON and do DB based userid validation i.e. if the userid logged in (via Spring Security Authentication) has access to the account_id and school_id mentioned in the request as they are part of every request in order to avoid code duplication or adding the same check in every DAO class before performing the actual CRUD operation. Please guide if there is any other way using Spring.
