This is a typical example:
There is an admin user A and a regular user B.
A can see and change x, y, z.
B can see x, y (not z) and change x (not y, z) only when z has a certain value.
    public class U {
        private Long id;
        private String x;
        private String y;
        private String z;
        // ... getters and setters
    }
The question is how to implement this with Spring Data Rest as a whole. ResourceProcessor only seems to be applicable for links, and Validator does not see if the user has changed the field ...
I implemented attribute-based access control, so I can easily create and save roles, permissions, and policies (using SpEL) that determine who can see and change a specific field in the database.
Update 1
I added Jackson BeanSerializerModifier to filter attributes, but there is a problem that I do not know the value of the original (database) z and cannot check if B has permission to change x.
Update 2
I added a special Jackson Std(De)serializer, but now I cannot use it dynamically for each entity, because I had to write a full (de)serializer for each entity.
Update 3
After two weeks and many unsuccessful attempts to solve this problem, I will try to integrate the filters into SDR.
Update 4
While I was adding a filter for PUT and PATCH requests, I added that https://jira.spring.io/browse/DATAREST-373 and https://jira.spring.io/browse/DATAREST-428 are the best solution. Now I am going to find solutions for them.
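
The rule from the question, as an added example that is not part of the original post and does not use any Spring Data REST API: write permission is decided against the stored (database) value of z, which is the value the serializer approach in Update 1 could not see. The class, the policy table, and the value "open" are hypothetical, and the predicates stand in for SpEL policies.

```java
import java.util.*;
import java.util.function.Predicate;

public class FieldPolicyDemo { // requires Java 16+ (records)
    // Hypothetical policy: readable fields per role, plus a per-field write
    // condition evaluated against the STORED entity, never the request body.
    record Policy(Set<String> readable, Map<String, Predicate<Map<String, Object>>> writable) {}

    static final Map<String, Policy> POLICIES = Map.of(
        "ADMIN", new Policy(Set.of("x", "y", "z"),
            Map.of("x", s -> true, "y", s -> true, "z", s -> true)),
        "USER", new Policy(Set.of("x", "y"),
            // "open" is a constructed stand-in for "a certain value" of z
            Map.of("x", s -> "open".equals(s.get("z")))));

    // Returns the fields in the PATCH body that the role may not change.
    static List<String> deniedWrites(String role, Map<String, Object> stored,
                                     Map<String, Object> patch) {
        Policy p = POLICIES.get(role);
        List<String> denied = new ArrayList<>();
        for (var e : patch.entrySet()) {
            String field = e.getKey();
            boolean readable = p != null && p.readable().contains(field);
            // Only readable fields get the "unchanged" shortcut; applying it to
            // hidden fields would make the response depend on the stored value.
            if (readable && Objects.equals(stored.get(field), e.getValue())) continue;
            var rule = p == null ? null : p.writable().get(field);
            if (rule == null || !rule.test(stored)) denied.add(field);
        }
        Collections.sort(denied);
        return denied;
    }

    // Output filter: keep only the fields the role may read.
    static Map<String, Object> view(String role, Map<String, Object> stored) {
        Map<String, Object> out = new TreeMap<>(stored);
        Policy p = POLICIES.get(role);
        out.keySet().retainAll(p == null ? Set.<String>of() : p.readable());
        return out;
    }

    public static void main(String[] args) {
        // Constructed row standing in for the entity loaded from the database.
        Map<String, Object> stored = Map.of("x", "1", "y", "2", "z", "locked");
        System.out.println(view("USER", stored));
        System.out.println(deniedWrites("USER", stored, Map.of("x", "9")));
        System.out.println(deniedWrites("ADMIN", stored, Map.of("x", "9", "z", "open")));
    }
}
```

A PUT or PATCH handler would load the stored entity first, call `deniedWrites`, and reject the request if the list is non-empty before merging the body.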