This seems like a fundamental question, but I haven't found a clear answer. I'm using the spring-security-core plugin with Grails, and I have S2Users who have many Portfolios, and Portfolios have many Transactions.
When I go to a scaffolded view to examine Transactions, how do I know that each user is only seeing his own Transactions? Conversely, how can I create a user that can see all Transactions of all users?
It's not clear to me what the default behavior is, and how Grails/Spring-Security knows whether a particular domain class should be visible to everyone versus ones that are only for the associated user.