1. 为您的实体添加一个安全密钥，创建一个权限表，并将用户与权限与实体类型以及安全密钥与角色相关联.通过这种方式，您可以这样说:Admin_role 可以访问 Student(实体类型)并执行读取(操作权限)和写入(操作)，而 Student_role 可以访问他/她自己的 Student_key 和 Read_permission.您可以通过将地址重构为实体并向其添加安全密钥来修复地址.

1. Add a security key to your entities, create a table for permissions and link user with permission with entitytype and also with security key with role. This way you can say things like: Admin_role can access Student (Entitiy type) and do read (Operation in Permission) and Write (Operation) while Student_role can access Student_key for him-/herself and Read_permission. You can fix the address by refactoring that into an entity and adding a security key to it.

1. 你的第四个可能有一个封闭世界的假设，并说除非你可以为用户的当前角色，将属性名称与字典中的标志(实体+属性)-哈希链接到标志，封闭世界假设默认情况下不允许读取.那么当然你不会获得任何写入权限等.

1. Your number four could have a closed-world assumption and say that unless you can for the current role of the user, link the property-name with a flag in a dictionary (entity+property)-hash to flag, the closed world-assumption being that reads are not allowed by default. Then of course you don't get any writes-permissions etc.

您可以在数据库中定义视图并使用数据库身份验证系统为其分配权限.如果您能够自己编写代码，这可能是最干净的方式，根据我们的角色选择调用哪个视图的方式.(我以前的 RDBMS 老师会喜欢我这么说的 ;)) 这也与 Hibernate 有所不同，并将您的东西更多地与数据库结合起来.我猜，这取决于您的代码需要有多可移动/可移植.

You can define views in your database and assign rights to them using the database authentication system. This is probably the most clean way if you are able to code yourself, the way of selecting which view to call depending on which role we are. (My former RDBMS-teacher would love me for saying this ;)) This also goes away a bit from Hibernate and couples your stuff more to the database. It depends on how movable/portable your code needs to be, I guess.

围绕您的通用 dao (IRepository) 使用一个方面，它根据您的权限重写查询；这当然意味着您在代码中拥有基于权限的安全性.

Use an aspect around your generic dao (IRepository) which rewrites the queries based on your permissions; this implies you have the permission-based security in code of course.

隐藏在 gui 中的编辑按钮实际上只有在您首先将权限移植到代码时才能完成，就像我的第 1 点一样.我建议您看看 Ayendes 博客，他是一个非常熟练的编码员.

The edit-button hiding in the gui can really only be done if you first port the permissions to code, like in my point 1. I suggest you have a look at Ayendes blog for an open-source implementation of this, he's a very skilled coder.