Location Based access control method should add the restrictions to these following methods from the UserService class which are directly getting the User object from the DAO.
It can restrict by the locations while directly accessing the users for some other use cases.
Apart from this, It should have a method to restrict person object of the users since we haven't assigned the person attribute for those persons belongs to the users.
Need to add an AOP Advise for those methods to restrict by the locations.
If the person doesn't have the location person attribute, then get the list of the users who belong to that person, and check for the location access among them.