Is it possible supress authorization rules in CSLA 4?
I need to write a GET method, this method will be internal and it will be call from another classes with no authorization needed.
Thansks for your suggests.
The question is "How do you know when to do authorization or not?".
I'm sorry Jonny, I didn't explain well.
I have a class, Product. Now I need another class PublicProduct.
I need to get an object (Product) from inside PublicProduct bypassing the authorization rules.
PublicProduct and Product will be in the same assembly. PublicProduct is a class created for non-authenticated users and it will have a few properties created from information got from the Product object.
That's why I need GetObject static method that bypassthe authorization rules.
Different use case = different objects.
No, there is no bypassing the static authorization rules - these are enforced by the DataPortal.
You _may_ create a PublicProduct and the have Product inherit from PublicProduct and add authz rules. However - this creates tight coupling and I would rather seek to have different objects.
You could create separate RuleSets and set the "active" ruleset to one that does not have authorization but it could really complicate the whole application and I have not done this is any of my own projects.
Sorry for writing again but I have a doubt.
Taking into account that " there is no bypassing the static authorization rules - these are enforced by the DataPortal." , I have a question:
In cases where we have a "using reference": Must the identity must have authorization to both objects?
A classic example:
InvoiceEdit uses an InfoCustomerEdit and a has a list of InvoiceDetailEdit.
Operator users can: 1-Edit the InvoiceEdit, 2-Edit the InvoiceDetailEdit list and 3-Get the InfoCustomerEdit
Supervisor users can: 1-Edit the InvoiceEdit, 2-Edit the InvoiceDetailEdit list and 3-EDIT the InfoCustomerEdit
How would you solve it?
I found a way to do what I want:
1- Don't declare an authorization rule for a GetObject action and it will make the class public to anyone
2-Declare two GetObject static methods: One will have no authorization checking and will be INTERNAL and the other one will be PUBLIC but will look like this:
public static MyClass GetMyObjectClass(Guid id)
return DataPortal.Fetch<MyClass>(new MyClassCriteria(id));
throw new Exception("User not authorized");
Copyright (c) Marimer LLC