Type level authorization rules

Type level authorization rules

Old forum URL: forums.lhotka.net/forums/t/12831.aspx

ajj3085 posted on Wednesday, February 11, 2015

I'm looking through the code for Csla, and it seems the check for things like GetObject are done client side before the call is made to the data portal, which is good in that a remote call won't be made if the user lacks permission.

However it doesn't look like the check is repeated on the server side. I can certainly call BusinessRules.HasPermission at the start of each DataPortal_XYZ method, but it feels like the framework should handle this. 

Is if my current understanding is correct and I need to do the check myself in the DataPortal_XYZ methods?

If that is correct, could we get a feature to do this automatically?

This is Csla 4.5.601.

RockfordLhotka replied on Wednesday, February 11, 2015

You can add a check in a custom data portal authorizer. The authorizer runs before pretty much anything else on the server, and is the location for global checks you might want to perform before allowing a user request to be processed - for example doing a server-side check of HasPermissions.

ajj3085 replied on Thursday, February 12, 2015

Thanks Rocky, I'll go that route. 

Is there a reason that just invoking the configured type level authorization isn't done automatically though?  It seems like that would make sense as a default behavior in Csla, and if you needed something in addition, implementing a customer data portal authorizer should be the answer.

Copyright (c) Marimer LLC