Non-generic SetProperty does not check authorization/validation rules

Old forum URL: forums.lhotka.net/forums/t/5871.aspx


chadhinton posted on Monday, November 24, 2008

I'm using cslacs-3.5.1-080803 and have found that calling the non-generic SetProperty in Csla.Core.BusinessBase bypasses authorization and validation rules checking. I checked the latest 3.5.x repository code and the problem is present.

    /// <summary>
    /// Sets a property's managed field with the
    /// supplied value, first checking authorization, and then
    /// calling PropertyHasChanged if the value does change.
    /// </summary>
    /// <param name="propertyInfo">
    /// PropertyInfo object containing property metadata.</param>
    /// <param name="newValue">
    /// The new value for the property.</param>
    /// <remarks>
    /// If the user is not authorized to change the
    /// property a SecurityException is thrown.
    /// </remarks>
    protected void SetProperty(IPropertyInfo propertyInfo, object newValue)
    {
      FieldManager.SetFieldData(propertyInfo, newValue);
    }

This essentially calls straight through to set the field data. The generic SetProperty methods explicitly check CanWriteProperty and implicitly run validation rules through calls to LoadPropertyValue and PropertyHasChanged.

Are the comments on this method a typo? Is this method intended to bypass rules? I obviously can't "easily" use the generic methods. That means reflection would be required... not the end of the world but I'd rather not. I don't mind tracking a local fix (or submitting a patch) if this is a bug and a fix for this will be incorporated into a further release.

Thanks,
Chad


RockfordLhotka replied on Monday, November 24, 2008

This is a bug. I need to look a little deeper to find the exact answer.

Either it should check the rules, or (more likely) this should be named LoadProperty().

The purpose of the non-generic method is purely for data loading, in the case that you don't know the data type and are willing to let CSLA do its type coercion process on your data.

I'll add this to the issue tracker.
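
The two semantics discussed in this thread, as an added example that is not part of the original posts and is not CSLA source: a simplified stand-in base class with a load path that writes the field directly and a set path that checks write authorization and runs rules. `ModelBase`, `Customer`, `DenyWrite`, `ReadField`, `RuleRuns` and the string-keyed signatures are hypothetical; only the method names SetProperty, LoadProperty, CanWriteProperty and PropertyHasChanged are taken from the thread.

```csharp
using System;
using System.Collections.Generic;
using System.Security;

// Simplified stand-in for a business base class; not CSLA source (assumption).
abstract class ModelBase
{
    private readonly Dictionary<string, object> _fields = new Dictionary<string, object>();
    private readonly HashSet<string> _denyWrite = new HashSet<string>();
    public int RuleRuns { get; private set; }

    protected void DenyWrite(string name) { _denyWrite.Add(name); }
    public bool CanWriteProperty(string name) { return !_denyWrite.Contains(name); }
    public object ReadField(string name) { object v; _fields.TryGetValue(name, out v); return v; }

    // Data-loading path: writes the field with no authorization or rule checks.
    protected void LoadProperty(string name, object value) { _fields[name] = value; }

    // Setter path: authorize first, then write, then run rules if the value changed.
    protected void SetProperty(string name, object value)
    {
        if (!CanWriteProperty(name))
            throw new SecurityException("Property set not allowed: " + name);
        if (object.Equals(ReadField(name), value)) return;
        LoadProperty(name, value);
        PropertyHasChanged(name);
    }

    protected virtual void PropertyHasChanged(string name) { RuleRuns++; }
}

class Customer : ModelBase
{
    public Customer() { DenyWrite("CreditLimit"); }             // constructed sample rule
    public void Load(string name, object value) { LoadProperty(name, value); }
    public void Set(string name, object value) { SetProperty(name, value); }
}

static class Program
{
    static void Main()
    {
        var c = new Customer();
        c.Load("CreditLimit", 1000000);   // load semantics: accepted, no rules run
        Console.WriteLine("load: value={0}, rule runs={1}", c.ReadField("CreditLimit"), c.RuleRuns);
        try { c.Set("CreditLimit", 5); }  // set semantics: denied before any write
        catch (SecurityException ex) { Console.WriteLine("set: " + ex.Message); }
        c.Set("Name", "Chad");            // permitted property: written, rules run
        Console.WriteLine("Name={0}, rule runs={1}", c.ReadField("Name"), c.RuleRuns);
    }
}
```

A method that behaves like `Load` but is named and documented like `Set` lets callers skip both checks without realizing it, which is why either adding the checks or renaming the method closes the gap.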

Copyright (c) Marimer LLC