I have a pretty straightforward scenario. A user may have rights to create objects at the static level but not edit them. However, they do have the rights to edit what they create. This is a typical forum scenario I'm working with. I have admins that can edit everything but I don't want to give users the rights to edit everything. I would like to give them the rights to edit and delete their stuff based on the idea of ownership.
Anyone done this?
What I ended up doing was creating a separate role and granting it create rights. Then I overrode the Save in my business object and checked if the user was only in the new ownership rights role and none of the other roles that might have edit rights. If the user was only in that one role then I verified ownership, and if the user is not the owner I throw a SecurityException. Otherwise I just call Base.Save() and let CSLA compare the static authorizations. I also had to add instance level CanEdit and CanDelete methods so I can show/hide the actions in the GUI.
Still open to hearing other ideas if they are out there.
There are not a lot of other options.
There's a wish list item to add per-instance object authz rules to CSLA. But I haven't really approached that because it usually isn't role based, and it isn't clear that there's a huge value to having CSLA be involved.
In the final analysis, most per-instance rules deal with things like "the user can edit objects they created" or something like that. Things that are not role-based at all, but instead are based on arbitrary state values of the object instance itself.
I actually did something different a few times. I overrode CanWriteProperty. Looked something like this:
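    public override bool CanWriteProperty(string propertyName)
    {
        // Start from the static, role-based authorization result.
        bool returnValue = base.CanWriteProperty(propertyName);
        if (returnValue)
        {
            // Per-instance check: only the creator may write to this object.
            if (ReadProperty(CreatedByID) != MyIdentity.ID)
                returnValue = false;
        }
        return returnValue;
    }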
An advantage of using this in conjunction with PropertyStatus in WPF or Silverlight is that you have automatic disabling of all controls, so that the user cannot even edit the data. This does introduce some extra overhead, but I did not notice it visually from the end user perspective. In addition to that I also would create a public property bool CanUserEditData that would have similar code and bind Save, Cancel buttons enabled state to that property.
Sergey Barskiy
Principal Consultant
From: Chaz4Code [mailto:cslanet@lhotka.net]
Sent: Thursday, August 06, 2009 11:18 PM
To: Sergey Barskiy
Subject: Re: [CSLA .NET] Providing Edit and Delete rights per Instance?
Copyright (c) Marimer LLC
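The ownership rule discussed in this thread, as an added example that is not from any poster and is not CSLA code: a self-contained C# sketch that layers a creator check on top of role checks, exposes it as CanEdit/CanDelete for the UI, and enforces the same decision again in Save. The User and ForumPost types, the Demo class, and the role names Admin, Moderator and Member are hypothetical stand-ins; no CSLA API is used.

```csharp
using System;
using System.Collections.Generic;
using System.Security;

// Hypothetical stand-in for the application's principal/identity.
public sealed class User
{
    public int Id { get; }
    private readonly HashSet<string> _roles;
    public User(int id, params string[] roles) { Id = id; _roles = new HashSet<string>(roles); }
    public bool IsInRole(string role) => _roles.Contains(role);
}

public class ForumPost
{
    // Roles allowed to edit or delete any post. "Member" may create, and edit only its own.
    private static readonly string[] EditAnyRoles = { "Admin", "Moderator" };
    public int CreatedById { get; }
    public string Body { get; private set; }
    public ForumPost(User creator, string body) { CreatedById = creator.Id; Body = body; }

    // Single decision point shared by the UI (show/hide actions) and the write path.
    public bool CanEdit(User user)
    {
        if (user == null) return false;                              // fail closed
        if (Array.Exists(EditAnyRoles, user.IsInRole)) return true;  // static, role-based grant
        return user.IsInRole("Member") && user.Id == CreatedById;    // per-instance ownership
    }
    public bool CanDelete(User user) => CanEdit(user);

    // Hiding or disabling controls is presentation only, so the rule is checked again here.
    public void Save(User user, string newBody)
    {
        if (!CanEdit(user))
            throw new SecurityException("User is not permitted to edit this object.");
        Body = newBody;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample users: two ordinary members and one admin.
        User alice = new User(1, "Member"), bob = new User(2, "Member"), admin = new User(3, "Admin");
        var post = new ForumPost(alice, "first");
        post.Save(alice, "edited by owner");
        post.Save(admin, "edited by admin");
        try { post.Save(bob, "not my post"); }
        catch (SecurityException) { Console.WriteLine("bob denied"); }
        Console.WriteLine($"{post.CanEdit(alice)} {post.CanEdit(bob)} {post.Body}");
    }
}
```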