Internal GetObject bypassing Authorization rules. Is that possible?

Old forum URL: forums.lhotka.net/forums/t/10015.aspx


correodemarques posted on Wednesday, February 02, 2011

Hello all,

I have one business object (BO1) that needs to load another business object (BO2) to obtain some data. The user may not have the required permission to load BO2, but that doesn't matter because BO1 is not going to expose BO2, it is just going to use BO2's data.

Can I write an internal factory method GetObject that doesn't check Authorization Rules? I read the book, a little while ago, and don't remember if there is a way to do this.

I don't want to create a ReadOnly object to load BO2 data because it's a big amount of data (several properties).

I'm using CSLA 4 for C#.

Thanks for the help.

tiago replied on Wednesday, February 02, 2011

I guess you can use a Command object.

correodemarques replied on Wednesday, February 02, 2011

tiago wrote: "I guess you can use a Command object."

I already have BO2, I don't want to make another object to use BO2 without authorization checking.

How would a Command object be different from making a ReadOnly object that brings the data I need?

tiago replied on Wednesday, February 02, 2011

The previous post was a wrong answer. Depending on your specific use case, I guess a read only object would also solve the problem.

RockfordLhotka replied on Wednesday, February 02, 2011

No, there is no way to bypass the authorization check performed by the data portal. If you have a per-type rule controlling whether the current user can create or get a business object type, that rule will be enforced by the data portal.

ajj3085 replied on Thursday, February 03, 2011

There's no reason not to create a separate object. Just create an internal interface and helper method; the helper method accepts an object of your interface and loads the data. In that way you can reuse the loading logic you have while having the two objects which have your differing behaviors.
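
The pattern described in the reply above, sketched as an added example (not code from the thread or from CSLA itself). `IBo2Data`, `Bo2Loader`, `Bo2Info` and the `Bo2Reader` role are hypothetical names, and the loader's values are constructed in place of a real database read.

```csharp
using System;
using Csla;

// Hypothetical internal contract: only the shared loader uses these setters.
internal interface IBo2Data
{
    void LoadName(string value);
    void LoadLimit(decimal value);
}

// Hypothetical shared loader; constructed values stand in for a database read.
internal static class Bo2Loader
{
    internal static void Load(IBo2Data target, int id)
    {
        target.LoadName("constructed-name-" + id);
        target.LoadLimit(100m * id);
    }
}

[Serializable]
public class BO2 : BusinessBase<BO2>, IBo2Data
{
    public static readonly PropertyInfo<string> NameProperty = RegisterProperty<string>(c => c.Name);
    public string Name { get { return GetProperty(NameProperty); } set { SetProperty(NameProperty, value); } }
    public static readonly PropertyInfo<decimal> LimitProperty = RegisterProperty<decimal>(c => c.Limit);
    public decimal Limit { get { return GetProperty(LimitProperty); } set { SetProperty(LimitProperty, value); } }
    // Per-type rule: the data portal still enforces it on every BO2 fetch.
    public static void AddObjectAuthorizationRules()
    {
        Csla.Rules.BusinessRules.AddRule(typeof(BO2),
            new Csla.Rules.CommonRules.IsInRole(Csla.Rules.AuthorizationActions.GetObject, "Bo2Reader"));
    }
    void IBo2Data.LoadName(string value) { LoadProperty(NameProperty, value); }
    void IBo2Data.LoadLimit(decimal value) { LoadProperty(LimitProperty, value); }
    private void DataPortal_Fetch(int id) { Bo2Loader.Load(this, id); }
}

// Separate internal type with no per-type rule; BO1 fetches it and never exposes it.
[Serializable]
internal class Bo2Info : ReadOnlyBase<Bo2Info>, IBo2Data
{
    public static readonly PropertyInfo<string> NameProperty = RegisterProperty<string>(c => c.Name);
    public string Name { get { return GetProperty(NameProperty); } }
    public static readonly PropertyInfo<decimal> LimitProperty = RegisterProperty<decimal>(c => c.Limit);
    public decimal Limit { get { return GetProperty(LimitProperty); } }
    void IBo2Data.LoadName(string value) { LoadProperty(NameProperty, value); }
    void IBo2Data.LoadLimit(decimal value) { LoadProperty(LimitProperty, value); }
    private void DataPortal_Fetch(int id) { Bo2Loader.Load(this, id); }
    internal static Bo2Info Get(int id) { return DataPortal.Fetch<Bo2Info>(id); }
}
```

BO2's per-type rule is untouched, so a direct `DataPortal.Fetch<BO2>` is still checked. `Bo2Info` has no rule of its own, so the data it carries is only as protected as the BO1 code path that fetches it.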

geordiepaul replied on Friday, March 11, 2011

I've also been searching to see if this problem can be overcome. Some way of overriding authorisation for internal methods would be really useful and promote using existing objects rather than rewriting an existing object to achieve something very simple.

There is similar logic for bypassing property checks, why not authorisation on the dataportal?

Copyright (c) Marimer LLC