Bypass object level authorization

Bypass object level authorization

Old forum URL:

Lazaro posted on Thursday, November 17, 2011

Is there a way to ignore (bypass) object level authorization rules in some cases (like BypassPropertyChecks does for setting business properties)?

For instance I want to call DataPortal.Fetch(…) for a read-only collection that has authorization rules for “AuthorizationActions.GetObject”, but in some cases (internal factory method called from Client by consuming Biz Object) I do not want to enforce the authorization rules since the consumer is a business object that has its own way to enforce security.


Thank you,


RockfordLhotka replied on Thursday, November 17, 2011

In CSLA 4 authorization rules are implemented as a class, and you can create your own rules. I would suggest that you are describing a custom rule scenario, where your authz rule should allow the fetch operation based on the knowledge that the object has its own way to enforce security.

JonnyBee replied on Thursday, November 17, 2011


You could also include an interface and a boolean property to say "BypassAuthorization" with your own custom authorization rules.
Then create factory methods that can accept this as a parameter or has a builtin setting of bypass.

Another option is to create new command objects that bypass authorization rules (f.ex for use in business rules) that fetches the same object and acts as a DTO object. The authorization rules are enforced by the data portal on the "root" object on the client side.


Lazaro replied on Friday, November 18, 2011

Hi Jonny,


I understand the second option but I have my doubts on how to implement the first option and I would really appreciate it if you can give me a little more details preferable with some sort of pseudocode.





 Base read only class that contain the interface and the custom authorization rule

public interface ILNRReadOnlyGetAuthorizationRule
  bool BypassAuthorization { get; set; }

Custom object level authorization rule.
private class CanBrowseRule: LNRAuthorizationRuleOr, ILNRReadOnlyGetAuthorizationRule
  /// <summary>
  /// Can the user browse this read only collection
  /// </summary>
  /// <param name="action">Action this rule will enforce.</param>
  /// <param name="roles">List of allowed roles.</param>
  public CanBrowseRule(AuthorizationActions action, params ALRSecurity[] roles) : base(action, roles) { }
  public bool BypassAuthorization { get; set; }
  protected override void Execute(AuthorizationContext context)
    if (BypassAuthorization)
      context.HasPermission = true;  // always allow

One factory method implemented:
• How can I finish the implementation of the BypassAuthorization logic?
• How can I communicate with the custom rule from the static method?

public static LoansReadOnly GetLoansReadOnly(int propertyLifeID)
  return DataPortal.Fetch<LoansReadOnly>(propertyLifeID);


Copyright (c) Marimer LLC