Is there a way to ignore (bypass) object level authorization rules in some cases (like BypassPropertyChecks does for setting business properties)?
For instance, I want to call DataPortal.Fetch(…) for a read-only collection that has authorization rules for “AuthorizationActions.GetObject”, but in some cases (an internal factory method called from the client by a consuming business object) I do not want to enforce the authorization rules, since the consumer is a business object that has its own way to enforce security.
Thank you,
Lazaro
In CSLA 4 authorization rules are implemented as a class, and you can create your own rules. I would suggest that you are describing a custom rule scenario, where your authz rule should allow the fetch operation based on the knowledge that the object has its own way to enforce security.
Hi,
You could also include an interface and a boolean property, say "BypassAuthorization", in your own custom authorization rules.
Then create factory methods that accept this as a parameter or have a built-in setting of bypass.
Another option is to create new command objects that bypass authorization rules (e.g. for use in business rules), fetch the same object and act as a DTO. The authorization rules are enforced by the data portal on the "root" object on the client side.
Hi Jonny,
I understand the second option, but I have my doubts on how to implement the first option and I would really appreciate it if you could give me a little more detail, preferably with some sort of pseudocode.
Thanks,
Lazaro
Sample:
Base read-only class that contains the interface and the custom authorization rule:
    public interface ILNRReadOnlyGetAuthorizationRule
    {
        bool BypassAuthorization { get; set; }
    }
Custom object-level authorization rule:
    private class CanBrowseRule : LNRAuthorizationRuleOr, ILNRReadOnlyGetAuthorizationRule
    {
        /// <summary>
        /// Can the user browse this read-only collection?
        /// </summary>
        /// <param name="action">Action this rule will enforce.</param>
        /// <param name="roles">List of allowed roles.</param>
        public CanBrowseRule(AuthorizationActions action, params ALRSecurity[] roles) : base(action, roles) { }

        public bool BypassAuthorization { get; set; }

        protected override void Execute(AuthorizationContext context)
        {
            if (BypassAuthorization)
                context.HasPermission = true; // always allow
            else
                base.Execute(context);
        }
    }
One factory method implemented:
    public static LoansReadOnly GetLoansReadOnly(int propertyLifeID)
    {
        return DataPortal.Fetch<LoansReadOnly>(propertyLifeID);
    }
• How can I finish the implementation of the BypassAuthorization logic?
• How can I communicate with the custom rule from the static method?
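One way to close the two gaps above, as an added example that is not code from this thread or from CSLA itself: the business class keeps the rule instance it registers in a static field so its factory methods can reach it, and the internal factory raises the bypass only around its own DataPortal.Fetch call. The poster's LNRAuthorizationRuleOr and ALRSecurity types are replaced with CSLA 4's AuthorizationRule base and plain role strings; LoanInfo, the "LoanOfficer" role and DataPortal_Fetch are assumed placeholders.

```csharp
using System;
using Csla;
using Csla.Rules;

public interface ILNRReadOnlyGetAuthorizationRule
{
    bool BypassAuthorization { get; set; }
}

// Object-level GetObject rule. CSLA keeps one rule instance per business type, so an ordinary
// instance field would flip the bypass for every caller in the process; a thread-static field
// confines it to the thread that requested it.
public class CanBrowseRule : AuthorizationRule, ILNRReadOnlyGetAuthorizationRule
{
    [ThreadStatic] private static bool _bypass;
    private readonly string[] _roles;
    public CanBrowseRule(AuthorizationActions action, params string[] roles)
        : base(action) { _roles = roles; }
    public bool BypassAuthorization { get { return _bypass; } set { _bypass = value; } }
    protected override void Execute(AuthorizationContext context)
    {
        if (BypassAuthorization) { context.HasPermission = true; return; }
        foreach (var role in _roles)
            if (ApplicationContext.User.IsInRole(role)) { context.HasPermission = true; return; }
        context.HasPermission = false;
    }
}

[Serializable] public class LoanInfo : ReadOnlyBase<LoanInfo> { }   // assumed child type

[Serializable]
public class LoansReadOnly : ReadOnlyListBase<LoansReadOnly, LoanInfo>
{
    // Held in a static field so the factories reach the same instance CSLA registered.
    private static readonly CanBrowseRule BrowseRule =
        new CanBrowseRule(AuthorizationActions.GetObject, "LoanOfficer"); // placeholder role
    private static void AddObjectAuthorizationRules()
    { BusinessRules.AddRule(typeof(LoansReadOnly), BrowseRule); }

    // Public factory: the data portal checks GetObject before fetching.
    public static LoansReadOnly GetLoansReadOnly(int propertyLifeID)
    { return DataPortal.Fetch<LoansReadOnly>(propertyLifeID); }

    // Internal factory for consuming business objects that enforce their own security:
    // the bypass is raised only for this call and always cleared again, even on failure.
    internal static LoansReadOnly GetLoansReadOnlyUnchecked(int propertyLifeID)
    {
        BrowseRule.BypassAuthorization = true;
        try { return DataPortal.Fetch<LoansReadOnly>(propertyLifeID); }
        finally { BrowseRule.BypassAuthorization = false; }
    }

    private void DataPortal_Fetch(int propertyLifeID) { /* placeholder: load LoanInfo items */ }
}
```

Because the flag is thread-local, it only affects the client-side GetObject check the data portal performs before the fetch, which is where the rule is enforced according to the reply above. Keeping the unchecked factory internal limits the bypass to the assembly's own business objects rather than exposing it to UI code.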
Copyright (c) Marimer LLC