How to add custom object authorization rule


Old forum URL: forums.lhotka.net/forums/t/11035.aspx


msrs_it posted on Friday, January 06, 2012

I have certain objects that are to be edited by their owners only.

As per my knowledge the AddObjectAuthorizationRules() fires before the object creation and it is also a static method. How can we know that the user is an owner of that object?

For example, I have a company object. When a user logs in to the system I'm storing his company id in the Identity object.

The constraint is that the details of that company are edited by this user and admin only.

How can I frame the object authorization rule?

 

Thanks and Regards

JonnyBee replied on Friday, January 06, 2012

It depends on how your authorization should be done.

1. You could add an additional check in the static fetch method after the DataPortal.Fetch<> statement and check if the user can access (fetch) this instance, i.e. call BusinessRules.HasPermission(AuthorizationActions.GetObject, obj, true);

2. You could override CanWriteProperty to return false when the current user is not the owner (in effect: make all fields readonly).

3. You could also add a rule for AuthorizationActions.EditObject that would prevent user from calling Save on your root object
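
The per-instance owner check discussed in this thread, written as a custom authorization rule; this is an added example, not code from the thread or from CSLA itself. It assumes the CSLA 4 rule API (`AuthorizationRule`, `AuthorizationContext.Target`, the static `ApplicationContext.User`); `ICompanyIdentity`, `ICompanyOwned`, `OwnerOrAdmin` and the `"Admin"` role name are hypothetical.

```csharp
using System;
using Csla;
using Csla.Rules;

// Hypothetical: the custom identity from the question, holding the company id set at login.
public interface ICompanyIdentity { int CompanyId { get; } }

// Hypothetical: implemented by business objects that belong to one company.
public interface ICompanyOwned { int OwnerCompanyId { get; } }

// Grants the action to the admin role, or to a user whose identity matches the owner.
public class OwnerOrAdmin : AuthorizationRule
{
    private readonly string _adminRole;

    public OwnerOrAdmin(AuthorizationActions action, string adminRole) : base(action)
    {
        _adminRole = adminRole;
    }

    protected override void Execute(AuthorizationContext context)
    {
        context.HasPermission = false; // fail closed
        var user = ApplicationContext.User;
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated) return;
        if (user.IsInRole(_adminRole)) { context.HasPermission = true; return; }
        var identity = user.Identity as ICompanyIdentity;
        if (identity == null) return; // no company id to compare against
        // Target is null on a type-level check: ownership is undecidable there, so allow
        // and let the per-instance check (Target set) enforce it.
        var owned = context.Target as ICompanyOwned;
        context.HasPermission = context.Target == null ||
            (owned != null && owned.OwnerCompanyId == identity.CompanyId);
    }
}

[Serializable]
public class Company : BusinessBase<Company>, ICompanyOwned
{
    public static readonly PropertyInfo<int> IdProperty = RegisterProperty<int>(c => c.Id);
    public int Id { get { return GetProperty(IdProperty); } }
    public int OwnerCompanyId { get { return Id; } }

    // Registered once per type; the rule still sees the instance via context.Target.
    public static void AddObjectAuthorizationRules()
    {
        Csla.Rules.BusinessRules.AddRule(typeof(Company),
            new OwnerOrAdmin(AuthorizationActions.EditObject, "Admin"));
    }
}
```

The rule only decides ownership when it is evaluated against an instance, so a check made with just the type must be followed by one that passes the object.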

 

 

Copyright (c) Marimer LLC