CSLA 4 Authorization rules suppressing

Old forum URL: forums.lhotka.net/forums/t/11878.aspx


lazaroms posted on Tuesday, March 12, 2013

Is it possible to suppress authorization rules in CSLA 4?

I need to write a GET method; this method will be internal and it will be called from other classes with no authorization needed.

Thanks for your suggestions.

Lazaro M

JonnyBee replied on Tuesday, March 12, 2013

Hi,

The question is "How do you know when to do authorization or not?".

  1. If the property is only internal, for use by other classes in your assembly, then change from GetProperty to ReadProperty in your property getter, as ReadProperty does not check authorization.
  2. Create a separate internal property that uses ReadProperty.
  3. Create an internal method that returns the property value.
  4. Create an Accessor class that inherits from ObjectFactory, which exposes ReadProperty(<bo>, <PropertyInfo>).

lazaroms replied on Tuesday, March 12, 2013

I'm sorry Jonny, I didn't explain well.

I have a class, Product. Now I need another class PublicProduct.

I need to get an object (Product) from inside PublicProduct bypassing the authorization rules.

PublicProduct and Product will be in the same assembly. PublicProduct is a class created for non-authenticated users and it will have a few properties created from information got from the Product object.

That's why I need a GetObject static method that bypasses the authorization rules.

JonnyBee replied on Tuesday, March 12, 2013

Hi,

Different use case = different objects.

No, there is no bypassing the static authorization rules - these are enforced by the DataPortal.

You _may_ create a PublicProduct and then have Product inherit from PublicProduct and add authz rules. However, this creates tight coupling and I would rather seek to have different objects.

You could create separate RuleSets and set the "active" ruleset to one that does not have authorization, but it could really complicate the whole application and I have not done this in any of my own projects.

lazaroms replied on Tuesday, March 12, 2013

Hi Jonny:

Sorry for writing again but I have a doubt.

Taking into account that "there is no bypassing the static authorization rules - these are enforced by the DataPortal.", I have a question:

In cases where we have a "using reference": must the identity have authorization for both objects?

A classic example:

InvoiceEdit uses an InfoCustomerEdit and has a list of InvoiceDetailEdit.

Operator users can: 1-Edit the InvoiceEdit, 2-Edit the InvoiceDetailEdit list and 3-Get the InfoCustomerEdit

Supervisor users can: 1-Edit the InvoiceEdit, 2-Edit the InvoiceDetailEdit list and 3-EDIT the InfoCustomerEdit

How would you solve it?

Thanks again

lazaroms replied on Tuesday, March 12, 2013

I found a way to do what I want:

1- Don't declare an authorization rule for a GetObject action and it will make the class public to anyone

2- Declare two GetObject static methods: one will have no authorization checking and will be INTERNAL, and the other one will be PUBLIC but will look like this:


    // Public factory: checks the caller's role before fetching through the DataPortal.
    public static MyClass GetMyObjectClass(Guid id)
    {
      if (Csla.ApplicationContext.User.IsInRole("CanGetRole"))
      {
        return DataPortal.Fetch<MyClass>(new MyClassCriteria(id));
      }
      else
      {
        throw new Exception("User not authorized");
      }
    }

Thanks for your help.
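As an added illustration of the two-factory approach described in the post above (example code written for this page, not from the original thread or from the CSLA project), the following shows a Product with no object-level GetObject rule, a public factory that carries the role check, an internal factory that does not, and a PublicProduct projection that copies only the fields safe to publish. The role name "CanGetRole", the class and property names and the sample values are assumptions.

```csharp
using System;
using Csla;
using Csla.Security;

[Serializable]
public class Product : BusinessBase<Product>
{
    public static readonly PropertyInfo<Guid> IdProperty = RegisterProperty<Guid>(c => c.Id);
    public Guid Id { get { return GetProperty(IdProperty); } }
    public static readonly PropertyInfo<string> NameProperty = RegisterProperty<string>(c => c.Name);
    public string Name { get { return GetProperty(NameProperty); } set { SetProperty(NameProperty, value); } }
    public static readonly PropertyInfo<decimal> CostPriceProperty = RegisterProperty<decimal>(c => c.CostPrice);
    public decimal CostPrice { get { return GetProperty(CostPriceProperty); } set { SetProperty(CostPriceProperty, value); } }

    // Step 1 from the post: no AddObjectAuthorizationRules() is declared, so the DataPortal
    // does not restrict GetObject itself; the public factory below carries the only check.
    public static Product GetProduct(Guid id)
    {
        if (!ApplicationContext.User.IsInRole("CanGetRole"))   // hypothetical role name
            throw new SecurityException("User not authorized to get Product");
        return GetProductInternal(id);
    }
    // Step 2: internal factory with no check, reachable from any code in this assembly.
    internal static Product GetProductInternal(Guid id)
    {
        return DataPortal.Fetch<Product>(new SingleCriteria<Product, Guid>(id));
    }
    private void DataPortal_Fetch(SingleCriteria<Product, Guid> criteria)
    {
        // Constructed sample values standing in for a database read.
        LoadProperty(IdProperty, criteria.Value);
        LoadProperty(NameProperty, "Sample product");
        LoadProperty(CostPriceProperty, 42m);
    }
}

// Projection for non-authenticated users: exposes only the fields that are safe to publish.
[Serializable]
public class PublicProduct : ReadOnlyBase<PublicProduct>
{
    public static readonly PropertyInfo<string> NameProperty = RegisterProperty<string>(c => c.Name);
    public string Name { get { return GetProperty(NameProperty); } }

    public static PublicProduct GetPublicProduct(Guid id)
    {
        var source = Product.GetProductInternal(id);      // no role check, as in the post
        var result = new PublicProduct();
        result.LoadProperty(NameProperty, source.Name);   // CostPrice is deliberately not copied
        return result;
    }
}
```

Because the check lives in the public factory rather than in an object authorization rule, the DataPortal will serve a Product to any caller inside the assembly that reaches GetProductInternal, so the set of internal callers is the real authorization boundary and should be kept small and reviewed.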

Copyright (c) Marimer LLC