AuthorizationRules DBDriven

Old forum URL: forums.lhotka.net/forums/t/1189.aspx


RangerGuy posted on Tuesday, September 12, 2006

hey everybody,
here's a good article I found on the board.
http://groups.msn.com/CSLANET/general.msnw?action=get_message&mview=0&ID_Message=13839

Our business requirements do not require that a user be checked if they can Add/Edit a single field of the object. We only really need to say something like this.

Does this user have rights to Add/Edit this customer's Contact information?

What are the feelings about not using the AddAuthorizationRules methods and just using the CanAddObject, CanEditObject etc. methods?

We have "Rights" for specific areas in our application like AddEditContactInfo, AddEditBillingAddress. These rights would be confirmed in CanAdd, CanEdit methods before allowing the user to do anything with the object.

Basically, we can apply a permission to an entire object not a single property. So I'm thinking I can avoid the overhead of Authorization Rules and just call the previously mentioned methods.


What ya think?

RockfordLhotka replied on Tuesday, September 12, 2006

You absolutely can do that - this is one primary reason for CanReadProperty() and CanWriteProperty() being virtual/Overridable.

Just remember that those methods get invoked a lot and so the code you write behind them needs to be quite efficient, and can't be going off and hitting expensive resources like a database or something on every call.

RangerGuy replied on Tuesday, September 12, 2006

Thanks Rocky! I'm doing something like this CanAddEditContactInfo() which contains a simple loop thru a static list of permissions that won't be crazy large and returns true if it finds the permission in the user's role. :)
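The pattern discussed in this thread, as an added example that is not code from any poster or from CSLA itself: rights are loaded once into memory, and the object-level checks only read that cache, so repeated calls never reach the database. `UserRights`, `ContactInfoAuthorization` and the `loadRights` delegate are hypothetical names; only the right names and the `CanAddObject`/`CanEditObject` method names come from the thread.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical per-user rights cache: filled once (e.g. at login), then read in memory.
public sealed class UserRights
{
    private readonly HashSet<string> _rights;

    // 'loadRights' stands in for the single database query; it runs once, not per check.
    public UserRights(Func<IEnumerable<string>> loadRights)
    {
        _rights = new HashSet<string>(loadRights(), StringComparer.Ordinal);
    }

    // Constant-time lookup; a null or unknown right is denied.
    public bool Has(string right) => right != null && _rights.Contains(right);
}

public static class ContactInfoAuthorization
{
    public const string AddEditContactInfo = "AddEditContactInfo";

    // Object-level checks named after the CanAddObject/CanEditObject methods in the thread.
    // A missing user is denied rather than treated as an error.
    public static bool CanAddObject(UserRights user) =>
        user != null && user.Has(AddEditContactInfo);

    public static bool CanEditObject(UserRights user) =>
        user != null && user.Has(AddEditContactInfo);
}

public static class Program
{
    public static void Main()
    {
        int dbCalls = 0;
        // Constructed sample data: the rights this user's role grants.
        var user = new UserRights(() => { dbCalls++; return new[] { "AddEditContactInfo" }; });

        // Simulates the frequent invocation Rocky warns about.
        for (int i = 0; i < 10000; i++) ContactInfoAuthorization.CanEditObject(user);

        Console.WriteLine("Can edit contact info: " + ContactInfoAuthorization.CanEditObject(user));
        Console.WriteLine("Has billing right:     " + user.Has("AddEditBillingAddress"));
        Console.WriteLine("Loader invocations:    " + dbCalls);
    }
}
```

Because the cache is read-only after construction, a rights change in the database takes effect only when a new `UserRights` instance is built, for example at the next login.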

Copyright (c) Marimer LLC