AuthorizationActions.EditObject seems doesn't work on child object.

sash_kr posted on Monday, April 21, 2014

How to prevent user to edit child object?

I have class with f.ex "orders" property. This is "BusinessBindingListBase" which contains "Order" objects.

I thought I can add "authorization rule" (AuthorizationActions.EditObject) that implements some logic. But it never executes. I can edit this child object and even save it. It looks wierd. How to prevent child object editing?

ajj3085 replied on Monday, April 21, 2014

I think you need per property auth rules, I believe the type level ones only apply to the root object, not the children.

sash_kr replied on Monday, April 21, 2014

And this is the only way?

JonnyBee replied on Monday, April 21, 2014

The default behavior implemented in CSLA is to check AuthorizationAction.EditObject in DataPortal.Update method on an object that has IsNew = false and this method is only ever called for "root" objects. 

If you want to block the user from making any changes to the object you should either:

1. Add AuthorizationRule on each property (AuthorizationAction.WriteProperty) or
2. Override CanWriteProperty(propertyInfo) to return false. 

It is the base.CanWriteProperty that checks for AuthorixzationAction.WriteProperty but you can override and add your own custom logic.

sash_kr replied on Tuesday, April 22, 2014

Thanks JonnyBee. I've found your post about this: http://forums.lhotka.net/forums/p/10611/49658.aspx