I often find that there's a need to do authorization not just based on the user's roles (permissions), but also based on some state in the object itself. A common scenario is that only the creator of a particular object can edit it (but it can be viewed by all). Or a property value should only be allowed to be changed if the Status property is a certain value.
The Target property of the AuthorizationContext would seem to allow access to any object state, but I want to verify if that is the proper way to access the state or not.
I found a thread from a while back that discussed sending input property values into authorization rules, and also allowing the rule to specify if its result may be cached, but nothing seems to have come of those.
Any suggestions (which ideally don't involve overriding CanWriteProperty)?
CslaGenFork has published a rule library that includes some authorization rules like:
Ideas for new rules are welcome.
I didn't see it at first, but I did find the property to allow caching of the result of the auth rule to be disabled in the latest version. If I can assume that the Target object is ok to use to get the other values of the state of the object, I think I'm all set.
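Added example, not part of the thread and not code from CSLA or CslaGenFork: two state-based authorization rules for the scenarios in the question, written against the CSLA 4.x-style API (`AuthorizationRule`, `AuthorizationContext.Target`, `CacheResult`, static `ApplicationContext.User`). The `IOwnedDocument` interface, both rule names, and the assumption that `Target` is null for per-type checks are specific to this example.

```csharp
using System;
using Csla;
using Csla.Rules;

// Hypothetical interface for this example: the state the rules read from Target.
public interface IOwnedDocument
{
    string CreatedBy { get; }
    string Status { get; }
}

// Grants the action only when the current user created the target instance.
public class OnlyCreatorCanEdit : AuthorizationRule
{
    public OnlyCreatorCanEdit(AuthorizationActions action) : base(action) { }

    // The answer depends on instance state, so a cached result could go stale.
    public override bool CacheResult { get { return false; } }

    protected override void Execute(AuthorizationContext context)
    {
        // Assumption: Target is null when the check is made per type rather than
        // per instance. With no state to inspect, this example fails closed.
        var doc = context.Target as IOwnedDocument;
        if (doc == null) { context.HasPermission = false; return; }

        // Require an authenticated user so two empty names never match.
        var identity = ApplicationContext.User.Identity;
        context.HasPermission = identity.IsAuthenticated &&
            string.Equals(doc.CreatedBy, identity.Name, StringComparison.Ordinal);
    }
}

// Grants WriteProperty on one property only while Status has the required value.
public class WritableOnlyInStatus : AuthorizationRule
{
    private readonly string _status;

    public WritableOnlyInStatus(Csla.Core.IMemberInfo property, string status)
        : base(AuthorizationActions.WriteProperty, property) { _status = status; }

    public override bool CacheResult { get { return false; } }

    protected override void Execute(AuthorizationContext context)
    {
        var doc = context.Target as IOwnedDocument;
        context.HasPermission = doc != null && doc.Status == _status;
    }
}
```

In CSLA 4.x the property rule would be registered with `BusinessRules.AddRule(...)` inside `AddBusinessRules()`, and the object-level rule with `BusinessRules.AddRule(typeof(T), ...)` inside `AddObjectAuthorizationRules()`. These rules only gate the business object's own checks, so the server-side data access code should still enforce the same ownership condition.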
Copyright (c) Marimer LLC