Restricting access to individual record or records - like per-instance

Old forum URL: forums.lhotka.net/forums/t/12882.aspx


richardb posted on Friday, May 15, 2015

I have a use case where i need to restrict a user when they are in a certain role to only edit "their own" record(s).

What's the best way of doing this?

I obviously know the user making the request and have/can load their roles up and if in this role, then check if the record belongs to them.  I'm thinking I can write this code in the DataPortal_Fetch method for example and throw a SecurityException.

Is that the best solution here?

The authorization rules are per type, so no help here unless we can still do some sort of per-instance rule?

Thanks.

Richard.

JonnyBee replied on Saturday, May 16, 2015

Hi,

It depends on whether the user is allowed to view the data but not edit it, or is not allowed to either view or edit it.

For the latter I would throw an Exception in DataPortal_Fetch.

For the first I would block Save and also throw an exception in DataPortal_Update/DataPortal_Delete.

richardb replied on Monday, May 18, 2015

Thanks Jonny.

Yes they are NOT allowed to see the data so throwing an Exception in DataPortal_Fetch will work for me.

And they cannot save it either, so I'll throw an exception in the Update/Delete too in case they try to bypass the UI.
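The approach agreed on in the thread, written out as an added C# example (not code from the forum or from CSLA itself): the ownership check runs server-side inside DataPortal_Fetch, DataPortal_Update and DataPortal_DeleteSelf, so a client that skips the UI still hits it. The "Customer" role name, the OwnerId column and the OrderDal data-access class are assumptions made for the example.

```csharp
using System;
using System.Security;
using Csla;

[Serializable]
public class CustomerOrder : BusinessBase<CustomerOrder>
{
    public static readonly PropertyInfo<int> IdProperty = RegisterProperty<int>(c => c.Id);
    public int Id { get { return GetProperty(IdProperty); } private set { LoadProperty(IdProperty, value); } }

    public static readonly PropertyInfo<string> OwnerIdProperty = RegisterProperty<string>(c => c.OwnerId);
    public string OwnerId { get { return GetProperty(OwnerIdProperty); } private set { LoadProperty(OwnerIdProperty, value); } }

    public static readonly PropertyInfo<string> NotesProperty = RegisterProperty<string>(c => c.Notes);
    public string Notes { get { return GetProperty(NotesProperty); } set { SetProperty(NotesProperty, value); } }

    // Per-instance check: a user in the restricted role (assumed name "Customer")
    // may only touch rows whose stored owner matches the current identity.
    private static void DenyUnlessOwner(string storedOwnerId)
    {
        var user = ApplicationContext.User;
        if (user.IsInRole("Customer") &&
            !string.Equals(user.Identity.Name, storedOwnerId, StringComparison.Ordinal))
            throw new SecurityException("Not authorized to access this record.");
    }

    public static CustomerOrder GetCustomerOrder(int id)
    {
        return DataPortal.Fetch<CustomerOrder>(id);
    }

    // Runs on the server side of the data portal; the check happens before any
    // data is copied into the object, so a denied user never sees the record.
    private void DataPortal_Fetch(int id)
    {
        var row = OrderDal.Load(id);           // hypothetical DAL call
        DenyUnlessOwner(row.OwnerId);
        using (BypassPropertyChecks)
        {
            Id = row.Id; OwnerId = row.OwnerId; Notes = row.Notes;
        }
    }

    // Re-read the stored owner rather than trusting the OwnerId the client sent back.
    protected override void DataPortal_Update()
    {
        DenyUnlessOwner(OrderDal.Load(Id).OwnerId);
        OrderDal.Update(Id, Notes);
    }

    protected override void DataPortal_DeleteSelf()
    {
        DenyUnlessOwner(OrderDal.Load(Id).OwnerId);
        OrderDal.Delete(Id);
    }
}
```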

Copyright (c) Marimer LLC