I have a use case where I need to restrict a user when they are in a certain role to only edit "their own" record(s).
What's the best way of doing this?
I obviously know the user making the request and have/can load their roles up and if in this role, then check if the record belongs to them. I'm thinking I can write this code in the DataPortal_Fetch method for example and throw a SecurityException.
Is that the best solution here?
The authorization rules are per type, so no help here unless we can still do some sort of per-instance rule?
It depends on whether the user is allowed to view the data but not edit or not allowed to both view and edit.
For the latter I would throw an Exception in DataPortal_Fetch.
For the first I would block Save and also throw an exception in DataPortal_Update/DataPortal_Delete.
Yes they are NOT allowed to see the data so throwing an Exception in DataPortal_Fetch will work for me.
And they cannot save it either, so I'll throw an exception in the Update/Delete too in case they try to bypass the UI.
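
An added example, not part of the thread and not CSLA's own code: the per-instance ownership check discussed above, written in plain C# without the framework. `Record`, `OwnerName`, `RecordDataAccess` and the role name `OwnRecordsOnly` are assumptions; in the thread's design the three method bodies would sit in DataPortal_Fetch, DataPortal_Update and DataPortal_Delete.

```csharp
using System;
using System.Collections.Generic;
using System.Security;
using System.Security.Principal;

// Hypothetical record type; OwnerName is an assumed field naming the owning user.
public sealed class Record { public int Id; public string OwnerName; public string Body; }

public sealed class RecordDataAccess
{
    private const string RestrictedRole = "OwnRecordsOnly";   // assumed role name
    private readonly Dictionary<int, Record> _store;          // stands in for the database

    public RecordDataAccess(Dictionary<int, Record> store) { _store = store; }

    // Per-instance rule: a user in the restricted role may only touch records they own.
    private static void DemandOwnership(IPrincipal user, Record stored)
    {
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            throw new SecurityException("Authentication required.");
        if (user.IsInRole(RestrictedRole) &&
            !string.Equals(stored.OwnerName, user.Identity.Name, StringComparison.Ordinal))
            throw new SecurityException("Not permitted for this record.");
    }

    // Fetch path: the check runs on the server before any data is returned.
    public Record Fetch(IPrincipal user, int id)
    {
        Record stored = _store[id];
        DemandOwnership(user, stored);
        return stored;
    }

    // Update path: authorize against the stored row, never the submitted object,
    // and leave the stored owner untouched so a caller cannot reassign ownership.
    public void Update(IPrincipal user, Record submitted)
    {
        Record stored = _store[submitted.Id];
        DemandOwnership(user, stored);
        stored.Body = submitted.Body;
    }

    // Delete path: same check before the row is removed.
    public void Delete(IPrincipal user, int id)
    {
        DemandOwnership(user, _store[id]);
        _store.Remove(id);
    }
}
```

Checking the owner on the stored row matters on the update path because the submitted object comes from the caller, who could set its owner field to their own name.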
Copyright (c) Marimer LLC