Context based security on a collection

Old forum URL: forums.lhotka.net/forums/t/2068.aspx


FireGarden posted on Tuesday, January 02, 2007

  I have a readonly collection of divisions corresponding to the divisions in my company. I want to restrict user access by division. Effectively when I call CanGetObject() I need to know what division it is being called for.

With the Csla framework the CanGetObject() call is static / shared which means I don't have access to the division name property when trying to determine access rights.

Is the solution simply to have a non static version of CanGetObject? How do I know which one to call?

This problem is represented in a lot of ways where the security is based on not the object or its properties but on the actual data contained in that instance of the object.

Any direction on how to implement this kind of security restriction in Csla would be appreciated.

Regards,

Rob

ajj3085 replied on Wednesday, January 03, 2007

I would think an instance CanGetObject would help.  The static one could be used in the general case.  Can the user ever get a Division object?  There may be cases where a user never has permissions to load a Division object.

The instance level method would take into account the division's name to determine.  It would probably hand the call off to the Division object (I assume the instance methods are on the readonly object) because you may use the same method in the static Get method and throw a SecurityException if the result is false.

HTH
Andy
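
An added example, not part of the thread and not CSLA's own code: the split discussed above, with a general static check, a data-dependent check, and a factory that throws before loading. It is plain C# without the CSLA base classes; the `DivisionInfo` class, the role names `DivisionViewer` and `Division:<name>`, and `CanGetThisObject` are assumptions made for illustration.

```csharp
using System;
using System.Security;
using System.Security.Principal;
using System.Threading;
// Plain C# sketch: a real CSLA class would derive from a read-only base
// class and fetch its data through the data portal.
public sealed class DivisionInfo
{
    public string Name { get; }
    private DivisionInfo(string name) { Name = name; }

    // Deny by default when no principal is attached to the thread.
    private static bool InRole(string role)
    {
        IPrincipal user = Thread.CurrentPrincipal;
        return user != null && user.IsInRole(role);
    }

    // General case: may the user load any division at all?
    // "DivisionViewer" is a hypothetical role name.
    public static bool CanGetObject() { return InRole("DivisionViewer"); }

    // Data-dependent case: may the user load this particular division?
    // Assumes per-division roles named "Division:<name>" (hypothetical).
    public static bool CanGetObject(string divisionName)
    {
        return CanGetObject() && InRole("Division:" + divisionName);
    }

    // Instance check hands off to the same rule the factory uses.
    public bool CanGetThisObject() { return CanGetObject(Name); }

    // Factory enforces the rule before any data is fetched.
    public static DivisionInfo GetDivision(string divisionName)
    {
        if (!CanGetObject(divisionName))
            throw new SecurityException("Not authorized for division " + divisionName);
        return new DivisionInfo(divisionName); // stand-in for the real fetch
    }
}
public static class Demo
{
    public static void Main()
    {
        // Constructed principal: may view divisions, but only "North".
        Thread.CurrentPrincipal = new GenericPrincipal(
            new GenericIdentity("rob"), new[] { "DivisionViewer", "Division:North" });
        Console.WriteLine(DivisionInfo.GetDivision("North").Name);
        try { DivisionInfo.GetDivision("South"); }
        catch (SecurityException ex) { Console.WriteLine(ex.Message); }
    }
}
```

When the read-only collection is populated, the same per-division rule has to be applied to each row on the server side; a check made only in the UI does not restrict what data is returned.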

FireGarden replied on Wednesday, January 03, 2007

Hello Andy,
    I will try to implement and let you know if I run into any road blocks.

Thanks for replying and supporting this forum.

Rob

Copyright (c) Marimer LLC