DenyRead("*", "SomeRole") and then few AllowRead("PropertyN", "SomeRole")

Old forum URL: forums.lhotka.net/forums/t/3795.aspx


gaRex posted on Sunday, October 28, 2007

I've searched for something like that here and didn't find anything.

What I want

What I want is a behaviour like in Apache's auth:

Deny from all
Allow from host1 host2 host3

In code it may be like that:

DenyRead("*", "SomeRole");
AllowRead("Property1", "SomeRole");
AllowRead("Property2", "SomeRole");

This will deny ALL properties for this role and then allow only two, for example.

Why do I want it like that?

When I have some BO with about 20-30 properties and this object may change frequently in the future, but "SomeRole" must always see only two of them.

If there is another way of solving such a problem, pls, redirect me there.

ajj3085 replied on Monday, October 29, 2007

Well, using AllowRead / DenyRead you'll have to put in a line for each property.  Can any roles read the other properties?  If so, AllowRead will only allow reading from that role, all others will be denied implicitly.

So AllowRead( "Property3", "SomeOtherRole" ) will implicitly deny any other role.

If you're not, you may want to just override CanReadProperty, check for SomeRole, and if user is a member of SomeRole, check if it's one of those two properties and hand the call off to the base.  Otherwise, return false.
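
The override described in the reply above, as an added example that is not part of either post and not the framework's own code. It reads the reply as "SomeRole gets an allowlist, every other caller falls through to the base rules". `BusinessBaseStandIn`, `Customer`, `Demo` and the sample users are hypothetical names so the block compiles without the framework; in a real business object the base class and the current principal come from the framework.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

// Stand-in for the framework base class (assumption): only the virtual
// CanReadProperty hook named in the reply is modelled; its default allows reads.
abstract class BusinessBaseStandIn
{
    protected readonly IPrincipal User;
    protected BusinessBaseStandIn(IPrincipal user) { User = user; }
    public virtual bool CanReadProperty(string propertyName) { return true; }
}

class Customer : BusinessBaseStandIn
{
    const string RestrictedRole = "SomeRole";

    // The only properties SomeRole may read. Anything not listed here,
    // including properties added to the object later, is denied for that role.
    static readonly HashSet<string> AllowedForRestrictedRole =
        new HashSet<string>(StringComparer.Ordinal) { "Property1", "Property2" };

    public Customer(IPrincipal user) : base(user) { }

    public override bool CanReadProperty(string propertyName)
    {
        // A user who holds SomeRole together with another role is still restricted.
        if (User != null && User.IsInRole(RestrictedRole)
            && !AllowedForRestrictedRole.Contains(propertyName ?? ""))
            return false;                            // deny by default for SomeRole
        return base.CanReadProperty(propertyName);   // hand off to the base rules
    }
}

static class Demo
{
    static void Main()
    {
        // Constructed sample users.
        var restricted = new GenericPrincipal(new GenericIdentity("alice"), new[] { "SomeRole" });
        var other = new GenericPrincipal(new GenericIdentity("bob"), new[] { "SomeOtherRole" });
        foreach (var p in new[] { "Property1", "Property2", "Property3", "AddedLater" })
            Console.WriteLine("{0,-10} SomeRole={1} SomeOtherRole={2}", p,
                new Customer(restricted).CanReadProperty(p),
                new Customer(other).CanReadProperty(p));
    }
}
```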

Copyright (c) Marimer LLC