Hi.
I am beginning a project using CSLA 3.5.
I know that the default mode for object authorization rules is to allow all permissions. But what if you want the opposite behaviour? For example, only an Admin can delete an object. I have to specifically call DenyDelete for every role other than Admin, and what if a new role gets added later? I would rather have no one with delete access unless I specifically grant it.
Also, what about the case of multiple roles? Most of our users have more than one role. They might be a User and a Programmer and a Manager. If I DenyCreate the User role, will that prevent a Manager who is also a User from being able to create an object?
Thanks,
Carl
I believe that “allow all” behavior only works if you do not have any authorization rules in place for an action or property. Once you specify at least one authorization rule, all users that do not fall into that role will be denied access. So if you want an object that none can delete, specify a non-existing role for delete rule.
Sergey Barskiy
Thanks for the quick reply, Sergey!
Okay, so then from what you are saying, by virtue of me specifying AllowDelete for Admin, that automatically denies it for any other role? And what if my Admin is also a SomeOtherRole?
Thanks again!
Carl
Okay, so then from what you are saying, by virtue of me specifying AllowDelete for Admin, that automatically denies it for any other role?
-- Yes
And what if my Admin is also a SomeOtherRole?
-- Does not matter. What matters is that logged in user belongs to Admin role.
Sergey Barskiy
great..thanks!
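The allow-list behaviour described in the replies above, as an added example that is not part of the thread and is not CSLA's own code. `AllowListModel`, its `Allow` and `Can` methods, the action names and the sample users are hypothetical; it models only the Allow* behaviour stated in the thread and says nothing about how Deny* rules are evaluated.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;

// Hypothetical model of the allow-list behaviour described in this thread.
// It is not CSLA's AuthorizationRules class and does not model Deny* rules.
static class AllowListModel
{
    // Action name -> roles explicitly allowed to perform that action.
    static readonly Dictionary<string, HashSet<string>> Allowed =
        new Dictionary<string, HashSet<string>>();

    public static void Allow(string action, params string[] roles)
    {
        if (!Allowed.TryGetValue(action, out var set))
            Allowed[action] = set = new HashSet<string>();
        set.UnionWith(roles);
    }

    public static bool Can(IPrincipal user, string action)
    {
        // No rule registered for the action: everyone is allowed.
        if (!Allowed.TryGetValue(action, out var roles) || roles.Count == 0)
            return true;
        // At least one allow rule exists: the user needs any one allowed role.
        // Other roles the user also holds neither help nor hurt.
        return roles.Any(user.IsInRole);
    }

    static IPrincipal User(string name, params string[] roles) =>
        new GenericPrincipal(new GenericIdentity(name), roles);

    static void Main()
    {
        // Constructed sample users.
        var carl = User("carl", "User", "Programmer", "Manager");
        var ann = User("ann", "Admin", "SomeOtherRole");

        Console.WriteLine(Can(carl, "Delete")); // no Delete rule registered yet
        Allow("Delete", "Admin");
        Console.WriteLine(Can(carl, "Delete")); // carl holds no allowed role
        Console.WriteLine(Can(ann, "Delete"));  // Admin plus another role
        Allow("Create", "NoSuchRole");          // a role that nobody holds
        Console.WriteLine(Can(ann, "Create"));
    }
}
```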
Copyright (c) Marimer LLC