Idea for AuthorizationRules

Old forum URL: forums.lhotka.net/forums/t/5396.aspx


AzStan posted on Saturday, September 13, 2008

I ran into an interesting problem recently.  My Windows Form features a CheckBox control bound to a read-only property (no set accessor). The form also features a ReadWriteAuthorization control.  The unanticipated result is that the checkbox control is enabled when ResetControlAuthorization() is called on the ReadWriteAuthorization control.

Looking further, it seems that the implementation of Csla.Security.IAuthorizeReadWrite interface in BusinessBase does not check to see if the property is hard-wired for writing.  This is understandable, because to do so would require reflection, and an associated performance penalty.

On the other hand, it seems counterintuitive to call a method named CanWriteProperty() and get a result of true, when the underlying property is hard-wired as read-only.

It would be easy enough to just turn off the ReadWriteAuthorization for that one control.  Simple, but carries a small penalty in reduced code maintainability, and doesn't get to the issue.

I'm tempted to override CanWriteProperty in my custom base class and use reflection to check the Property, but this could have a big performance penalty.

It would be nice to be able to override CanWriteProperty and to be able to include the reflection based result in the Authorization Cache.  Maybe Rocky could modify the _writeResultCache member in BusinessBase to be protected instead of private?  I've had a few reasons to want protected access to that cached dictionary of authorization values.

Alternatively, Rocky could rewrite CanWriteProperty in BusinessBase to check if the property in question is Read-only.  Though it would require reflection, the result could be cached with the Authorization result.

Discussion anyone?

rsbaker0 replied on Saturday, September 13, 2008

My $0.02...

I'd think that either the ReadWriteAuthorization or your own implementation could cache the property information so that any performance penalty is incurred once for each property bound to a control on the form. You wouldn't have to reflect each time -- just reflect once and save the information about which properties don't have an accessible setter somewhere.
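
The reflect-once-and-cache approach discussed in this thread, as an added example that is not code from either poster or from CSLA. `SetterCache`, `Invoice` and `RulesAllowWrite` are hypothetical names, and the sketch assumes a runtime with `ConcurrentDictionary` and value tuples (C# 7 or later).

```csharp
using System;
using System.Collections.Concurrent;
using System.Reflection;

// Hypothetical helper (not part of CSLA): reflects once per (type, property)
// and remembers whether the property exposes a public set accessor.
public static class SetterCache
{
    private static readonly ConcurrentDictionary<(Type, string), bool> _cache =
        new ConcurrentDictionary<(Type, string), bool>();

    public static bool HasPublicSetter(Type type, string propertyName)
    {
        return _cache.GetOrAdd((type, propertyName), key =>
        {
            PropertyInfo prop = key.Item1.GetProperty(
                key.Item2, BindingFlags.Public | BindingFlags.Instance);
            // Unknown property name: fail closed and report "not writable".
            if (prop == null) return false;
            // GetSetMethod() returns null when there is no public setter,
            // which covers both "no set accessor" and "private set".
            return prop.GetSetMethod() != null;
        });
    }
}

// Constructed sample object standing in for a business object.
public class Invoice
{
    public string Customer { get; set; }
    public bool IsPaid { get { return true; } }   // no set accessor
    public decimal Total { get; private set; }    // non-public setter

    // Stand-in for the role-based authorization result (assumed to allow all).
    private bool RulesAllowWrite(string propertyName) { return true; }

    // The structural check runs first, so a hard-wired read-only property
    // is never reported as writable, whatever the rules say.
    public bool CanWriteProperty(string propertyName)
    {
        return SetterCache.HasPublicSetter(GetType(), propertyName)
            && RulesAllowWrite(propertyName);
    }
}

public static class Program
{
    public static void Main()
    {
        var inv = new Invoice();
        foreach (var name in new[] { "Customer", "IsPaid", "Total", "Missing" })
            Console.WriteLine("{0}: {1}", name, inv.CanWriteProperty(name));
    }
}
```

The cache is keyed by type as well as property name, so the reflection cost is paid once per property for the life of the process rather than once per object instance or per form.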

Copyright (c) Marimer LLC