[Csla 3.5] Implications with the DataPortal doing AuthorizationRules.CanXYZObject checks


Old forum URL: forums.lhotka.net/forums/t/5421.aspx


stefan posted on Thursday, September 18, 2008

Hi Rocky,

I noticed that the DataPortal, as a result of a negative AuthorizationRules check, does this
(in the case of Fetch):
      ...
      try
      {
        OnDataPortalInitInvoke(null);

        if (!Csla.Security.AuthorizationRules.CanGetObject(objectType))
          throw new System.Security.SecurityException(string.Format(Resources.UserNotAuthorizedException,
            "get",
            objectType.Name));
      ...
      }
      catch (Exception ex)
      {
        OnDataPortalInvokeComplete(new DataPortalEventArgs(dpContext, objectType, DataPortalOperations.Fetch, ex));
        throw;
      }
      ...
Normally I would expect some custom exception, maybe wrapping the SecurityException,
that lets us react accordingly. Telling the user about a missing authorization should happen
in a readable manner. Building the message using a string literal "get" and the typename only
works in English. You should at least provide some enum value here instead.

Another question: How do I subscribe to OnDataPortalInvokeComplete in my business object?
I have an override of DataPortal_OnDataPortalInvokeComplete, but it does not get called when
the above exception is raised...


Stefan

RockfordLhotka replied on Thursday, September 18, 2008

Thanks for the feedback Stefan,

I think that if this exception gets thrown, it is because the UI developer didn't do their job. The UI should have used CanGetObject() to prevent the user from even trying to do the wrong thing, so the fact that the user was allowed to get here is a bug in the UI code.

But you are right - the literal string should be a resource. I'll add this to the to-do list.

Regarding the data portal - there are several virtual methods available. InvokeComplete is only called if the operation succeeds. There's another one (InvokeException maybe?) that is called when an exception occurs.

stefan replied on Thursday, September 18, 2008

But looking at the snippet I posted, it looks like InvokeComplete is called in the case of an error occurring, with the EventArgs containing the exception...

Stefan


RockfordLhotka replied on Thursday, September 18, 2008

Oh, I’m sorry, I got it confused with the virtual methods…

You are right, these are static events on the DataPortal class itself.

To handle that event, you need to set up an event handler. You must be careful where you do this, because hooking an event causes a reference from the event source (DataPortal) to the handler. Since this is a static event, that reference will never go away unless you unhook the event – which can lead to memory leaks.

But to hook the event, you just use standard event handling code. += in C# and AddHandler in VB.

Csla.DataPortal.InvokeComplete += MyHandler;

AddHandler Csla.DataPortal.InvokeComplete, AddressOf MyHandler

Rocky
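
Added example, not part of the original thread and not CSLA code: a self-contained C# illustration of hooking a static completion event to record authorization denials and unhooking it again so the static event does not keep the handler alive. PortalStub, PortalEventArgs and DeniedAccessLog are hypothetical stand-ins; take the real event name and delegate type from the CSLA version in use.

```csharp
using System;
using System.Security;

// Hypothetical stand-ins for Csla.DataPortal and DataPortalEventArgs, so the
// example compiles without the framework. These are not CSLA's own types.
public sealed class PortalEventArgs { public Type ObjectType; public Exception Exception; }

public static class PortalStub
{
    public static event Action<PortalEventArgs> InvokeComplete;

    // Same shape as the Fetch snippet in the first post: report the failure, then rethrow.
    public static void Fetch(Type objectType, bool authorized)
    {
        try
        {
            if (!authorized)
                throw new SecurityException("Not authorized to get " + objectType.Name);
        }
        catch (Exception ex)
        {
            InvokeComplete?.Invoke(new PortalEventArgs { ObjectType = objectType, Exception = ex });
            throw;
        }
        InvokeComplete?.Invoke(new PortalEventArgs { ObjectType = objectType });
    }
}

// Counts operations that ended in a SecurityException. Dispose removes the handler;
// without it the static event would reference this instance for the life of the process.
public sealed class DeniedAccessLog : IDisposable
{
    public int DeniedCount { get; private set; }
    public DeniedAccessLog() { PortalStub.InvokeComplete += OnComplete; }
    public void Dispose() { PortalStub.InvokeComplete -= OnComplete; }
    private void OnComplete(PortalEventArgs e) { if (e.Exception is SecurityException) DeniedCount++; }

    public static void Main()
    {
        var log = new DeniedAccessLog();
        using (log)
        {
            try { PortalStub.Fetch(typeof(string), false); }   // constructed denied request
            catch (SecurityException) { }                      // the caller still receives the exception
        }
        try { PortalStub.Fetch(typeof(string), false); } catch (SecurityException) { }
        Console.WriteLine(log.DeniedCount); // counts only the call made while subscribed
    }
}
```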

 





Copyright (c) Marimer LLC