Misleading reference in ApplyAuthorizationRules() and ProjectTrackercs

Old forum URL: forums.lhotka.net/forums/t/5715.aspx


marcosaccioly posted on Friday, October 31, 2008

Hello guys,

I've been trying to understand the example website that comes with the ProjectTrackercs files and I can't figure out one thing in the RolesEdit.aspx.cs file. In the ApplyAuthorizationRules() method we have one call to Csla.Security.AuthorizationRules.CanEditObject and one call to Csla.Security.AuthorizationRules.CanCreateObject in order to check the authorization of the logged-in user and display the controls appropriately. Both are extremely similar, and here's the first one, the way I found it:


    private void ApplyAuthorizationRules()
    {
        // "Roles" is unqualified here, so it binds to whatever Roles type the page's
        // using directives bring into scope (System.Web.Security.Roles in this page)
        this.GridView1.Columns[this.GridView1.Columns.Count - 1].Visible =
            Csla.Security.AuthorizationRules.CanEditObject(typeof(Roles));
        this.AddRoleButton.Visible =
            Csla.Security.AuthorizationRules.CanCreateObject(typeof(Roles));
    }


As far as I can understand, the purpose of the ApplyAuthorizationRules() was made extremely clear by Lhotka in his Expert C# BOs, page 548:


(...) The ApplyAuthorizationRules() method asks the Roles class whether the current user is authorized to edit the object or add new roles. If the user isn't authorized, then the appropriate controls' Visible properties are set to false, and the controls are thereby hidden.


However, when debugging the app and hovering the mouse over the Roles argument in the code above, it says it's of type System.Web.Security.Roles and, therefore, the GridView column is always visible, as the checks of the object's authorization are never effectively done, since the method CanEditObject(Type objectType) in Csla\Security\AuthorizationRules.cs always sets bool result = true;

I've changed my code to


    private void ApplyAuthorizationRules()
    {
        // fully qualify the business object so the check reaches the class that carries the rules
        this.GridView1.Columns[this.GridView1.Columns.Count - 1].Visible =
            Csla.Security.AuthorizationRules.CanEditObject(typeof(ProjectTracker.Library.Admin.Roles));
        this.AddRoleButton.Visible =
            Csla.Security.AuthorizationRules.CanCreateObject(typeof(ProjectTracker.Library.Admin.Roles));
    }


so it meets the real purpose. Now it works as expected, allowing only users assigned to the Administrator role to view the Edit and Delete columns of the GridView, as well as the "Add Role" button.

I have browsed the forums for it but found nothing and thought it would be nice to post it here. Sorry if it is of any inconvenience.

Thank you all for the time and effort,
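The trap the post describes is a general one: an authorization helper that reflects on the type it is handed and treats "no rule found" as "allowed" will silently pass when the wrong type is resolved by a name collision. The following is an added, self-contained C# example written for this thread; it is not CSLA or ProjectTracker code. The Web.Security and ProjectTracker.Library.Admin namespaces, the two Roles classes, the CurrentUser principal and both Authz helpers are all invented to model the situation, and the fail-open lookup is only an approximation of what the post reports for Csla.Security.AuthorizationRules.CanEditObject(Type).

```csharp
// Added example, not CSLA or ProjectTracker code. Models the name-resolution
// trap from the post: an authorization helper that reflects for a static
// CanEditObject() on the supplied type and defaults to "allowed" when none is
// found. Every namespace, class and the current-user plumbing is hypothetical.
using System;
using System.Reflection;
using System.Security.Principal;

// Stand-in for System.Web.Security.Roles: a static helper with no
// CanEditObject() rule on it. (Hypothetical namespace.)
namespace Web.Security
{
    public static class Roles
    {
        public static string[] GetRolesForUser() => new string[0];
    }
}

// Stand-in for the business object that actually carries the rules.
namespace ProjectTracker.Library.Admin
{
    public class Roles
    {
        // Constructed sample user: alice is a Developer, not an Administrator.
        public static IPrincipal CurrentUser =
            new GenericPrincipal(new GenericIdentity("alice"), new[] { "Developer" });

        public static bool CanEditObject() => CurrentUser.IsInRole("Administrator");
        public static bool CanCreateObject() => CurrentUser.IsInRole("Administrator");
    }
}

namespace Demo
{
    using Web.Security;   // mirrors the page having System.Web.Security in scope

    static class FailOpenAuthz
    {
        // Returns true unless the type opts in with a public static bool CanEditObject().
        public static bool CanEditObject(Type objectType)
        {
            bool result = true;
            MethodInfo rule = objectType.GetMethod("CanEditObject",
                BindingFlags.Public | BindingFlags.Static, null, Type.EmptyTypes, null);
            if (rule != null && rule.ReturnType == typeof(bool))
                result = (bool)rule.Invoke(null, null);
            return result;
        }
    }

    static class FailClosedAuthz
    {
        // Same lookup, but a type with no rule is a configuration error, not a grant.
        public static bool CanEditObject(Type objectType)
        {
            MethodInfo rule = objectType.GetMethod("CanEditObject",
                BindingFlags.Public | BindingFlags.Static, null, Type.EmptyTypes, null);
            if (rule == null || rule.ReturnType != typeof(bool))
                throw new InvalidOperationException(
                    objectType.FullName + " declares no CanEditObject() rule");
            return (bool)rule.Invoke(null, null);
        }
    }

    static class Program
    {
        static void Main()
        {
            // Unqualified Roles binds to Web.Security.Roles because of the using above.
            Console.WriteLine("typeof(Roles) is " + typeof(Roles).FullName);

            // alice is not an Administrator, yet the fail-open check lets her edit
            // when the wrong type is resolved; the qualified type says no.
            Console.WriteLine("fail-open, unqualified: " +
                FailOpenAuthz.CanEditObject(typeof(Roles)));
            Console.WriteLine("fail-open, qualified:   " +
                FailOpenAuthz.CanEditObject(typeof(ProjectTracker.Library.Admin.Roles)));

            // The fail-closed variant turns the same mistake into a loud error.
            try
            {
                FailClosedAuthz.CanEditObject(typeof(Roles));
            }
            catch (InvalidOperationException ex)
            {
                Console.WriteLine("fail-closed, unqualified: " + ex.Message);
            }
        }
    }
}
```

Run with any C# compiler; the fail-open check reports true for typeof(Roles) and false for the fully qualified business type, while the fail-closed check throws on the unqualified name, which is the behaviour a practitioner would want from an authorization default: a type that declares no rule should not be treated as editable by everyone.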

marcosaccioly replied on Friday, October 31, 2008

I know it's just a reference problem. You may agree it's misleading, though. =)

JoeFallon1 replied on Friday, October 31, 2008

I do agree it is misleading. <g>

I always thought it was a poor choice of words for that feature of the app due to the possible confusion in the mind of the reader. Turns out the compiler is confused by it too.

Joe

Copyright (c) Marimer LLC