Should ChildDataPortal be checking AuthorizationRules like Csla.DataPortal
Old forum URL: forums.lhotka.net/forums/t/5991.aspx
vdhant posted on Sunday, December 14, 2008
Hi guys
Maybe I am not thinking about this correctly and haven’t got the concept of the child_xyz methods right in my head, but I would think that ChildDataPortal should check the AuthorizationRules in the same way that Csla.DataPortal does.
If I am correct, one object can call the Csla.DataPortal.xyzChild. If this is the case, this would happen within the DataPortal_xyz methods. If this is right, it is possible for the parent object to try and retrieve or persist data that the user doesn't have access to. Given, the developer should maybe manually do this check, but I would have thought that this should be enforced by the ChildDataPortal in the same way Csla.DataPortal does for the parent. If it does not and the developer does not check it, it is possible for data that the user can't access to be returned to the client, or for the client to try and conduct an update directly against the Csla.DataPortal methods and only have the parent object checked against the AuthorizationRule.
Just a thought; as I said, I may have this very wrong and there is something I am missing.
Cheers
Anthony
Copyright (c) Marimer LLC