Minor errata in project.Save() method

Old forum URL: forums.lhotka.net/forums/t/607.aspx


Mark posted on Wednesday, July 12, 2006

From the ProjectTracker 'Project' class...

public override Project Save()
{
   if (IsDeleted && !CanDeleteObject())
      throw new System.Security.SecurityException("User not authorized to remove a project");
   else if (IsNew && !CanAddObject())
      throw new System.Security.SecurityException("User not authorized to add a project");
   else if (!CanEditObject())
      throw new System.Security.SecurityException("User not authorized to update a project");
   return base.Save();
}

If, for some reason, the user didn't have edit rights but did have add rights, this code will throw an error.  The last 'else if' check should probably read...

else if (!IsNew && !CanEditObject())

RockfordLhotka replied on Monday, July 17, 2006

I guess in my mind that scenario isn't valid - if you can't edit then you can't add :)

You can certainly adapt this to meet other requirements, that's the point really. But I don't think this is incorrect.

At a higher level, this is a great illustration of how something simple can be interpreted in different ways - with possibly major differences in functionality. I see Add as a subset of Edit, where you are seeing Add and Edit as orthogonal. The real arbiter would have to be the business decision maker (if there was one in this case), and that detail would need to become part of the use case.

I think this is why the Agile people often talk about the code being the documentation - because the idea of coming up with some meta-language for describing business requirements at this level of detail has thus far proven elusive - and yet software can't be created without this level of requirement being described by the business decision maker...

Mark replied on Monday, July 17, 2006

For ProjectTracker it might be valid, but for other projects, maybe not so much.  :-)  The fault is mainly mine -  I blindly copied and pasted that code into my business objects without analyzing the code - which is where I ran into the problem.

I have a business object that is "add-only".  Once it's created, no editing/deleting is allowed (a reversing transaction is created if it has to be "un-done").   Since I was using the de-facto code from ProjectTracker, I received a nice SecurityException during the Save() process, since the user obviously didn't have edit rights but did have add rights.

For what it's worth...
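
The difference between the two checks discussed in this thread, as an added example that is not part of any post and not ProjectTracker's own code: it walks every combination of object state and permissions and prints the ones where the posted chain and the suggested last branch disagree. The boolean parameters are assumed stand-ins for IsNew, IsDeleted and the results of CanAddObject(), CanEditObject() and CanDeleteObject().

```csharp
using System;

// Added illustration only. Each method returns the operation that would be
// refused (matching the SecurityException messages) or "ok" if Save() proceeds.
static class SaveAuthorizationDemo
{
    // The chain as posted from the ProjectTracker Project class.
    static string Original(bool isNew, bool isDeleted, bool canAdd, bool canEdit, bool canDelete)
    {
        if (isDeleted && !canDelete) return "remove";
        else if (isNew && !canAdd) return "add";
        else if (!canEdit) return "update";
        return "ok";
    }

    // Same chain with the last branch changed as suggested in the first post.
    static string Suggested(bool isNew, bool isDeleted, bool canAdd, bool canEdit, bool canDelete)
    {
        if (isDeleted && !canDelete) return "remove";
        else if (isNew && !canAdd) return "add";
        else if (!isNew && !canEdit) return "update";
        return "ok";
    }

    static void Main()
    {
        // Five booleans give 32 combinations; one bit of the counter per flag.
        for (int bits = 0; bits < 32; bits++)
        {
            bool isNew = (bits & 1) != 0, isDeleted = (bits & 2) != 0;
            bool canAdd = (bits & 4) != 0, canEdit = (bits & 8) != 0;
            bool canDelete = (bits & 16) != 0;

            string a = Original(isNew, isDeleted, canAdd, canEdit, canDelete);
            string b = Suggested(isNew, isDeleted, canAdd, canEdit, canDelete);
            if (a != b)
            {
                Console.WriteLine(
                    "IsNew={0} IsDeleted={1} CanAdd={2} CanEdit={3} CanDelete={4}: original={5}, suggested={6}",
                    isNew, isDeleted, canAdd, canEdit, canDelete, a, b);
            }
        }
    }
}
```

Every row it prints has IsNew and CanAdd true and CanEdit false, which is the add-only case described above; whether that combination should be allowed is the business decision the thread discusses.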

Copyright (c) Marimer LLC