AddObjectAuthorizationRules - bug/discrepancy
AddObjectAuthorizationRules - bug/discrepancyOld forum URL: forums.lhotka.net/forums/t/6523.aspx
JonnyBee posted on Friday, February 27, 2009
I have a case where I want to use ObjectAuthorization rules (CanCreate, CanEdit, CanDelete) on a child object. But these object level authorization rules are never checked in the "Child" methods of the client side DataPortal:
Is this intentional or a bug in CSLA?
Must I rely on the UI programmer to make these checks?
Remember - the EditableChild business template is like this:
internal static EditableChild NewEditableChild()
Meaning that the DataPortal.CreateChild<EditableChild>() (which you would also use to add a new item to a grid clientside - as per Rockys post her http://forums.lhotka.net/forums/post/31048.aspx
) will NOT check object authorization rules.
RockfordLhotka replied on Friday, February 27, 2009
This was a choice made for performance reasons. If you populate a list with x thousand child items, checking this permission x thousand times could be painful.
Basically I'm allowing the parent business object developer to do the per-type check if they want to.
I don't think you should rely on the UI developer to do this - but you can put the check into your object model.
Copyright (c) Marimer LLC