JonnyBee posted on Friday, February 27, 2009
Hi all,
I have a case where I want to use ObjectAuthorization rules (CanCreate, CanEdit, CanDelete) on a child object. But these object level authorization rules are never checked in the "Child" methods of the client side DataPortal:
Csla.DataPortal.CreateChild
Csla.DataPortal.FetchChild
Csla.DataPortal.DeleteChild
Is this intentional or a bug in CSLA?
Must I rely on the UI programmer to make these checks?
Remember - the EditableChild business template is like this:
    internal static EditableChild NewEditableChild()
    {
        return DataPortal.CreateChild<EditableChild>();
    }
Meaning that the DataPortal.CreateChild<EditableChild>() (which you would also use to add a new item to a grid client side - as per Rocky's post here http://forums.lhotka.net/forums/post/31048.aspx ) will NOT check object authorization rules.
Jonnybee
RockfordLhotka replied on Friday, February 27, 2009
This was a choice made for performance reasons. If you populate a list with x thousand child items, checking this permission x thousand times could be painful.
Basically I'm allowing the parent business object developer to do the per-type check if they want to.
I don't think you should rely on the UI developer to do this - but you can put the check into your object model.
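The approach described in the reply, as an added example that is not code from either poster or from the CSLA templates: the child factory enforces CanCreate itself, and the parent list checks CanGet once per type before loading any number of children. It assumes the CSLA 3.x static methods Csla.Security.AuthorizationRules.CanCreateObject and CanGetObject; EditableChildList, AddChild and the int id criteria are hypothetical names.

```csharp
using System;
using System.Collections.Generic;
using System.Security;
using Csla;

[Serializable]
public class EditableChild : BusinessBase<EditableChild>
{
    private int _id;

    internal static EditableChild NewEditableChild()
    {
        // DataPortal.CreateChild does not consult object-level rules,
        // so the object model enforces CanCreate before calling it.
        if (!Csla.Security.AuthorizationRules.CanCreateObject(typeof(EditableChild)))
            throw new SecurityException("User not authorized to add an EditableChild");
        return DataPortal.CreateChild<EditableChild>();
    }

    // No per-item check here: the parent list checks once per type.
    internal static EditableChild GetEditableChild(int id)
    {
        return DataPortal.FetchChild<EditableChild>(id);
    }

    private void Child_Fetch(int id)
    {
        _id = id;
    }
}

[Serializable]
public class EditableChildList : BusinessListBase<EditableChildList, EditableChild>
{
    // Hypothetical entry point the UI calls to add a row to a grid.
    public EditableChild AddChild()
    {
        EditableChild child = EditableChild.NewEditableChild(); // throws if denied
        Add(child);
        return child;
    }

    private void Child_Fetch(IEnumerable<int> ids)
    {
        // One check for the whole load instead of one per child item.
        if (!Csla.Security.AuthorizationRules.CanGetObject(typeof(EditableChild)))
            throw new SecurityException("User not authorized to view EditableChild items");
        foreach (int id in ids)
            Add(EditableChild.GetEditableChild(id));
    }
}
```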