AddObjectAuthorizationRules - bug/discrepancy

AddObjectAuthorizationRules - bug/discrepancy

Old forum URL: forums.lhotka.net/forums/t/6523.aspx


JonnyBee posted on Friday, February 27, 2009

Hi all,

I have a case where I want to use ObjectAuthorization rules (CanCreate, CanEdit, CanDelete) on a child object. But these object level authorization rules are never checked in the "Child" methods of the client side DataPortal:
 Csla.DataPortal.CreateChild
 Csla.DataPortal.FetchChild
 Csla.DataPortal.DeleteChild
 
Is this intentional or a bug in CSLA?

Must I rely on the UI programmer to make these checks?

Remember - the EditableChild business template is like this:
    internal static EditableChild NewEditableChild()
    {
      return DataPortal.CreateChild<EditableChild>();
    }

Meaning that the DataPortal.CreateChild<EditableChild>() (which you would also use to add a new item to a grid clientside -  as per Rockys post her http://forums.lhotka.net/forums/post/31048.aspx ) will NOT check object authorization rules.

Jonnybee

RockfordLhotka replied on Friday, February 27, 2009

This was a choice made for performance reasons. If you populate a list with x thousand child items, checking this permission x thousand times could be painful.

Basically I'm allowing the parent business object developer to do the per-type check if they want to.

I don't think you should rely on the UI developer to do this - but you can put the check into your object model.

Copyright (c) Marimer LLC