AddObjectAuthorizationRules - bug/discrepancy

AddObjectAuthorizationRules - bug/discrepancy

Old forum URL:

JonnyBee posted on Friday, February 27, 2009

Hi all,

I have a case where I want to use ObjectAuthorization rules (CanCreate, CanEdit, CanDelete) on a child object. But these object level authorization rules are never checked in the "Child" methods of the client side DataPortal:
Is this intentional or a bug in CSLA?

Must I rely on the UI programmer to make these checks?

Remember - the EditableChild business template is like this:
    internal static EditableChild NewEditableChild()
      return DataPortal.CreateChild<EditableChild>();

Meaning that the DataPortal.CreateChild<EditableChild>() (which you would also use to add a new item to a grid clientside -  as per Rockys post her ) will NOT check object authorization rules.


RockfordLhotka replied on Friday, February 27, 2009

This was a choice made for performance reasons. If you populate a list with x thousand child items, checking this permission x thousand times could be painful.

Basically I'm allowing the parent business object developer to do the per-type check if they want to.

I don't think you should rely on the UI developer to do this - but you can put the check into your object model.

Copyright (c) Marimer LLC