Authorization Rules Best practice

Old forum URL: forums.lhotka.net/forums/t/7150.aspx


Slayer posted on Tuesday, June 23, 2009

Hi

I have been using the authorization rules at method and property level. I have a USER editable object. Users with a restricted role cannot WRITE the USER object's permission property. So when the UI invokes CanWriteProperty('Permission'), it will return false. This is awesome.

Currently I have a business rule -> When the administrator consumes the USER object he is able to change permissions, right, but if the USER object being edited is his own, then he may not change the permission. Currently, my object will allow the ADMIN user to change his permission from 'administrator' to 'restricted', but then the object would become invalid. How will I be able to notify the UI to disable that control?

My question :

SHOULD I REMOVE THIS BUSINESS RULE, AND RATHER ADD IT TO THE AUTHORIZATION RULES? This will cause the UI to disable the permission control for the administrator as well.

RockfordLhotka replied on Tuesday, June 23, 2009

You might consider overriding CanWriteProperty() in that business class, and adding code there to implement this custom authz rule.
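As an added illustration of the override suggested above (example code written for this page, not code from the original thread or from the CSLA framework itself), the following business class keeps the existing role-based rule for the `Permission` property and layers the "cannot change your own permission" check on top of it by overriding `CanWriteProperty`. Because CSLA's data-binding helpers call `CanWriteProperty` to decide whether a control is enabled, the UI is disabled for the administrator's own record without any business-rule violation. The class name `User`, the property names `UserName` and `Permission`, and the role name `"Administrator"` are assumptions; the `RegisterProperty`/`AuthorizationRules.AllowWrite` calls are written against the CSLA .NET 3.x API that was current at the time of the thread.

```csharp
using System;
using Csla;

/// <summary>
/// Assumed editable business object for a user account (example, not from the page).
/// </summary>
[Serializable]
public class User : BusinessBase<User>
{
    // CSLA 3.x-style managed property registration (assumed names).
    private static PropertyInfo<string> UserNameProperty =
        RegisterProperty<string>(typeof(User), new PropertyInfo<string>("UserName"));
    public string UserName
    {
        get { return GetProperty(UserNameProperty); }
        set { SetProperty(UserNameProperty, value); }
    }

    private static PropertyInfo<string> PermissionProperty =
        RegisterProperty<string>(typeof(User), new PropertyInfo<string>("Permission"));
    public string Permission
    {
        get { return GetProperty(PermissionProperty); }
        set { SetProperty(PermissionProperty, value); }
    }

    /// <summary>
    /// Declarative, role-based rule: only the "Administrator" role (assumed name)
    /// may write Permission. Restricted users are denied here, exactly as in the
    /// poster's current setup.
    /// </summary>
    protected override void AddAuthorizationRules()
    {
        AuthorizationRules.AllowWrite(PermissionProperty.Name, "Administrator");
    }

    /// <summary>
    /// Custom authorization rule layered on top of the declarative rules:
    /// nobody, administrators included, may change the Permission of the
    /// user record that represents their own account.
    /// </summary>
    public override bool CanWriteProperty(string propertyName)
    {
        // Always respect the declarative rules first; if they already deny the
        // write there is nothing more to decide.
        if (!base.CanWriteProperty(propertyName))
            return false;

        if (string.Equals(propertyName, PermissionProperty.Name, StringComparison.Ordinal))
        {
            // Compare the record being edited with the authenticated principal.
            // The comparison is on the identity name, which is what the poster's
            // scenario describes ("the USER object being edited is his own").
            var current = ApplicationContext.User;
            bool isSelf = current != null
                       && current.Identity != null
                       && current.Identity.IsAuthenticated
                       && string.Equals(current.Identity.Name,
                                        ReadProperty(UserNameProperty),
                                        StringComparison.OrdinalIgnoreCase);
            if (isSelf)
                return false;   // UI binding sees false and disables the control
        }

        return true;
    }
}
```

Note that `ReadProperty` is used inside the override rather than the `UserName` getter so that the self-check does not itself trigger a `CanReadProperty` authorization check. Keeping the role rule in `AddAuthorizationRules` and only the self-edit exception in the override means the two concerns stay visible and testable separately, and the object never reaches the invalid "administrator demoted himself" state the poster describes.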

Copyright (c) Marimer LLC