User Control Security

Old forum URL: forums.lhotka.net/forums/t/8013.aspx


Wbmstrmjb posted on Wednesday, November 18, 2009

What is the standard (if there is one) for implementing security in the UI when the security is different for a child than a parent?

Say you have a root BO that is Car and child list that is Wheels. You can delete Wheels, but not Cars. The statics on the root BO (Car) for CanGet, CanAdd, CanEdit, CanDelete are all applicable to Car, but Wheels has its own rules.

Our current extended controls look at the BO assigned to it and then using reflection call CanXYZ for whatever it is trying to determine. In this case, we need the child grid to allow Delete even though the root's CanDelete is false.

Do you add the "Can" statics to the child list? Is that acceptable or is there another way to do this that is cleaner?

Thanks,
Mike

ajj3085 replied on Thursday, November 19, 2009

Usually I set AllowRemove on the child collection, based on security.  But technically any code can set this to true, so I also override RemoveItem and do the security check there.

I've added the CanXYZ properties to both the child list and the child itself. I think now I prefer it on the child itself, since it makes more sense to ask the child if you can delete it than ask the list... but you'll still have the list asking the child type in RemoveItem though.

This area isn't as clean as I would like, so I too would like to hear what the best option is.
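
The pattern described in the reply above, as an added example that is not part of the original thread or of the framework's own code: `AllowRemove` is treated as a UI hint, and the authorization check is enforced again in `RemoveItem`. It assumes a plain `System.ComponentModel.BindingList<T>` in place of the framework's list base class; `Wheel`, `Wheels`, `CanDeleteObject` and the `Mechanic` role are hypothetical names.

```csharp
using System;
using System.ComponentModel;
using System.Security;
using System.Security.Principal;
using System.Threading;

// Hypothetical child object; the static check lives on the child type itself.
public class Wheel
{
    public const string DeleteRole = "Mechanic"; // assumed role name
    public static bool CanDeleteObject()
    {
        IPrincipal user = Thread.CurrentPrincipal;
        return user != null && user.IsInRole(DeleteRole);
    }
}

// Hypothetical child list; BindingList<T> stands in for the framework list base (assumption).
public class Wheels : BindingList<Wheel>
{
    public Wheels()
    {
        // UI hint only: bound grids read this to enable or disable their delete action.
        AllowRemove = Wheel.CanDeleteObject();
    }
    protected override void RemoveItem(int index)
    {
        // Enforcement: any caller can set AllowRemove to true, so ask the child type again here.
        if (!Wheel.CanDeleteObject())
            throw new SecurityException("User is not authorized to remove Wheel objects.");
        base.RemoveItem(index);
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed principals for the demonstration.
        Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity("guest"), new string[0]);
        var wheels = new Wheels();
        wheels.AllowRemove = true;   // a caller overriding the UI hint
        wheels.Add(new Wheel());
        try { wheels.RemoveAt(0); } catch (SecurityException ex) { Console.WriteLine("Blocked: " + ex.Message); }
        Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity("mike"), new[] { Wheel.DeleteRole });
        wheels.RemoveAt(0);          // authorized principal: removal goes through
        Console.WriteLine("Remaining: " + wheels.Count);
    }
}
```

The root object's own delete permission is never consulted here, so a child grid bound to `Wheels` can allow delete while the root's stays false.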

Copyright (c) Marimer LLC