I think I've found a bug in the DataPortal class when using an ObjectFactory. I'm using an older version but I've checked and it still seems to be in CSLA 4 beta too.
Anyway, the problem is that when using an object factory, and doing an update of a newly created business object, the wrong authorization permission is checked. Currently, it always checks:
even if the business object is new - i.e. it should be checking CanCreateObject(objectType)
The code is correct for the non-ObjectFactory branch, but is incorrect in the ObjectFactory branch.
Of course, this manifests itself as a user having Create but not Edit permissions being able to Create in the UI (because the function is enabled) but then encountering a security exception when they save (because they're not in the Edit role).
Thanks, that sounds like a bug.
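The behaviour reported in this thread, reduced to a self-contained sketch; this is an added example, not part of either post and not CSLA's code. `Permission`, `Order`, `SaveAuthorization` and the granted-permission set are hypothetical stand-ins for the framework's authorization calls.

```csharp
using System;
using System.Collections.Generic;

enum Permission { Create, Edit }

// Hypothetical business object; only the IsNew flag matters here.
sealed class Order
{
    public bool IsNew { get; set; }
}

static class SaveAuthorization
{
    // Behaviour the post reports for the object-factory branch:
    // every save is treated as an edit.
    public static Permission AlwaysEdit(Order obj) => Permission.Edit;

    // Behaviour the post expects: a new object needs Create, an existing one Edit.
    public static Permission ByState(Order obj) =>
        obj.IsNew ? Permission.Create : Permission.Edit;

    public static void Demand(ISet<Permission> granted, Permission required)
    {
        if (!granted.Contains(required))
            throw new UnauthorizedAccessException($"Save denied: {required} permission required.");
    }
}

static class Program
{
    static string TrySave(ISet<Permission> granted, Order obj, Func<Order, Permission> select)
    {
        try { SaveAuthorization.Demand(granted, select(obj)); return "allowed"; }
        catch (UnauthorizedAccessException ex) { return ex.Message; }
    }

    static void Main()
    {
        // Constructed sample: a user who may create orders but not edit them.
        var granted = new HashSet<Permission> { Permission.Create };
        var fresh = new Order { IsNew = true };
        var stored = new Order { IsNew = false };

        Console.WriteLine("new, always-edit : " + TrySave(granted, fresh, SaveAuthorization.AlwaysEdit));
        Console.WriteLine("new, by state    : " + TrySave(granted, fresh, SaveAuthorization.ByState));
        Console.WriteLine("saved, by state  : " + TrySave(granted, stored, SaveAuthorization.ByState));
    }
}
```

The third case shows that selecting by state does not loosen anything: saving an already-stored object still requires Edit.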
Copyright (c) Marimer LLC