Need to implement custom authorization rules

Need to implement custom authorization rules

Old forum URL:

breakphreak posted on Monday, July 26, 2010


Hey there - I am new to the forum and here is my first (hopefully answerable) question Geeked

Need to implement custom authorization rule(s).


Currently I know that rules can be applied during setup phase:

BusinessRules.AddRule(typeof(myClass), new IsInRole(AuthorizationActions.GetObject, new [] {"role1", "role2"}));

This approach is insufficient and less flexible then required. The rules should be probably applied during DataPortal<T>.Update() (did I missed anything from the source, please?). Any advice will be warmly welcomed.


RockfordLhotka replied on Monday, July 26, 2010

I assume you've read this post:

The AddRule() method doesn't actually run the rule - it just associates the rule with the business object type. The rules are actually applied (executed) when appropriate (such as when a property is read or changed, or an attempt is made to retrieve an object).

Per-type and per-instance rules are enforced by the data portal, so when Save() is called, the relevant authz action is checked (Create/Get/Edit/Delete) and an exception is thrown if the user isn't authorized. The various meta-state properties (like IsSavable) also check the relevant authz permission to calculate their value.

You will need to implement custom rules to do what you describe, because that goes beyond just "is the user in role X". That's fine - just create a subclass of Csla.Rules.AuthorizationRule, do your checks and return true/false as appropriate.

breakphreak replied on Monday, July 26, 2010

Thanks a lot for so quick and elaborative answer.

Copyright (c) Marimer LLC