I have a MyEditableRoot that contains a MyEditableChildCollection made of MyEditableChildItem like this:
In the "protected static void AddObjectAuthorizationRules()" I set different authorization roles.
1) I noticed AddObjectAuthorizationRules isn't executed for MyEditableChildCollection.
2) No matter what role I specify like this
BusinessRules.AddRule(typeof(MyEditableChildItem), new IsInRole(AuthorizationActions.GetObject, "sklbz"));
I can see each and every item of the collection.
I have strong suspicions this is my fault: I should be checking authorization in factory get method.
The point is: when/where does CSLA.NET check for object level authorization? Only on root objects?
I think the answer is "when the data portal is invoked." Now, I don't know if that also includes the child data portal or not, but I would be suprised if it didn't.
Copyright (c) Marimer LLC