CSLA 4 Authorization

CSLA 4 Authorization

Old forum URL: forums.lhotka.net/forums/t/9436.aspx

Turntwo posted on Thursday, August 26, 2010

The blog post on CSLA Authorization (http://www.lhotka.net/weblog/CSLA4AuthorizationRules.aspx) seems to say that all Authorization rules should be setup in AddBusinessRules.  However looking into the AuthorizationRulesManager, it is still calling AddObjectAuthorizationRules.  I've removed this method from my classes and put all the rules into AddBusinessRules - do I need to put the AddObjectAuthorizationRules method back in?

RockfordLhotka replied on Thursday, August 26, 2010

There are two types of rule - rules that apply at the type level and rules that apply to instances of your object.

Rules that apply at the type level must be defined before any instance of the type is created. That means they must be associated with the type in some static method - and that method is AddObjectAuthorizationRules(). Rules that go here are the create/get/edit/delete permissions at a type level.

Rules that apply to instances of your object are associated with the type in AddBusinessRules() - which is invoked exactly once per AppDomain per type, but is only invoked as you create the first instance of the type (which is too late for the per-type rules).

Turntwo replied on Thursday, August 26, 2010

OK, that makes sense and is consistent with CSLA prior to version 4, but wasn't clear in the blog entry.  No problem easy to fix. 

However, I've encountered another problem - RuleSets and Authorization Rules.  You can set Authorization Rules with a RuleSet specified, however when the Rules are evaluated the RuleSet is ignored (HasPermission bypasses the TypeAuthRules property and uses AuthorizationRulesManager directly, without including the RuleSet). 

I was trying to use RuleSets because I store authorization information in the database, but my application allows the user to switch databases (at which point the rules may change) - I thought RuleSets could maybe be the answer (each RuleSet corresponding to the database connection).  However, I'm getting no rules being processed because the RuleSets are ignored.

I'm going to try updating the HasPermission methods to use the TypeAuthRules property and see if it works then.  I'll post the results in a bit.

Turntwo replied on Thursday, August 26, 2010

Verified that using TypeAuthRules works for Property/Method access checks, as long as I load them in AddObjectAuthorizationRules - I don't load the rules for the new database until that database is accessed, and AddBusinessRules doesn't get re-run when the RuleSet changes - whereas AddObjectAuthorizationRules gets rerun if the RuleSet rules aren't already loaded. 

However, The Object Rules don't respect the RuleSet - HasPermission method for Type rules (Create, Get, Edit, Delete) is static, so BusinessRules can't access the RuleSet property.  I could possibly pull the BusinessRules object and corresponding RuleSet off the object passed, but at least for Create this will be null. So even though you can set a RuleSet on these rules, any RuleSet rules will be ignored.  Am I missing a way to set the current RuleSet globally?

This makes the 1st paragraph actually seem to be backwards - rules that don't respect the RuleSet get loaded on demand per RuleSet, and the rules that will respect the RuleSet are supposed to be loaded in AddBusinessRules - which would require loading all the rules for all rulesets at once - even though those are the instance rules?  (or maybe I'm just backwards - since I may not be using the RuleSet as it was intended). 

Hopefully this makes sense - its been a long day.


Copyright (c) Marimer LLC