Type level AuthorizationRules and Child Objects

Type level AuthorizationRules and Child Objects

Old forum URL: forums.lhotka.net/forums/t/9571.aspx

cmasters posted on Friday, September 24, 2010

This is regarding CSLA 3.8.3

We (my colleague and I)  have a parent collection that is used to populated grids. Our child objects housed by the collection have type level authorization rules. However these rules are not being honored. The BusinessListBase is happily firing any of the Child... dataportal methods without checking the child's authorization rules. We traced as well as we can in the source and it appears that neither BLB nor the ChildDataPortal check authorization before running the child's DP methods. However, we see the DataPortal class doing these checks. We think we're missing something here. Can someone please shed some light on this?




JonnyBee replied on Friday, September 24, 2010

The dataportal only fires AuthorizationChecks on the root level for performance optimization.

For Child methods you must call the methods yourself.

Copyright (c) Marimer LLC