This is regarding CSLA 3.8.3
We (my colleague and I) have a parent collection that is used to populated grids. Our child objects housed by the collection have type level authorization rules. However these rules are not being honored. The BusinessListBase is happily firing any of the Child... dataportal methods without checking the child's authorization rules. We traced as well as we can in the source and it appears that neither BLB nor the ChildDataPortal check authorization before running the child's DP methods. However, we see the DataPortal class doing these checks. We think we're missing something here. Can someone please shed some light on this?
The dataportal only fires AuthorizationChecks on the root level for performance optimization.
For Child methods you must call the methods yourself.
Copyright (c) Marimer LLC