In CSLA 3.x we had InstanceDenyRead / InstanceDenyWrite. What's the equivalent for that in CSLA 4.0?
In CSLA 4 there are only per-type rules.
But a per-instance rule is really a per-type rule that takes into account various elements of state about the current instance. And since CSLA 4 authorization rules can look at the entire object (and any other ambient state), it is quite realistic to think that you can create an authorization rule that grants/denies access based on the overall state of the object.
Then just attach that rule to your property's read or write action and you should be good to go.
What I actually meant is, what is the equivalent of the "Deny" part?
We have the CommonRules.IsInRole which is equivalent for for CSLA 3.8's "Allow", but what about "Deny" - I'm not sure whether the IsNotInRole is semantically the same.
Inside the framework there's now just a HasPermission concept, that ends up being true/false. So HasPermission(read), HasPermission(write), etc.
The IsInRole rule returns true if the user has the role. The IsNotInRole returns true if the user is not in the role.
So yes, IsNotInRole is basically a deny.
Copyright (c) Marimer LLC