CSLA .NET

Type level authorization rules

    Andy posted on Wed, Feb 11 2015 2:17 PM

    I'm looking through the code for Csla, and it seems the check for things like GetObject is done client side before the call is made to the data portal, which is good in that a remote call won't be made if the user lacks permission.

    However it doesn't look like the check is repeated on the server side. I can certainly call BusinessRules.HasPermission at the start of each DataPortal_XYZ method, but it feels like the framework should handle this. 

    Is my current understanding correct, and do I need to do the check myself in the DataPortal_XYZ methods?

    If that is correct, could we get a feature to do this automatically?

    This is Csla 4.5.601.

    Answered (Verified) Verified Answer

    Verified by Andy

    You can add a check in a custom data portal authorizer. The authorizer runs before pretty much anything else on the server, and is the location for global checks you might want to perform before allowing a user request to be processed - for example doing a server-side check of HasPermissions.

    Rocky
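
    A sketch of the server-side authorizer described in the answer above, added here as an example; it is not code from the thread or from the CSLA project. It assumes CSLA 4.x's `Csla.Server.IAuthorizeDataPortal` interface and the `CslaAuthorizationProvider` appSettings key; the namespace, class name and assembly name are hypothetical.

```csharp
using System;
using System.Security;
using Csla;
using Csla.Core;
using Csla.Rules;
using Csla.Server;

namespace MyApp.Server // hypothetical namespace
{
    // Registered in the server's appSettings (type and assembly names are hypothetical):
    //   <add key="CslaAuthorizationProvider"
    //        value="MyApp.Server.TypeRuleAuthorizer, MyApp.Server" />
    public class TypeRuleAuthorizer : IAuthorizeDataPortal
    {
        // Called by the server-side data portal before the DataPortal_XYZ method runs.
        public void Authorize(AuthorizeRequest clientRequest)
        {
            var action = MapAction(clientRequest);
            // Re-evaluate the type-level rules on the server, so a caller that
            // skips the client-side check is still refused.
            if (!BusinessRules.HasPermission(action, clientRequest.ObjectType))
                throw new SecurityException(string.Format(
                    "{0} denied on {1}", action, clientRequest.ObjectType.Name));
        }

        // Map the data portal operation to the type-level authorization action.
        private static AuthorizationActions MapAction(AuthorizeRequest request)
        {
            switch (request.Operation)
            {
                case DataPortalOperations.Create: return AuthorizationActions.CreateObject;
                case DataPortalOperations.Fetch: return AuthorizationActions.GetObject;
                case DataPortalOperations.Delete: return AuthorizationActions.DeleteObject;
                case DataPortalOperations.Execute: return AuthorizationActions.EditObject;
                case DataPortalOperations.Update:
                    // On Update the request object is the business object itself.
                    var status = request.RequestObject as ITrackStatus;
                    if (status != null && status.IsDeleted) return AuthorizationActions.DeleteObject;
                    if (status != null && status.IsNew) return AuthorizationActions.CreateObject;
                    return AuthorizationActions.EditObject;
                default:
                    // Fail closed on an operation this authorizer does not know.
                    throw new SecurityException("Unrecognized data portal operation");
            }
        }
    }
}
```

    The client-side check stays useful for avoiding a wasted remote call; the server-side check is the one that holds when the caller is not the expected client.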

    Andy replied on Thu, Feb 12 2015 7:28 AM

    Thanks Rocky, I'll go that route. 

    Is there a reason that just invoking the configured type level authorization isn't done automatically though? It seems like that would make sense as a default behavior in Csla, and if you needed something in addition, implementing a custom data portal authorizer should be the answer.
