CSLA .NET discussion

Re: Property/Method Authorizations are not quite dynamic enough

JonStonecash — Mon, 02 Aug 2010 19:04:57 GMT

Do I love this forum or what? Read the referenced post, agreed with the direction, but overrode the can read and can write properties, and all in time to do my demo in about 10 minutes.

Thanks.

Jon Stonecash

Re: Property/Method Authorizations are not quite dynamic enough

JonnyBee — Mon, 02 Aug 2010 18:50:36 GMT

Hi Jon,

See this discussion too: http://forums.lhotka.net/forums/t/9301.aspx?PageIndex=1

However, for now at least, you can override CanWriteProperty, CanReadProperty and CanExecuteMethod like this to make it dynamic:

    public override bool CanWriteProperty(Csla.Core.IPropertyInfo property)
    {
      // must override so that authorization rules are not cached
      return BusinessRules.HasPermission(AuthorizationActions.WriteProperty, property);
    }

    public override bool CanReadProperty(Csla.Core.IPropertyInfo property)
    {
      // must override so that authorization rules are not cached
      return BusinessRules.HasPermission(AuthorizationActions.ReadProperty, property);
    }

Property/Method Authorizations are not quite dynamic enough

JonStonecash — Mon, 02 Aug 2010 18:39:47 GMT

Rocky,

We are doing what is essentially a claims-based authorization scheme for object, object properties, and object methods. Specifically, for properties and methods, we want to allow/disallow access based upon the contents of the object. We have a set of authorization rules that determine the authorization permissions for one property based upon contents of other properties in the same object. This works just fine. We bring up an object and buttons, text boxes, and so on behave as desired.

The problem comes in those cases that we allow the user to change the contents of the object properties. We wanted to demonstrate to our client that the authorization changes when the contents of the object changes, but we ran into a problem. Csla caches the property and method authorization rules/results for each object. Under normal circumstances that increases performance, but it does get in the way of a cool demo.

Note, that if we exit the form and return, the authorization rules are applied properly. It is just when we are dynamically changing the object that we have a problem. It might be argued that the new rules should not be applied until the object is saved, but I would disagree. It might well be the case that the user is about to enter/change data that would make it impossible to change the object afterward; that would be a serious "oops".

The only time that Csla resets the cache is when the application principal changes. This seems like a hold over from a role based authorization scheme and not in keeping with a claims-based approach.

What I would like is a means to either force the cache to clear, say, with a protected method. I would not need this capability for every class and perhaps not in all circumstances.

Could we look forward to such an addition?

Jon Stonecash