the GetQueryable method of the UnleashedMetaTable class associated with the page. The
same code samples are not repeated here; you can find the complete details in the sample
project accompanying this topic.
NOTE
The page in Figure 14.9 does not display the grid columns and filters for the Employee
foreign key column of the Orders table. This is a result of the entity-level authorization
rules implemented by overriding the CanRead method of the MetaTable class
discussed earlier. In this example, the CanRead method allows reading Employee entity
information only to users in the Employee role. Combined with the row-level filtering
just implemented, the entity- and action-level authorization gives you the ability to
create a search page that is both dynamic and secure at the same time.
Security Annotations
To recap what has been discussed so far in this chapter, Dynamic Data offers two major
methods for implementing security. With Web configuration, you can define authorization
rules on a per-entity and per-action basis and reject users who do not have appropriate
permissions to access dynamically generated pages. You can also extend the Dynamic Data
metadata API by overriding the available CanRead, CanInsert, CanUpdate, CanDelete, and
GetQuery methods. Unlike the web configuration alone, extending the meta model not
only prevents unauthorized access, but also performs UI trimming and hides information
and commands the users are not authorized to see.
Extending the metadata is clearly a superior way to implement security in Dynamic Data
web applications. However, real-world applications usually have a substantial number of
non-dynamic pages, implemented with ASP.NET WebForms or MVC. Any authorization
rules hard-coded into the custom CanRead, GetQuery, and other methods of the MetaTable
class are not useful to the rest of the application. On the other hand, implementing
authorization with web configuration does not allow you to take full advantage of the
Dynamic Data framework and pushes you toward developing custom pages much earlier than
you might want.
This tradeoff is not unique to security. You face a similar dilemma when implementing
business rules; you can solve this problem with the help of data annotations, general-purpose
.NET attributes that can be used by any presentation layer. As you recall from the
discussion in Chapter 8, "Implementing Entity Validation," Dynamic Data makes heavy
use of validation and other attributes in the System.ComponentModel.DataAnnotations
namespace. The MVC framework supports the validation attributes as well, and by using
them, you can implement business rules in a way that works with both. Moreover, by
extending the Entity Framework's ObjectContext (the NorthwindEntities class in this example),
you can extend these benefits to all applications that might need to access the Northwind
database.
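The following C# example is added here to illustrate the approach just described; it is not code from the book's sample project. It shows one way to express entity- and action-level authorization as an attribute on a metadata ("buddy") class, so that the same rule can be consumed by a custom MetaTable in Dynamic Data and by an MVC action filter. The EntityPermissionAttribute, the EntityPermissions helper, the EmployeeMetadata buddy class, the role names, and the AuthorizeEntityAttribute filter are all assumptions made for this example; only MetaTable, MetaModel, MetadataTypeAttribute, and the CanRead/CanInsert/CanUpdate/CanDelete overrides come from the framework.

```csharp
using System;
using System.ComponentModel.DataAnnotations;
using System.Linq;
using System.Security.Principal;
using System.Web.DynamicData;
using System.Web.DynamicData.ModelProviders;
using System.Web.Mvc;

// Hypothetical attribute (not part of System.ComponentModel.DataAnnotations):
// names the roles allowed to perform one action ("Read", "Insert", "Update", "Delete")
// on the entity type it decorates.
[AttributeUsage(AttributeTargets.Class, AllowMultiple = true)]
public sealed class EntityPermissionAttribute : Attribute
{
    public EntityPermissionAttribute(string action, string roles)
    {
        Action = action;
        Roles = roles.Split(',').Select(r => r.Trim()).ToArray();
    }
    public string Action { get; private set; }
    public string[] Roles { get; private set; }
}

// Presentation-neutral evaluation of the annotations. It reads the attributes from the
// entity type itself and from its MetadataType buddy class, so it works regardless of
// whether a TypeDescriptionProvider has been registered for the entity.
public static class EntityPermissions
{
    public static bool IsAllowed(Type entityType, string action, IPrincipal user)
    {
        var buddy = entityType.GetCustomAttributes(typeof(MetadataTypeAttribute), true)
                              .Cast<MetadataTypeAttribute>()
                              .Select(a => a.MetadataClassType);
        var rules = new[] { entityType }.Concat(buddy)
            .SelectMany(t => t.GetCustomAttributes(typeof(EntityPermissionAttribute), true))
            .Cast<EntityPermissionAttribute>()
            .Where(p => string.Equals(p.Action, action, StringComparison.OrdinalIgnoreCase))
            .ToList();

        // No annotation for this action: defer to the caller's default (the MetaTable
        // base implementation, which allows the action). Change to "return false" for a
        // deny-by-default policy.
        if (rules.Count == 0) return true;

        return user != null && user.Identity.IsAuthenticated
            && rules.Any(p => p.Roles.Any(user.IsInRole));
    }
}

// Buddy class for the Northwind Employee entity (assumed partial class name),
// attached exactly as validation attributes are in Chapter 8.
[MetadataType(typeof(EmployeeMetadata))]
public partial class Employee { }

[EntityPermission("Read", "Employee, Manager")]
[EntityPermission("Insert", "Manager")]
[EntityPermission("Update", "Manager")]
[EntityPermission("Delete", "Manager")]
public class EmployeeMetadata { }

// Dynamic Data side: a MetaModel that produces our MetaTable, whose Can* overrides
// consult the annotations. This is what trims grid columns, filters, and commands.
public class UnleashedMetaModel : MetaModel
{
    protected override MetaTable CreateTable(TableProvider provider)
    {
        return new UnleashedMetaTable(this, provider);
    }
}

public class UnleashedMetaTable : MetaTable
{
    public UnleashedMetaTable(MetaModel model, TableProvider provider) : base(model, provider) { }

    public override bool CanRead(IPrincipal principal)
    {
        return EntityPermissions.IsAllowed(EntityType, "Read", principal) && base.CanRead(principal);
    }
    public override bool CanInsert(IPrincipal principal)
    {
        return EntityPermissions.IsAllowed(EntityType, "Insert", principal) && base.CanInsert(principal);
    }
    public override bool CanUpdate(IPrincipal principal)
    {
        return EntityPermissions.IsAllowed(EntityType, "Update", principal) && base.CanUpdate(principal);
    }
    public override bool CanDelete(IPrincipal principal)
    {
        return EntityPermissions.IsAllowed(EntityType, "Delete", principal) && base.CanDelete(principal);
    }
}

// MVC side: the same annotation enforced on a hand-written controller action, e.g.
// [AuthorizeEntity(typeof(Employee), "Update")] public ActionResult Edit(int id) { ... }
public sealed class AuthorizeEntityAttribute : AuthorizeAttribute
{
    private readonly Type _entityType;
    private readonly string _action;

    public AuthorizeEntityAttribute(Type entityType, string action)
    {
        _entityType = entityType;
        _action = action;
    }

    protected override bool AuthorizeCore(System.Web.HttpContextBase httpContext)
    {
        return base.AuthorizeCore(httpContext)
            && EntityPermissions.IsAllowed(_entityType, _action, httpContext.User);
    }
}
```

The CanRead, CanInsert, CanUpdate, and CanDelete overrides combine the annotation check with the base result so that any authorization rules declared in Web configuration still apply; the MetaTable only ever becomes more restrictive, never less. The helper treats a missing annotation as "allowed" to match the default MetaTable behavior described above; an application that prefers to fail closed should return false there and annotate every entity explicitly.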