By defining authorization rules and row-level security as data annotation attributes applied
to entity classes, you can implement a security system that is independent of the specific
presentation framework and equally useful in Dynamic Data as well as traditional web
pages of the application. Although no built-in attributes enable you to accomplish this
task, creating custom attributes is not difficult. In this section, you learn about two custom
attributes from the sample solution that comes with this topic—AuthorizationAttribute
and CustomQueryAttribute—and how the Dynamic Data and Entity Framework can be
extended to take advantage of them.
NOTE
The accompanying sample solution illustrates the security annotations discussed here
to implement different levels of access to the Northwind Traders website. You might
want to refer to the running application while reading this section.
The web application uses Forms authentication and defines three roles the users might
have: Customer, Employee, and Manager. Visitors can log in by clicking the “Login” link
in the upper-right corner of any web page. The login page lists several sample user
accounts that can be used to access the application in different roles.
Unauthenticated site visitors can only see the “product catalog”—the dynamic web
pages for the Product and Category entities. They cannot insert, update, or delete any
entities. This is implemented by applying the AuthorizationAttribute to every entity class
in the model and denying anonymous access to all entities with the exception of
Product and Category. Only these two entity classes allow the Read action for all users.
When logged in, the users in the Customer role can see not only the product catalog,
but also their past orders and profile information—the Order and Customer entities.
The CustomQueryAttribute is used with both of these entities to implement row-level
security. Even though the Northwind Traders application assigns an employee to each
order, customers cannot access this information because they have no read access to
the Employee entity. Customers cannot modify any information.
Users in the Employee role can read all entities in the model; however, they can only
change the Customer, Order, and Order_Detail entities. Only the users in the Manager
role can perform all actions—Read, Insert, Update, and Delete for all entities in the
model.
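The following is an added example, not code from the book's Unleashed.DataAnnotations project, showing one way the access matrix just described can be expressed as class-level annotations and then enforced. The attribute shapes (an `AuthorizationAttribute` taking a `DataAction` flag set and a list of roles, a `CustomQueryAttribute` naming a static filter method), the `Authorizer` helper, the `AllUsers` wildcard, and the assumption that a customer's login name equals the `CustomerID` column are all assumptions made for this illustration; the sample solution's real types may differ. The important properties are that the check is default-deny (an entity with no matching rule is inaccessible) and that row-level filtering is applied to the query before any rows leave the data layer.

```csharp
using System;
using System.Linq;
using System.Reflection;
using System.Security.Principal;

// Hypothetical shapes for this example; not the sample solution's real attributes.
[Flags]
public enum DataAction { None = 0, Read = 1, Insert = 2, Update = 4, Delete = 8, All = 15 }

[AttributeUsage(AttributeTargets.Class, AllowMultiple = true)]
public sealed class AuthorizationAttribute : Attribute
{
    public const string AllUsers = "*";          // matches anonymous visitors too
    public DataAction Actions { get; }
    public string[] Roles { get; }
    public AuthorizationAttribute(DataAction actions, params string[] roles)
    { Actions = actions; Roles = roles; }
}

// Names a public static method Filter(IQueryable<T>, IPrincipal) on the entity class.
[AttributeUsage(AttributeTargets.Class)]
public sealed class CustomQueryAttribute : Attribute
{
    public string MethodName { get; }
    public CustomQueryAttribute(string methodName) { MethodName = methodName; }
}

// Product: everyone (including anonymous) may read; only Manager may change.
[Authorization(DataAction.Read, AuthorizationAttribute.AllUsers)]
[Authorization(DataAction.Insert | DataAction.Update | DataAction.Delete, "Manager")]
public class Product { public int ProductID; public string ProductName; }

// Employee: staff may read; only Manager may change. Customers have no rule, so they are denied.
[Authorization(DataAction.Read, "Employee", "Manager")]
[Authorization(DataAction.Insert | DataAction.Update | DataAction.Delete, "Manager")]
public class Employee { public int EmployeeID; public string LastName; }

// Order: customers, employees and managers may read; employees and managers may change.
// The CustomQuery attribute adds row-level security on top of the entity-level rule.
[Authorization(DataAction.Read, "Customer", "Employee", "Manager")]
[Authorization(DataAction.Insert | DataAction.Update | DataAction.Delete, "Employee", "Manager")]
[CustomQuery("ForUser")]
public class Order
{
    public int OrderID; public string CustomerID; public int EmployeeID;

    public static IQueryable<Order> ForUser(IQueryable<Order> orders, IPrincipal user)
    {
        if (user.IsInRole("Employee") || user.IsInRole("Manager")) return orders;   // staff see all rows
        if (user.IsInRole("Customer"))
            return orders.Where(o => o.CustomerID == user.Identity.Name);           // assumption: login name == CustomerID
        return orders.Where(o => false);                                             // anonymous: no rows
    }
}

public static class Authorizer
{
    // Default deny: true only if some rule on the entity class grants every requested action to one of the user's roles.
    public static bool IsAllowed(IPrincipal user, Type entityType, DataAction action)
    {
        var rules = entityType.GetCustomAttributes(typeof(AuthorizationAttribute), true).Cast<AuthorizationAttribute>();
        return rules.Any(r => (r.Actions & action) == action
                           && r.Roles.Any(role => role == AuthorizationAttribute.AllUsers || user.IsInRole(role)));
    }

    // Applies the entity's row filter, if any, so callers never see rows the user may not read.
    public static IQueryable<T> ApplyRowFilter<T>(IQueryable<T> query, IPrincipal user)
    {
        var attr = (CustomQueryAttribute)Attribute.GetCustomAttribute(typeof(T), typeof(CustomQueryAttribute));
        if (attr == null) return query;
        var method = typeof(T).GetMethod(attr.MethodName, BindingFlags.Public | BindingFlags.Static);
        if (method == null) throw new InvalidOperationException(typeof(T).Name + " has no static method " + attr.MethodName);
        return (IQueryable<T>)method.Invoke(null, new object[] { query, user });
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed principals: an anonymous visitor, a customer, and an employee.
        IPrincipal anonymous = new GenericPrincipal(new GenericIdentity(""), new string[0]);
        IPrincipal alfki = new GenericPrincipal(new GenericIdentity("ALFKI"), new[] { "Customer" });
        IPrincipal clerk = new GenericPrincipal(new GenericIdentity("nancy"), new[] { "Employee" });

        Console.WriteLine(Authorizer.IsAllowed(anonymous, typeof(Product), DataAction.Read));    // True
        Console.WriteLine(Authorizer.IsAllowed(anonymous, typeof(Product), DataAction.Update));  // False
        Console.WriteLine(Authorizer.IsAllowed(alfki, typeof(Employee), DataAction.Read));       // False (no rule for Customer)
        Console.WriteLine(Authorizer.IsAllowed(clerk, typeof(Order), DataAction.Update));        // True
        Console.WriteLine(Authorizer.IsAllowed(clerk, typeof(Employee), DataAction.Delete));     // False

        // Constructed sample rows: two orders belonging to different customers.
        var orders = new[] {
            new Order { OrderID = 10248, CustomerID = "ALFKI", EmployeeID = 5 },
            new Order { OrderID = 10249, CustomerID = "ANATR", EmployeeID = 6 } }.AsQueryable();
        Console.WriteLine(Authorizer.ApplyRowFilter(orders, alfki).Count());   // 1: only ALFKI's order
        Console.WriteLine(Authorizer.ApplyRowFilter(orders, clerk).Count());   // 2: staff see everything
    }
}
```

Note that `ApplyRowFilter` looks up the filter method by the name carried in the attribute; a misspelled name surfaces as an exception at first use rather than silently returning an unfiltered query, which is the failure mode to avoid in a row-level security layer.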
AuthorizationAttribute
AuthorizationAttribute is a custom .NET attribute you find in the
Unleashed.DataAnnotations project of the sample solution accompanying this topic. It
enables you to define authorization rules for a given entity class or its actions similar to
how you would normally do it in the web configuration file. As you recall from the earlier
discussion in this chapter, here is how to configure security to allow only users in Manager
or Employee roles to access the dynamic Suppliers pages in the sample application: