Databases Reference
In-Depth Information
public override bool CanRead(IPrincipal user)
{
return base.CanRead(principal) && this.IsAuthorized(user, Actions.Read);
}
Implementation of the MetaTable permission methods is much shorter with the
AuthorizationAttribute than the initial implementation with hard-coded rules for multi-
ple entities within a single method. Compare the last code snippet with the one here,
which you saw earlier in this chapter:
public override bool CanRead(IPrincipal principal)
{
if (this.Name == “Products”) return true;
if (this.Name == “Categories”) return true;
return principal.IsInRole(“Employee”);
}
Of course, the code did not disappear; it simply moved from the meta model to the indi-
vidual entity classes:
[Authorization(
Allow.Roles, “Manager”,
Allow.Users, “*”, Actions.Read,
Deny.Users, “*”)]
partial class Product { ... }
Although the security system with rules applied to entities is more verbose and not as
encapsulated, it is actually easier to maintain. With the centralized, hard-coded implemen-
tation, there is always a risk of affecting rules of unrelated entities with any change you
make, and the real-world implementation of security for an entity model of decent size
would be many times bigger and more complex than what we have in this sample.
However, the more important benefit is being able to enforce it consistently across
dynamic and regular web pages as well as other applications.
Extending ObjectContext to Authorize Insert, Update, and Delete Actions
You can extend the Entity Framework ObjectContext class to take advantage of the
AuthorizationAttribute and prevent unauthorized Insert, Update, and Delete actions.
Doing so enables you to enforce the same security rules in the custom pages of your web
application that are already enforced by the dynamic pages.
Back in Chapter 8, the UnleashedObjectContext base class was introduced to perform vali-
dation at the ObjectContext level. Because authorization logic is so similar to validation,
you can use the same approach to implement it. Specifically, the authorization needs to
happen in the overridden SaveChanges method of the ObjectContext class before the
inherited implementation is called to persist the changes. Here is how this looks in the
UnleashedObjectContext class in the sample project:
 
Previous Page
Next Page
ASP.NET Dynamic Data
Search WWH ::




Custom Search
Home