    // Row-level filter for the Customer role: users in this role see only their
    // own Customer row and the Orders that belong to it.
    if (user.IsInRole("Customer"))
    {
        if (this.EntityType == typeof(Customer))
        {
            query = query.Cast<Customer>()
                .Where(customer => customer.EmailAddress == user.Identity.Name);
        }
        else if (this.EntityType == typeof(Order))
        {
            query = query.Cast<Order>()
                .Where(order => order.Customer.EmailAddress == user.Identity.Name);
        }
    }
    return query;
}
Similar to how the AuthorizationAttribute simplified the implementation of the CanRead, CanInsert, CanUpdate, and CanDelete methods, the CustomQueryAttribute makes the GetQueryable implementation shorter by pushing the entity-specific logic out of the UnleashedMetaTable class, with the same trade-off between keeping the security logic encapsulated in one place and keeping it next to the entity it protects.
Extending ObjectContext to Enforce Row-Level Security
Implementing row-level security in the ObjectContext presents the same challenge as authorization of the Read operations: there are multiple ways to query a particular table, and the Entity Framework does not currently offer extensibility points to intercept them all. Queries issued through ObjectContext.CreateQuery<T> (Entity SQL) or ExecuteStoreQuery, and entities loaded through a navigation property of another entity, never pass through the strongly typed object set properties and are therefore not filtered by them. However, you can implement limited support for row-level security by modifying the LINQ queries generated by the strongly typed object sets. Here is how to modify the implementation of the Customers object set property in the NorthwindEntities class:
public IObjectSet<Customer> Customers
{
    get
    {
        // Table-level check first: a user who may not read customers at all
        // never receives an object set.
        Authorize(typeof(Customer), Actions.Read);
        if (_Customers == null)
        {
            // Wrap the real object set so that every query built on it
            // carries the row-level filter.
            var original = base.CreateObjectSet<Customer>("Customers");
            _Customers = new FilteredObjectSet<Customer>(original);
        }
        return _Customers;
    }
}

private IObjectSet<Customer> _Customers;
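The page does not show the body of FilteredObjectSet. The following is an added example of how such a wrapper can be written against the EF4 IObjectSet<T> interface; it is not the book's own implementation. It assumes a constructor that receives the row-level predicate explicitly (the page's version is constructed from the original set alone), and the usage comment at the bottom assumes the current user comes from Thread.CurrentPrincipal.

```csharp
// Added example (not the book's FilteredObjectSet): a wrapper that applies a
// row-level predicate to an EF4 IObjectSet<T>. The predicate-taking constructor
// is an assumption; the page constructs FilteredObjectSet from the original set alone.
using System;
using System.Collections;
using System.Collections.Generic;
using System.Data.Objects;
using System.Linq;
using System.Linq.Expressions;

public class FilteredObjectSet<T> : IObjectSet<T> where T : class
{
    private readonly IObjectSet<T> _inner;
    private readonly IQueryable<T> _filtered;
    private readonly Func<T, bool> _rowCheck;

    public FilteredObjectSet(IObjectSet<T> inner, Expression<Func<T, bool>> filter)
    {
        if (inner == null) throw new ArgumentNullException("inner");
        if (filter == null) throw new ArgumentNullException("filter");
        _inner = inner;
        // Compose the predicate into the expression tree once. Every LINQ operator
        // chained onto this set builds on the filtered root, so the Where clause is
        // translated into the generated SQL instead of being applied in memory.
        _filtered = inner.Where(filter);
        // Compiled copy of the same predicate, used to check single entities on write.
        _rowCheck = filter.Compile();
    }

    // IQueryable<T>: expose the filtered expression tree together with the provider
    // of the underlying ObjectSet, so the Entity Framework still translates the query.
    public Expression Expression { get { return _filtered.Expression; } }
    public Type ElementType { get { return _filtered.ElementType; } }
    public IQueryProvider Provider { get { return _filtered.Provider; } }
    public IEnumerator<T> GetEnumerator() { return _filtered.GetEnumerator(); }
    IEnumerator IEnumerable.GetEnumerator() { return GetEnumerator(); }

    // IObjectSet<T> write operations. Filtering reads does not stop a caller from
    // attaching or deleting a row it cannot see, so the same predicate is evaluated
    // against the entity before the call reaches the real object set.
    public void AddObject(T entity) { CheckRow(entity); _inner.AddObject(entity); }
    public void Attach(T entity) { CheckRow(entity); _inner.Attach(entity); }
    public void DeleteObject(T entity) { CheckRow(entity); _inner.DeleteObject(entity); }
    public void Detach(T entity) { _inner.Detach(entity); }

    private void CheckRow(T entity)
    {
        if (entity == null) throw new ArgumentNullException("entity");
        // Evaluates the predicate in memory against the entity's current property
        // values; predicates over navigation properties (order.Customer) require
        // those properties to be loaded on the instance being checked.
        if (!_rowCheck(entity))
        {
            throw new UnauthorizedAccessException(
                "The entity lies outside the rows visible to the current user.");
        }
    }
}

// How the Customers property could build the filter for the "Customer" role
// (hypothetical; mirrors the predicate GetQueryable applies earlier on the page):
//
//   var user = System.Threading.Thread.CurrentPrincipal;
//   Expression<Func<Customer, bool>> filter = c => true;   // other roles: unfiltered
//   if (user.IsInRole("Customer"))
//   {
//       string name = user.Identity.Name;                   // captured as a constant
//       filter = c => c.EmailAddress == name;
//   }
//   _Customers = new FilteredObjectSet<Customer>(
//       base.CreateObjectSet<Customer>("Customers"), filter);
```

Two limits are worth keeping in mind. The write-side check trusts the property values on the entity the caller hands in, so it prevents accidental misuse rather than a caller that fabricates an entity with someone else's email address; the authoritative check remains the authorization logic run at SaveChanges time. And, as the text above says, only queries rooted in the wrapped property are filtered: a Customer reached through Order.Customer, through CreateQuery<T>, or through ExecuteStoreQuery bypasses the wrapper entirely.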