Hi, I've always wondered if this approach works if the "Documents" property is updatable. My intuition tells me that if a user for whom the securityFilter returns a subset of the actual records clears the Documents collection, then all previous documents (even those that were filtered out) are going to be deleted. Is this so or is there some magic that only deletes the "right" documents?
On Thu, Jan 9, 2014 at 3:56 PM, Pete Appleton <[email protected]> wrote:

> I've done this by using an NHibernate filter based on the username; for example:
>
> <set inverse="true" name="Documents">
>   <key>
>     <column name="FolderID" />
>   </key>
>   <one-to-many class="Document" />
>   <filter name="securityFilter" condition="DocumentId in (select DocumentId from ... where UserName = :userName)" />
> </set>
>
> We then simply enable the filter at the point of opening an ISession (in our case, it's done by a Castle Windsor facility). The nice thing about this is that it's completely transparent to everything other than (1) the mappings and (2) the session creation, as well as being extremely simple to use.
>
> /Pete
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Patrick Doran
> *Sent:* 08 January 2014 22:16
> *To:* [email protected]
> *Subject:* [nhusers] Suggestions on implementing entity level security
>
> I have done some research on this topic, on this board and just searching around google. Let me explain what I'd like to try to do first:
>
> 1) Based on the requesting user prevent the loading of any entity that user doesn't have access to.
> 2) We would rather implement this at a layer lower than say a repository as those implementing new repository methods and applying:
>    Session.Get, Session.Query, Session.QueryOver or Session.CreateCriteria shouldn't need to apply the security filtering logic.
> 3) Want to prevent the loading of an entity that a user doesn't have access to even if it is associated with an entity they do have access to IE:
>
> A user has access to a folder, that folder is a list of documents. One of the documents they are explicitly denied access to. The expectation is that the domain object "folder" would have the Documents collection minus the item restricted.
>
> We have looked at using the ILoadEventListeners OnLoad and this seems to work with the basic case of, essentially null out the entity in the event data, however we do some projections with linq to nhibernate, and as far as I can tell there isn't any events to hook in to here. I am willing to work around these cases, if the event method is a tenable solution. One of the devs on my team looked at rhino security and wasn't sure it would accomplish what we want to do. Before I dive in to Rhino Security I wanted to see if anyone had any solutions, either via libraries or implementation suggestions. I appreciate any help.
>
> -Patrick
>
> --
> You received this message because you are subscribed to the Google Groups "nhusers" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To post to this group, send email to [email protected].
> Visit this group at http://groups.google.com/group/nhusers.
> For more options, visit https://groups.google.com/groups/opt_out.
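
The step Pete describes, enabling securityFilter at the point where the ISession is opened, written out as an added example that is not part of the thread or of anyone's project code. The class name FilteredSessionOpener and its two methods are hypothetical; the filter name and the userName parameter are the ones in the quoted mapping, and the filter-def shown in the comment is the declaration NHibernate needs for that parameter.

```csharp
using System;
using NHibernate;

// Added illustration; FilteredSessionOpener is a hypothetical name.
// Besides the <filter> element on the collection, the mapping must declare
// the filter and its parameter once, for example:
//   <filter-def name="securityFilter">
//     <filter-param name="userName" type="String" />
//   </filter-def>
public sealed class FilteredSessionOpener
{
    private const string FilterName = "securityFilter";
    private const string UserParam = "userName";
    private readonly ISessionFactory _factory;

    public FilteredSessionOpener(ISessionFactory factory)
    {
        _factory = factory ?? throw new ArgumentNullException(nameof(factory));
    }

    // Returns a session that already has the security filter bound to the caller.
    public ISession OpenFor(string userName)
    {
        // Fail closed: never hand out an unfiltered session for an unknown user.
        if (string.IsNullOrWhiteSpace(userName))
            throw new ArgumentException("An authenticated user name is required.", nameof(userName));

        ISession session = _factory.OpenSession();
        try
        {
            session.EnableFilter(FilterName)
                   .SetParameter(UserParam, userName)
                   .Validate();   // throws if a declared parameter was left unset
            return session;
        }
        catch
        {
            session.Dispose();    // do not leak a half-configured session
            throw;
        }
    }

    // Guard for code that receives a session it did not open itself.
    public static void RequireFilter(ISession session)
    {
        if (session.GetEnabledFilter(FilterName) == null)
            throw new InvalidOperationException("securityFilter is not enabled on this session.");
    }
}
```

Enabled filters are applied to queries and to collections mapped with a filter element; a lookup by identifier through Session.Get does not go through them, so that path needs its own access check.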
