Hey all,
I'm looking for a way to get at the value of the parameter of a method
call from a custom attribute.
    [RequiresJobRole(JobRole.site_data_entry)]
    public void GetPerson(int personId)
    {
        // Do stuff if authorised
    }
Then in the attribute
    protected override AuthorizationResult IsAuthorized(IPrincipal principal,
                                                        AuthorizationContext authorizationContext)
    {
        // For inserts and updates I can check the entity being operated on
        // via something like this
        var person = authorizationContext.Instance as PersonalDetails;

        // But it's null if I'm doing a query / read.
        // What I want here: get the int personId the method was called with
        // and check they have access. Is this even possible?
        bool hasPermission = false; // placeholder for that check

        if (hasPermission)
        {
            return AuthorizationResult.Allowed;
        }
        return new AuthorizationResult("You do not have permission to access this person.");
    }
I can do this with inserts, updates and deletes. Calling a method to
do a view or query seems impossible. How do I know what they are
trying to view? User permission is based on the Id of the item they
are looking up. There's a stored proc that goes off and returns their
permission mask on the items they are accessing. The problem is I can't
tell what they are trying to view.
The other solution is to put a user validation call at the top of each
method, like so:
    public void GetPerson(int personId)
    {
        if (UserHasAccess())
        {
            // Do stuff if authorised
        }
        else
        {
            throw new SecurityAccessException("go away");
        }
    }
but a single attribute on the method would be cleaner. Otherwise I have
to put that code all over the place...
cheers,
Stephen
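The following is an added example, not Stephen's code and not the RIA Services attribute pipeline he is asking about. It shows the second approach from the post done once rather than "all over the place": the method that has the requested personId in hand passes it to a single authorizer, which consults a permission mask and fails closed. The mask is read from an in-memory table that stands in for the stored procedure; the names PersonPermissionStore, PersonAuthorizer, PersonService and the "alice" sample data are all assumptions made for the example. The point it demonstrates is that a role attribute alone (site_data_entry) says nothing about which personId the caller may read, so the per-item check needs the id as an explicit input, whatever mechanism ends up calling it.

```csharp
using System;
using System.Collections.Generic;
using System.Security;
using System.Security.Principal;

// Permission mask bits, a stand-in for the mask the stored procedure returns.
[Flags]
enum PersonPermission
{
    None = 0,
    Read = 1,
    Update = 2,
    Delete = 4
}

// Hypothetical lookup answering "what may this user do to this person?".
// Here it is backed by a constructed in-memory table instead of the stored proc.
class PersonPermissionStore
{
    private readonly Dictionary<(string user, int personId), PersonPermission> _masks;

    public PersonPermissionStore(Dictionary<(string, int), PersonPermission> masks)
    {
        _masks = masks;
    }

    public PersonPermission GetMask(IPrincipal principal, int personId)
    {
        // Fail closed: an unknown (user, person) pair yields no rights at all.
        return _masks.TryGetValue((principal.Identity.Name, personId), out var mask)
            ? mask
            : PersonPermission.None;
    }
}

// The one check every method that touches a person calls, instead of repeating
// the authentication test and the mask lookup inline in each method.
class PersonAuthorizer
{
    private readonly PersonPermissionStore _store;

    public PersonAuthorizer(PersonPermissionStore store) { _store = store; }

    public void Demand(IPrincipal principal, int personId, PersonPermission required)
    {
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
            throw new SecurityException("Not authenticated.");

        var mask = _store.GetMask(principal, personId);
        // Every required bit must be present in the mask.
        if ((mask & required) != required)
            throw new SecurityException(
                $"'{principal.Identity.Name}' lacks {required} on person {personId}.");
    }
}

class PersonService
{
    private readonly PersonAuthorizer _auth;
    private readonly IPrincipal _caller;

    public PersonService(PersonAuthorizer auth, IPrincipal caller)
    {
        _auth = auth;
        _caller = caller;
    }

    // Query: the id the caller asked for is in hand here, so the object-level
    // check runs before any data is read.
    public string GetPerson(int personId)
    {
        _auth.Demand(_caller, personId, PersonPermission.Read);
        return $"person #{personId}";
    }

    public void DeletePerson(int personId)
    {
        _auth.Demand(_caller, personId, PersonPermission.Delete);
        // delete would happen here
    }
}

class Program
{
    static void Main()
    {
        // Constructed sample data: alice may read and update person 1, read person 2.
        var store = new PersonPermissionStore(new Dictionary<(string, int), PersonPermission>
        {
            { ("alice", 1), PersonPermission.Read | PersonPermission.Update },
            { ("alice", 2), PersonPermission.Read },
        });
        var alice = new GenericPrincipal(new GenericIdentity("alice"), new[] { "site_data_entry" });
        var svc = new PersonService(new PersonAuthorizer(store), alice);

        Console.WriteLine(svc.GetPerson(1)); // allowed: Read bit set
        Console.WriteLine(svc.GetPerson(2)); // allowed

        // Same role, but no mask for person 3 and no Delete bit on person 1: both denied.
        foreach (var attempt in new Action[] { () => svc.GetPerson(3), () => svc.DeletePerson(1) })
        {
            try { attempt(); Console.WriteLine("unexpectedly allowed"); }
            catch (SecurityException ex) { Console.WriteLine("denied: " + ex.Message); }
        }
    }
}
```

Whether Demand is invoked from the method body, from an attribute that can see the arguments, or from a service-level hook, the contract is the same: caller identity plus the item id in, an exception or nothing out, and no default-allow path when the lookup finds nothing.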