Hi Stephen,
It sounds like you're trying to do the right thing and reduce boiler-plate
code, but the approach seems a little awkward.
I'd be inclined to adopt a "decorator" pattern on this to get your security to
work.
Basically have an inner implementation of your methods without security and
then an outer, publicly exposed class that only have security and have it defer
to the inner class to do the work.
Sort of like this:
public class Repository
{
private RepositoryImpl Inner = new RepositoryImpl();
public Customer GetCustomer(int customerId)
{
RequireOrThrow<AuthorizationResult>(JobRole.site_data_entry, "You do
not have permission to access this customer.");
return this.Inner.GetCustomer(customerId);
}
}
internal class RepositoryImpl
{
public Customer GetCustomer(int customerId)
{
//Do stuff to get customer - no security code
}
}
I've over simplified it, but how does that sound?
Cheers.
James.
-----Original Message-----
From: [email protected] [mailto:[email protected]] On
Behalf Of Stephen Price
Sent: Friday, 20 May 2011 16:59
To: ozDotNet
Subject: clever friday code
Hey all,
I'm looking for a way to get at the value of the parameter of a method
call from a custom attribute.
[RequiresJobRole(JobRole.site_data_entry)]
public void GetPerson(int personId)
{
// Do stuff if authorised
}
Then in the attribute
protected override AuthorizationResult IsAuthorized(IPrincipal
principal, AuthorizationContext authorizationContext)
{
// For inserts and updates I can check the Entity being
operated on via something like this
var person = authorizationContext.Instance as PersonalDetails;
// But its null if I'm doing a Query / read.
var hasPermission = // getThe int personId that the method
was called with and check they have access. Is this even possible?
if (hasPermission)
{
return AuthorizationResult.Allowed;
}
return new AuthorizationResult("You do not have permission
to access this person.");
}
I can do this with Inserts, Updates and Deletes. Calling a method to
do a view or query seems impossible. How do I know what they are
trying to view? user permission is based on the Id of the item they
are looking up. There's a stored proc that goes off and returns their
permission mask on the items they are accessing. Problem is I can't
tell what they are trying to view.
The other solution is to put a user validation call at the top of each
method like so;
public void GetPerson(int personId)
{
if(UserHasAccess()){
// Do stuff if authorised
}
else{
throw new SecurityAccessException("go away");
}
}
but a single Attribute on the method would be cleaner. Otherwise have
to put that code all over the place...
cheers,
Stephen
