Hi Steven,

There is already an attribute within the .NET Framework that is used to enforce permissions.
Try the PrincipalPermissionAttribute.
http://msdn.microsoft.com/en-us/library/system.security.permissions.principalpermissionattribute.aspx

You could maybe use Reflector or another similar tool to see how it's done in this class, so you can implement yours.

Grant

On Fri, May 20, 2011 at 5:29 PM, Stephen Price <[email protected]> wrote:
> Hey all,
>
> I'm looking for a way to get at the value of the parameter of a method
> call from a custom attribute.
>
> [RequiresJobRole(JobRole.site_data_entry)]
> public void GetPerson(int personId)
> {
>     // Do stuff if authorised
> }
>
> Then in the attribute
>
> protected override AuthorizationResult IsAuthorized(IPrincipal principal, AuthorizationContext authorizationContext)
> {
>     // For inserts and updates I can check the Entity being operated on via something like this
>     var person = authorizationContext.Instance as PersonalDetails;
>
>     // But it's null if I'm doing a Query / read.
>
>     var hasPermission = // get the int personId that the method was called with and check they have access. Is this even possible?
>     if (hasPermission)
>     {
>         return AuthorizationResult.Allowed;
>     }
>     return new AuthorizationResult("You do not have permission to access this person.");
> }
>
> I can do this with Inserts, Updates and Deletes. Calling a method to
> do a view or query seems impossible. How do I know what they are
> trying to view? User permission is based on the Id of the item they
> are looking up. There's a stored proc that goes off and returns their
> permission mask on the items they are accessing. Problem is I can't
> tell what they are trying to view.
> The other solution is to put a user validation call at the top of each
> method like so;
>
> public void GetPerson(int personId)
> {
>     if (UserHasAccess()) {
>         // Do stuff if authorised
>     }
>     else {
>         throw new SecurityAccessException("go away");
>     }
> }
>
> but a single Attribute on the method would be cleaner. Otherwise have
> to put that code all over the place...
>
> cheers,
> Stephen
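
An added example, not part of the thread and not code from either poster: on .NET Framework, `PrincipalPermissionAttribute` demands a role before the method body runs and has no view of the method's arguments, so the per-record check still has to run with `personId` in hand. `PersonAccess`, its in-memory table (a constructed stand-in for the stored procedure mentioned above) and the user name are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

public static class PersonAccess
{
    // Constructed stand-in for the stored procedure that returns a user's
    // permission mask: user name -> person ids that user may read.
    static readonly Dictionary<string, HashSet<int>> Readable =
        new Dictionary<string, HashSet<int>> { { "alice", new HashSet<int> { 1, 2 } } };

    // One place for the per-record check, called with the id in hand.
    public static void DemandRead(int personId)
    {
        string user = Thread.CurrentPrincipal.Identity.Name;
        HashSet<int> ids;
        if (!Readable.TryGetValue(user, out ids) || !ids.Contains(personId))
            throw new SecurityException("You do not have permission to access this person.");
    }
}

public class PersonService
{
    // Declarative role gate: evaluated before the body runs, cannot see personId.
    [PrincipalPermission(SecurityAction.Demand, Role = "site_data_entry")]
    public string GetPerson(int personId)
    {
        PersonAccess.DemandRead(personId);   // object-level check needs the argument
        return "person " + personId;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed principal: in the required role, allowed ids 1 and 2 only.
        Thread.CurrentPrincipal = new GenericPrincipal(
            new GenericIdentity("alice"), new[] { "site_data_entry" });
        var svc = new PersonService();
        Console.WriteLine(svc.GetPerson(1));          // in role, id permitted
        try { svc.GetPerson(99); }                    // in role, id not permitted
        catch (SecurityException e) { Console.WriteLine("denied: " + e.Message); }
    }
}
```

The role demand alone would let any `site_data_entry` user read every person record; the second check is what ties access to the specific id.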
