That would help a lot, hadn't thought of it from that angle.
thanks, will try that out and see how it feels. :)
cheers,
Stephen
On Fri, May 20, 2011 at 4:52 PM, James Chapman-Smith
<ja...@chapman-smith.com> wrote:
> Hi Stephen,
>
> It sounds like you're trying to do the right thing and reduce boiler-plate
> code, but the approach seems a little awkward.
>
> I'd be inclined to adopt a "decorator" pattern on this to get your security
> to work.
>
> Basically have an inner implementation of your methods without security and
> then an outer, publicly exposed class that only have security and have it
> defer to the inner class to do the work.
>
> Sort of like this:
>
> public class Repository
> {
> private RepositoryImpl Inner = new RepositoryImpl();
>
> public Customer GetCustomer(int customerId)
> {
> RequireOrThrow<AuthorizationResult>(JobRole.site_data_entry, "You do
> not have permission to access this customer.");
> return this.Inner.GetCustomer(customerId);
> }
> }
>
> internal class RepositoryImpl
> {
> public Customer GetCustomer(int customerId)
> {
> //Do stuff to get customer - no security code
> }
> }
>
> I've over simplified it, but how does that sound?
>
> Cheers.
>
> James.
>
> -----Original Message-----
> From: ozdotnet-boun...@ozdotnet.com [mailto:ozdotnet-boun...@ozdotnet.com] On
> Behalf Of Stephen Price
> Sent: Friday, 20 May 2011 16:59
> To: ozDotNet
> Subject: clever friday code
>
> Hey all,
>
> I'm looking for a way to get at the value of the parameter of a method
> call from a custom attribute.
>
> [RequiresJobRole(JobRole.site_data_entry)]
> public void GetPerson(int personId)
> {
> // Do stuff if authorised
> }
>
> Then in the attribute
>
> protected override AuthorizationResult IsAuthorized(IPrincipal
> principal, AuthorizationContext authorizationContext)
> {
> // For inserts and updates I can check the Entity being
> operated on via something like this
> var person = authorizationContext.Instance as PersonalDetails;
>
> // But its null if I'm doing a Query / read.
>
> var hasPermission = // getThe int personId that the method
> was called with and check they have access. Is this even possible?
> if (hasPermission)
> {
> return AuthorizationResult.Allowed;
> }
> return new AuthorizationResult("You do not have permission
> to access this person.");
> }
>
> I can do this with Inserts, Updates and Deletes. Calling a method to
> do a view or query seems impossible. How do I know what they are
> trying to view? user permission is based on the Id of the item they
> are looking up. There's a stored proc that goes off and returns their
> permission mask on the items they are accessing. Problem is I can't
> tell what they are trying to view.
> The other solution is to put a user validation call at the top of each
> method like so;
>
> public void GetPerson(int personId)
> {
> if(UserHasAccess()){
> // Do stuff if authorised
> }
> else{
> throw new SecurityAccessException("go away");
> }
> }
>
> but a single Attribute on the method would be cleaner. Otherwise have
> to put that code all over the place...
>
> cheers,
> Stephen
>
