That would help a lot, I hadn't thought of it from that angle. Thanks, will try that out and see how it feels. :)
cheers,
Stephen

On Fri, May 20, 2011 at 4:52 PM, James Chapman-Smith <ja...@chapman-smith.com> wrote:
> Hi Stephen,
>
> It sounds like you're trying to do the right thing and reduce boiler-plate
> code, but the approach seems a little awkward.
>
> I'd be inclined to adopt a "decorator" pattern on this to get your security
> to work.
>
> Basically have an inner implementation of your methods without security and
> then an outer, publicly exposed class that only has security and has it
> defer to the inner class to do the work.
>
> Sort of like this:
>
> public class Repository
> {
>     private RepositoryImpl Inner = new RepositoryImpl();
>
>     public Customer GetCustomer(int customerId)
>     {
>         RequireOrThrow<AuthorizationResult>(JobRole.site_data_entry, "You do not have permission to access this customer.");
>         return this.Inner.GetCustomer(customerId);
>     }
> }
>
> internal class RepositoryImpl
> {
>     public Customer GetCustomer(int customerId)
>     {
>         // Do stuff to get customer - no security code
>     }
> }
>
> I've over simplified it, but how does that sound?
>
> Cheers.
>
> James.
>
> -----Original Message-----
> From: ozdotnet-boun...@ozdotnet.com [mailto:ozdotnet-boun...@ozdotnet.com] On Behalf Of Stephen Price
> Sent: Friday, 20 May 2011 16:59
> To: ozDotNet
> Subject: clever friday code
>
> Hey all,
>
> I'm looking for a way to get at the value of the parameter of a method
> call from a custom attribute.
>
> [RequiresJobRole(JobRole.site_data_entry)]
> public void GetPerson(int personId)
> {
>     // Do stuff if authorised
> }
>
> Then in the attribute
>
> protected override AuthorizationResult IsAuthorized(IPrincipal principal, AuthorizationContext authorizationContext)
> {
>     // For inserts and updates I can check the Entity being operated on via something like this
>     var person = authorizationContext.Instance as PersonalDetails;
>
>     // But it's null if I'm doing a Query / read.
>
>     var hasPermission = // get the int personId that the method was called with and check they have access. Is this even possible?
>     if (hasPermission)
>     {
>         return AuthorizationResult.Allowed;
>     }
>     return new AuthorizationResult("You do not have permission to access this person.");
> }
>
> I can do this with Inserts, Updates and Deletes. Calling a method to
> do a view or query seems impossible. How do I know what they are
> trying to view? User permission is based on the Id of the item they
> are looking up. There's a stored proc that goes off and returns their
> permission mask on the items they are accessing. Problem is I can't
> tell what they are trying to view.
> The other solution is to put a user validation call at the top of each
> method like so;
>
> public void GetPerson(int personId)
> {
>     if (UserHasAccess())
>     {
>         // Do stuff if authorised
>     }
>     else
>     {
>         throw new SecurityAccessException("go away");
>     }
> }
>
> but a single Attribute on the method would be cleaner. Otherwise have
> to put that code all over the place...
>
> cheers,
> Stephen
>
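As an added illustration of the decorator approach James sketches above (example code written for this page, not code from either poster), the following C# puts the per-item permission check in an outer class that implements the same interface as the internal, security-free implementation. Because the check lives in the outer method, the id being read is simply the method parameter, which is exactly the value Stephen could not reach from the attribute on a query. The `ICustomerRepository`, `IPermissionService` and `ItemPermission` names are assumptions, and the in-memory permission table stands in for the stored procedure that returns a permission mask in the thread.

```csharp
using System;
using System.Collections.Generic;
using System.Security;

// Per-item permission mask, standing in for the mask the stored proc returns (assumed names).
[Flags]
public enum ItemPermission { None = 0, Read = 1, Update = 2, Delete = 4 }

public class Customer
{
    public int Id { get; set; }
    public string Name { get; set; }
}

// Single contract shared by the secured outer class and the inner implementation,
// so callers only ever hold the secured surface.
public interface ICustomerRepository
{
    Customer GetCustomer(int customerId);
    void UpdateCustomer(Customer customer);
}

// Inner implementation: data access only, no security code. Kept internal so
// code outside the assembly cannot call it directly and bypass the decorator.
internal class CustomerRepositoryImpl : ICustomerRepository
{
    // Constructed sample data for the example.
    private readonly Dictionary<int, Customer> store = new Dictionary<int, Customer>
    {
        { 1, new Customer { Id = 1, Name = "Alice" } },
        { 2, new Customer { Id = 2, Name = "Bob" } },
    };

    public Customer GetCustomer(int customerId)
    {
        Customer customer;
        return store.TryGetValue(customerId, out customer) ? customer : null;
    }

    public void UpdateCustomer(Customer customer)
    {
        store[customer.Id] = customer;
    }
}

// Resolves the current user's mask for one item (assumed interface; the thread uses a stored proc).
public interface IPermissionService
{
    ItemPermission GetMask(string user, int customerId);
}

public class InMemoryPermissionService : IPermissionService
{
    // Constructed sample grants: "user:customerId" -> mask. Anything absent resolves to None.
    private readonly Dictionary<string, ItemPermission> masks = new Dictionary<string, ItemPermission>
    {
        { "stephen:1", ItemPermission.Read | ItemPermission.Update },
        { "stephen:2", ItemPermission.None },
    };

    public ItemPermission GetMask(string user, int customerId)
    {
        ItemPermission mask;
        // Deny by default: an unknown user/item pair yields no permissions.
        return masks.TryGetValue(user + ":" + customerId, out mask) ? mask : ItemPermission.None;
    }
}

// Outer, publicly exposed class: security only, then defer to the inner implementation.
public class SecuredCustomerRepository : ICustomerRepository
{
    private readonly ICustomerRepository inner;
    private readonly IPermissionService permissions;
    private readonly string currentUser;

    public SecuredCustomerRepository(ICustomerRepository inner, IPermissionService permissions, string currentUser)
    {
        this.inner = inner;
        this.permissions = permissions;
        this.currentUser = currentUser;
    }

    public Customer GetCustomer(int customerId)
    {
        // The id under query is the parameter itself, so a read can be authorised per item.
        Require(customerId, ItemPermission.Read, "You do not have permission to access this customer.");
        return inner.GetCustomer(customerId);
    }

    public void UpdateCustomer(Customer customer)
    {
        Require(customer.Id, ItemPermission.Update, "You do not have permission to update this customer.");
        inner.UpdateCustomer(customer);
    }

    private void Require(int customerId, ItemPermission needed, string message)
    {
        ItemPermission mask = permissions.GetMask(currentUser, customerId);
        if ((mask & needed) != needed)
            throw new SecurityException(message);
    }
}

public static class Program
{
    public static void Main()
    {
        ICustomerRepository repo = new SecuredCustomerRepository(
            new CustomerRepositoryImpl(), new InMemoryPermissionService(), "stephen");

        Console.WriteLine(repo.GetCustomer(1).Name);   // stephen holds Read on item 1
        try
        {
            repo.GetCustomer(2);                        // no mask for item 2: denied
        }
        catch (SecurityException e)
        {
            Console.WriteLine("Denied: " + e.Message);
        }
    }
}
```

The interface is what makes the pattern hold up: the composition root hands out `ICustomerRepository`, and the only public implementation is the secured one, so adding a new repository method without its `Require` call is a visible omission in one class rather than something scattered across the code base. Resolving an absent mask to `None` keeps the check fail-closed.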