Custom authorization in ADO.NET Data Services

Asked
Viewd1004

1

I have an ADO.NET Data Service that exposes an Entity Framework data model (.edmx).

I need to allow / reject reads/writes to certain entities for certain users. I use Windows Authentication. All I could find is overriding the OnStartProcessingRequest :

protected override void OnStartProcessingRequest(ProcessRequestArgs args)
{
    base.OnStartProcessingRequest(args);

    bool isBatch = args.IsBatchOperation;
    System.Uri requestUri = args.RequestUri;

    // parse uri and determine the entity and the operation
    // (i.e.: select/update/delete/insert) will be determined by the HTTP verb
}

However I think this sucks and I am hoping for a better solution... Any ideas? :(

1 ответов

4

You can set the entity rights on service initialization for each user like

config.SetEntitySetAccessRule("Orders", UserRights.GetRights(identity, "Orders"));

config.SetEntitySetAccessRule("Products", UserRights.GetRights(identity, "Products"));

The main disadvantages of applying resource visibility in this way are that the visibility is at entity level and not at row level.

You can overcome that with a combination of service operations and change interceptors.

[ChangeInterceptor("Products")]
public void OnProductsChange(Products product, UpdateOperations operations)
{
      if(!UserRights.HasAccessRights(identity, "Products", operations))
      {
             throw new DateServicesException(404, "Access denied!");
      }
}
  • первый пример следует использовать, если вы не хотите, чтобы ppl имел определенный доступ ко всей таблице / ресурсу

    второй пример можно использовать в таких сценариях, как пользователь не может создавать продукты, цена которых превышает определенную маржу, которая зависит от некоторых расчетов на стороне сервера.

    dmportella22 сентября 2009, 15:52