MarimerLLC / cslaforum

Discussion forum for CSLA .NET
https://cslanet.com

Intercept certain DataPortal request #680

Open minhletn opened 5 years ago

minhletn commented 5 years ago

Question Is there a way to intercept certain DataPortal requests for authorizing?

For example, we want to intercept only GetProductDetails and make sure the currently logged-in user has permission to view the requested product's details, but GetProducts is fine since everyone can see the product list.

We have many commands in our solution, so we are looking for a way to target certain commands by using an interface or annotation if possible.

I found a thread here, but couldn't see how it can target specific requests https://github.com/marimerllc/csla/issues/564

Version and Platform: CSLA version 4.3.14; OS: Windows; Platform: Silverlight

minhletn commented 5 years ago

Is there a way to add BusinessRule / ValidationRule to Command objects, so a validation can be triggered on server-side?

rockfordlhotka commented 5 years ago

The Using CSLA 4: Data Portal Configuration book covers how to authorize data portal requests via the IAuthorizeDataPortal interface. That's probably what you are looking for?

In your implementation of the Authorize method you have full access to the client request, including the root object type, any criteria, and the requested operation (create/fetch/update/delete).

You could, for example, define your own custom attribute for types you want to check, and in your Authorize implementation you'd see if the root object type has that attribute.
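The attribute-based approach described in this answer, written out as an added example; it is not code from the thread or from the CSLA project, and the names RequiresProductAccessAttribute, ProductCriteria, ProductDetails and the "ProductViewer" role are assumptions. It assumes the CSLA 4 IAuthorizeDataPortal contract (Authorize receives an AuthorizeRequest carrying ObjectType, RequestObject and Operation) and that the authorizer is registered through the CslaAuthorizationProvider setting.

```csharp
// Added example (not CSLA's own code): IAuthorizeDataPortal that only inspects
// fetches of root types marked with a custom attribute; undecorated types such as
// the product list pass through untouched. Names below are assumed, not from the thread.
using System;
using System.Security.Principal;
using Csla;
using Csla.Server;
using Csla.Security;

// Marker attribute for root types whose fetch needs a per-product check.
[AttributeUsage(AttributeTargets.Class, Inherited = false)]
public sealed class RequiresProductAccessAttribute : Attribute { }

// Hypothetical criteria carrying the requested product id.
[Serializable]
public class ProductCriteria : CriteriaBase<ProductCriteria>
{
  public static readonly PropertyInfo<int> ProductIdProperty = RegisterProperty<int>(c => c.ProductId);
  public int ProductId
  {
    get { return ReadProperty(ProductIdProperty); }
    set { LoadProperty(ProductIdProperty, value); }
  }
  public ProductCriteria() { }
  public ProductCriteria(int productId) { ProductId = productId; }
}

// The root type the question wants intercepted; GetProducts' root type stays undecorated.
[RequiresProductAccess]
[Serializable]
public class ProductDetails : ReadOnlyBase<ProductDetails> { /* properties and DataPortal_Fetch omitted */ }

// Register as the CslaAuthorizationProvider app setting (assembly-qualified type name).
public class ProductAuthorizer : IAuthorizeDataPortal
{
  public void Authorize(AuthorizeRequest clientRequest)
  {
    // Only fetch operations on decorated root types are checked; all other requests are allowed.
    if (clientRequest.Operation != DataPortalOperations.Fetch) return;
    if (!Attribute.IsDefined(clientRequest.ObjectType, typeof(RequiresProductAccessAttribute))) return;

    // Deny by default: a decorated fetch without the expected criteria is refused, not ignored.
    var criteria = clientRequest.RequestObject as ProductCriteria;
    if (criteria == null)
      throw new SecurityException("Decorated fetch arrived without ProductCriteria");

    IPrincipal user = ApplicationContext.User;
    if (user == null || !user.Identity.IsAuthenticated || !CanViewProduct(user, criteria.ProductId))
      throw new SecurityException("User may not view product " + criteria.ProductId);
  }

  // Placeholder check; a real implementation would look up per-product permissions for the user.
  private static bool CanViewProduct(IPrincipal user, int productId)
  {
    return user.IsInRole("ProductViewer");
  }
}
```

Because the check runs in the data portal on the server, it applies whether or not the Silverlight client performed its own authorization first.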

rockfordlhotka commented 5 years ago

Is there a way to add BusinessRule / ValidationRule to Command objects, so a validation can be triggered on server-side?

The most common place to do this is in the same Authorize method I mention. You have access to the object at that point, and know that the requested operation is update, so you can use that as an indicator that you should call ICheckRules.CheckRules on any editable object.

That won't work on a command object, because there's no rules engine in any base type except BusinessBase. If your "command object" needs rules (and that's not uncommon) then you can subclass BusinessBase to create that type.

jonnybee commented 5 years ago

In addition to intercepting on the server side, you could also easily add a check for permission in GetProductDetails() - assuming that permission = role and you can check .IsInRole("some role") in this method.

rockfordlhotka commented 5 years ago

That's a good point @jonnybee - which reminds me that you should also look at the per-type authorization rules built into CSLA - they apply to command objects as well as all other types.

If you want to recheck those rules on the server (they are automatically checked on the client), your Authorize method can call a helper method on the context parameter to recheck all per-type rules for the root domain type in the request.

minhletn commented 5 years ago

Thanks @rockfordlhotka, @jonnybee,

I'll use IAuthorizeDataPortal for server-side checking, and use interfaces to determine the types that need to be checked