0

If I wanted to inject some code into my OData insert/update/delete/query endpoints, is there a way to do this?

For example:

  • On query I want to inject a security based further restraint (like if role is x then return subset of data).
  • On update I want to prevent certain fields from being updated (like CreateDate), so some form of overpost protection. Or I want to not allow a regular user to update administrative data columns.
  • On insert/update I want to have server-based logic calculate certain column values and furthermore trigger certain server operations.
  • On delete I want to cancel the delete, insert the record into an audit table and set the DeleteDate column of the entity - AKA soft delete.

Are these possible? Any documents/tutorials on how to do this?

Thanks

t316

2 Answers

0

We do not have column level security, only table level. However you can achieve what you want using before/after events, like beforeCreate, beforeUpdate, where you can insert your server side javascript code to intervene.

Gabor Dolla
  • Oh - that's great that those events exist. I am new to JayStorm - can you be kind enough to direct me to a place where I can read about this? Or maybe a sample? Can I get access to the logged in user's identity and his/her roles in those functions and run different code paths based on that? – t316 Jun 10 '13 at 13:56
  • Hi, we'll have a blogpost about it soon. – Gabor Dolla Jun 11 '13 at 08:29
  • Very nice writeup. Thanks. Please do consider first class support for cancelling a delete in beforedelete (My understanding is that it can't be done right now?) – t316 Jun 17 '13 at 15:05
  • sure you can, just return false – Gabor Dolla Jun 17 '13 at 16:22
  • Ah - that's great. So for soft delete I can update the DeletedOn date column to the current time and update the record but return false so the delete is canceled (and effectively turned into an update)? – t316 Jun 17 '13 at 16:25
  • in the event handler you can do strange things but it does not mean that you should – Gabor Dolla Jun 17 '13 at 17:33
0

I recommend the latest blogpost about the event handlers in JayData - the Entity The before/after EntitySet-level events are the ones you can customize on JayStorm PaaS application manager.

Implementing role-based behavior: The 'this' variable contains a user, which you can use to implement custom logic.

var self = this; //it's better to avoid confusions later
var currentUser = self.User;

Checking user group membership:

if (currentUser.Groups.indexOf('admin') < 0) {
  items.forEach(function (it) {
    // items is an array of created/updated/deleted entities
  });
}

Properties of the user: Groups (returns an array of strings), Login, FirstName, LastName, Enabled, Password

Soft delete: This requires custom development. I recommend that you disallow the delete action for the security groups and publish a service method to provide this functionality.

Robesz
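An overpost guard for the update case in the question, written in the handler shape the answers describe (added example, not code from JayData, JayStorm or either answerer). `this.User`, `User.Groups`, `User.Enabled`, the `items` array and "return false" to cancel come from the page; the field lists, the plain-object entities that carry only the submitted fields, and returning `true`/`false` from an update handler are assumptions.

```javascript
// Added example, not JayData/JayStorm code. Field lists and sample data are
// assumptions; entities are modelled as plain objects holding submitted fields.
var SERVER_OWNED = ['CreateDate', 'DeleteDate'];   // set by server logic only
var ADMIN_ONLY = ['IsApproved', 'OwnerLogin'];     // hypothetical admin columns

function isAdmin(user) {
  // Fail closed: no user, a disabled user, or no Groups array means "not admin".
  return Boolean(user) && user.Enabled === true &&
    Array.isArray(user.Groups) && user.Groups.indexOf('admin') >= 0;
}

// Returns every violation so the decision can be logged and tested.
function findOverposts(user, items) {
  var admin = isAdmin(user);
  var violations = [];
  items.forEach(function (it, index) {
    Object.keys(it).forEach(function (field) {
      if (SERVER_OWNED.indexOf(field) >= 0) {
        violations.push({ index: index, field: field, reason: 'server-owned' });
      } else if (!admin && ADMIN_ONLY.indexOf(field) >= 0) {
        violations.push({ index: index, field: field, reason: 'admin-only' });
      }
    });
  });
  return violations;
}

// Handler body: `this` carries the user, `items` are the entities being
// updated, and false cancels the operation (assumed to match the delete case).
function beforeUpdate(items) {
  var self = this; // same convention as the answer above
  if (!self.User || self.User.Enabled !== true) {
    return false; // no identity or a disabled account: reject the whole batch
  }
  return findOverposts(self.User, items).length === 0;
}

// Constructed sample contexts standing in for the `this` of a real handler.
var regularCtx = { User: { Login: 'bob', Enabled: true, Groups: ['users'] } };
var adminCtx = { User: { Login: 'root', Enabled: true, Groups: ['admin'] } };
```

Rejecting the whole batch instead of silently dropping the protected fields keeps the attempt visible to the caller and to any logging built on `findOverposts`.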