
I have a parent/child relationship and both use AuthorizationRule. The save is always done on the parent. Some users do not have access to modify the parent but do have access to modify the children. If the parent HasPermission returns false, it will fail on save even if the parent isn't dirty.

```vbnet
Public MustInherit Class EditObjectRule
    Inherits AuthorizationRule

    Public Sub New()
        MyBase.New(AuthorizationActions.EditObject)
    End Sub

    Protected Overrides Sub Execute(ByVal context As AuthorizationContext)
        context.HasPermission = False
    End Sub

End Class
```

Should I look at the parent instance and see if it's dirty before doing the security check?

```vbnet
Public MustInherit Class EditObjectRule
    Inherits AuthorizationRule

    Public Sub New()
        MyBase.New(AuthorizationActions.EditObject)
    End Sub

    Protected Overrides Sub Execute(ByVal context As AuthorizationContext)
        If context.Target Is Nothing Then
            context.HasPermission = False
        ElseIf CType(context.Target, IBusinessBase).IsSelfDirty Then
            context.HasPermission = False
        Else
            context.HasPermission = True
        End If
    End Sub

End Class
```

It seems weird but I don't see any other options.

the_lotus

1 Answer

The data portal interacts with (create/read/save) an object graph, not individual objects within the graph.

As a result, you can't directly save a child object, you are always saving the object graph via the singular root object (probably your parent object). Something like this, where r is root, l is a list of child objects, and c is each child.

```
r - l - c
      - c
      - c
```

(There are advanced ways to save individual child objects, but that's not the normal path.)

What this ultimately means is that the permissions of the root object are the ones that really matter to the data portal. Permissions on child objects are "hints" to the UI about what the user can/can't do to that child, but whether you can create/read/update the object graph is based on the rules attached to the root.

Rockford Lhotka
  • If I understand, the parent class would have to return True if either the parent or the child can edit. I would probably need to handle CanWriteProperty for parent and child to handle their individual cases. – the_lotus Dec 05 '19 at 18:52
  • You are correct, the parent would need to collaborate with child objects. But you should be able to do this via a custom rule. It shouldn't be necessary to override methods such as `CanWriteProperty`. – Rockford Lhotka Dec 06 '19 at 16:14
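
Added example, not code from either poster or from the CSLA project: one way the root's rule could collaborate with its children, as the last comment suggests, so the save is denied when the root itself changed without permission or when any changed child fails its own EditObject rule. `IChildOwner`, `PersistedChildren`, `EditGraphRule` and `CanEditRoot` are hypothetical names, and the static `BusinessRules.HasPermission(action, obj)` call assumes the CSLA 4 API.

```vbnet
Imports System.Collections.Generic
Imports Csla.Core
Imports Csla.Rules

' Hypothetical interface, not part of CSLA: the root lists every child it
' will persist, including children queued for deletion.
Public Interface IChildOwner
    ReadOnly Property PersistedChildren As IEnumerable(Of ITrackStatus)
End Interface

Public MustInherit Class EditGraphRule
    Inherits AuthorizationRule

    Public Sub New()
        MyBase.New(AuthorizationActions.EditObject)
    End Sub

    ' Hypothetical hook: may the current user change the root's own fields?
    Protected MustOverride Function CanEditRoot() As Boolean

    Protected Overrides Sub Execute(ByVal context As AuthorizationContext)
        Dim root = TryCast(context.Target, ITrackStatus)
        Dim owner = TryCast(context.Target, IChildOwner)
        If root Is Nothing OrElse owner Is Nothing Then
            ' No instance, or children cannot be inspected: fail closed
            ' to the root's own permission.
            context.HasPermission = CanEditRoot()
            Return
        End If

        ' A change to the root itself always needs the root permission.
        If root.IsSelfDirty AndAlso Not CanEditRoot() Then
            context.HasPermission = False
            Return
        End If

        ' Child rules are only UI hints unless the root enforces them here.
        For Each child In owner.PersistedChildren
            If child.IsDirty AndAlso
               Not BusinessRules.HasPermission(AuthorizationActions.EditObject, child) Then
                context.HasPermission = False
                Return
            End If
        Next
        context.HasPermission = True
    End Sub
End Class
```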