
I created a middleware layer between the BL and the Entity Framework DAL for filtering the data by the user-permission business logic in the application. My layer implements IObjectSet, which holds an instance of the "non-filtered ObjectSet", and the filter expression runs whenever the ObjectSet is in use. Everything works great, except for the method "Include". I found a solution that creates an extension method that converts the "non-filtered ObjectSet" to ObjectQuery and uses the ObjectQuery.Include method, but this solution can cause a bypass of the permission filtering.

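    public IQueryable<TEntity> Include<TJoin>(string path)
    {
        // Include is called on the unfiltered set, so the permission
        // filter expression is not part of the returned query.
        if (_nonAuthorizedObjectSet is ObjectQuery<TEntity>)
        {
            var result = ((ObjectQuery<TEntity>)_nonAuthorizedObjectSet).Include(path);
            return result as IQueryable<TEntity>;
        }
        // Not an ObjectQuery: Include cannot be applied.
        throw new NotSupportedException("Include requires an ObjectQuery<TEntity>.");
    }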

For example:

The table "Items" has columns {Item_Id, Owner, Item_Type_Id}. This table has a permission logic that the user can only see the items where Owner == user. The table "Item_Types" has no permission logic.

By doing:

`PermittedDAL.Items.ToArray()` – I get only the items where current_user == Owner.

`Item_Types.Include("Items")` – Problem!! I get all the items.

Thanks

  • I read your question three times and I don't understand it. What is `User_Types` in the example? What do you want to filter? The main entities or included (eagerly loaded) entities? – Ladislav Mrnka Nov 03 '11 at 09:08
  • OK, I fixed the example. I want to filter the included entity, but the issue is that the filtering needs to be in the ObjectSet and not in the BL. The row `Item_Types.Include("Items")` must return only the filtered Items. – Ronen Rabinovitz Nov 04 '11 at 10:26

1 Answer

EF does not support filtering eager loaded records (Include). Only main records can be filtered. If you need to filter relations you must either use custom projections or separate queries for each relation.

Ladislav Mrnka
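The answer's "separate queries for each relation" option, as an added example (not code from the question or the answer): the parent rows are loaded unfiltered and the child rows are read only through the filtered set, so nothing calls Include on the raw ObjectSet. The entity classes, `PermittedItems`, `TypesWithPermittedItems` and the in-memory sample rows are constructed assumptions standing in for the real ObjectSets.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Constructed entity shapes mirroring the question's tables.
class Item { public int Item_Id { get; set; } public string Owner { get; set; } public int Item_Type_Id { get; set; } }
class ItemType { public int Item_Type_Id { get; set; } public string Name { get; set; } }

static class Demo
{
    // Hypothetical stand-in for the permission-filtering set: callers never see raw rows.
    static IQueryable<Item> PermittedItems(IQueryable<Item> raw, string currentUser)
    {
        return raw.Where(i => i.Owner == currentUser);
    }

    // Replacement for Item_Types.Include("Items"): one query per relation,
    // with the child rows read only through the permitted set.
    static Dictionary<ItemType, List<Item>> TypesWithPermittedItems(
        IQueryable<ItemType> types, IQueryable<Item> permittedItems)
    {
        var typeList = types.ToList();                        // query 1: unfiltered parents
        var typeIds = typeList.Select(t => t.Item_Type_Id).ToList();
        var children = permittedItems                         // query 2: filtered children
            .Where(i => typeIds.Contains(i.Item_Type_Id))
            .ToLookup(i => i.Item_Type_Id);
        // A type with no permitted items gets an empty list, not the hidden rows.
        return typeList.ToDictionary(t => t, t => children[t.Item_Type_Id].ToList());
    }

    static void Main()
    {
        // Constructed sample data; in the application these would be the ObjectSets.
        var items = new[] {
            new Item { Item_Id = 1, Owner = "alice", Item_Type_Id = 10 },
            new Item { Item_Id = 2, Owner = "bob",   Item_Type_Id = 10 },
            new Item { Item_Id = 3, Owner = "alice", Item_Type_Id = 20 },
        }.AsQueryable();
        var types = new[] {
            new ItemType { Item_Type_Id = 10, Name = "Book" },
            new ItemType { Item_Type_Id = 20, Name = "Tool" },
        }.AsQueryable();

        var result = TypesWithPermittedItems(types, PermittedItems(items, "alice"));
        foreach (var pair in result)
            Console.WriteLine("{0}: {1}", pair.Key.Name,
                string.Join(", ", pair.Value.Select(i => i.Item_Id.ToString()).ToArray()));
    }
}
```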