I have a parent/child relationship and both use AuthorizationRule. The save is always done on the parent. For some users, they do not have access to modify the parent but do have access to modify the children. If the parent HasPermission returns false, it will fail on save even if the parent isn't dirty.
    Public MustInherit Class EditObjectRule
        Inherits AuthorizationRule

        Public Sub New()
            MyBase.New(AuthorizationActions.EditObject)
        End Sub

        Protected Overrides Sub Execute(ByVal context As AuthorizationContext)
            context.HasPermission = False
        End Sub
    End Class
Should I look at the parent instance and see if it's dirty before doing the security check?
    Public MustInherit Class EditObjectRule
        Inherits AuthorizationRule

        Public Sub New()
            MyBase.New(AuthorizationActions.EditObject)
        End Sub

        Protected Overrides Sub Execute(ByVal context As AuthorizationContext)
            If context.Target Is Nothing Then
                context.HasPermission = False
            ElseIf CType(context.Target, IBusinessBase).IsSelfDirty Then
                context.HasPermission = False
            Else
                context.HasPermission = True
            End If
        End Sub
    End Class
It seems weird but I don't see any other options.
The data portal interacts with (create/read/save) an object graph, not individual objects within the graph.
As a result, you can't directly save a child object; you are always saving the object graph via the singular root object (probably your parent object). Something like this, where r is root, l is a list of child objects, and c is each child.
    r - l - c
          - c
          - c
(There are advanced ways to save individual child objects, but that's not the normal path.)
What this ultimately means is that the permissions of the root object are the ones that really matter to the data portal. Permissions on child objects are "hints" to the UI about what the user can/can't do to that child, but whether you can create/read/update the object graph is based on the rules attached to the root.
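
One way to apply the answer above, shown as an added example that is not code from either poster: the root's EditObject rule admits every role that may change any part of the graph, and a property-level rule keeps the parent's own fields restricted. It assumes the CSLA 4 API used in the question; the role names "ParentEditor" and "ChildEditor" and the Name property are hypothetical.

```vb
Imports Csla
Imports Csla.Rules
Imports Csla.Rules.CommonRules

' Added example. "ParentEditor" and "ChildEditor" are hypothetical role names.
<Serializable()>
Public Class Parent
    Inherits BusinessBase(Of Parent)

    Public Shared ReadOnly NameProperty As PropertyInfo(Of String) =
        RegisterProperty(Of String)(Function(p) p.Name)

    Public Property Name() As String
        Get
            Return GetProperty(NameProperty)
        End Get
        Set(ByVal value As String)
            SetProperty(NameProperty, value)
        End Set
    End Property

    ' Root-level rule: the one evaluated when the object graph is saved.
    ' Every role allowed to change any part of the graph must pass it.
    Protected Shared Sub AddObjectAuthorizationRules()
        Csla.Rules.BusinessRules.AddRule(GetType(Parent),
            New IsInRole(AuthorizationActions.EditObject, "ParentEditor", "ChildEditor"))
    End Sub

    ' Property-level rule: only ParentEditor may change the parent's own fields.
    Protected Overrides Sub AddBusinessRules()
        MyBase.AddBusinessRules()
        BusinessRules.AddRule(
            New IsInRole(AuthorizationActions.WriteProperty, NameProperty, "ParentEditor"))
    End Sub
End Class
```

With this split, the save of the graph is authorized for both roles, and the restriction on the parent is expressed per property rather than by denying EditObject on the root.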