Extending Entity Framework 4.1 to add security check upon entity retrieval

  • Question

  • I've got an application that needs to have its resources (or 'entities') protected based on permissions / roles. I was wondering if there is a way to extend EF to add custom role checking code to verify that the current user's roles allow them to retrieve / view a specific entity.

    I have been able to accomplish this in regards to saving entities by overriding the 'SaveChanges' method on ObjectContext.

    What I want to accomplish is basically my model throwing security exceptions if the current user context does not have the appropriate role to perform the action they're attempting. 

    Thanks in advance.

    Monday, October 17, 2011 11:53 PM

Answers

  • Hi 

    One of the features missing compared to NHibernate is Interceptors; I guess the EF Team will resolve this in future releases.

    As a workaround, you can abstract all actions on DbContext / ObjectContext so that any request hits your own class, which lets you accomplish this scenario:

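        using System;
        using System.Collections.Generic;
        using System.Linq;

        public class BaseController
        {
            // Placeholder: replace with a real check of the current user's roles.
            public bool HasViewPermission<T>()
            {
                return true;
            }
        }
    
        public class ArticleController : BaseController
        {
            ArticleEntities db = new ArticleEntities();
    
            // Returns all articles only if the caller may view Article entities.
            public IList<Article> GetAll()
            {
                if (HasViewPermission<Article>())
                {
                    return db.Articles.ToList();
                }
                throw new Exception("No permission Exception");
            }
        }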
    
    Your view will only know about the controller, so you can control this.

    Hope this helps you....


    Tuesday, October 18, 2011 9:41 AM
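
A sketch of the workaround described in this answer, added here as an example (not code from the original post): every read goes through one wrapper that checks the current principal's role, throws a `SecurityException` on failure, and denies by default for entity types with no configured role. `SecuredReader`, `Article` and the role name are hypothetical; with EF 4.1 the source query would be `db.Set<T>()`.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security;
using System.Security.Principal;
using System.Threading;

// Hypothetical entity and role names, used only for this example.
public class Article { public int Id; public string Title; }

public class SecuredReader
{
    // Entity type -> role required to read it. Types with no entry are denied.
    private readonly Dictionary<Type, string> _readRoles = new Dictionary<Type, string>();

    public SecuredReader Require<T>(string role) { _readRoles[typeof(T)] = role; return this; }

    // Single gate for reads: check the caller's role before handing out the query.
    // With EF 4.1 the source would be db.Set<T>(); any IQueryable<T> works here.
    public IQueryable<T> Query<T>(IQueryable<T> source)
    {
        IPrincipal user = Thread.CurrentPrincipal;
        string role;
        bool allowed = user != null
            && user.Identity != null && user.Identity.IsAuthenticated
            && _readRoles.TryGetValue(typeof(T), out role)
            && user.IsInRole(role);
        if (!allowed)
            throw new SecurityException("Read access denied for " + typeof(T).Name);
        return source;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample data standing in for a DbSet<Article>.
        var articles = new List<Article> { new Article { Id = 1, Title = "Draft" } }.AsQueryable();
        var reader = new SecuredReader().Require<Article>("ArticleReader");

        Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity("alice"), new[] { "ArticleReader" });
        Console.WriteLine(reader.Query(articles).Count());   // permitted

        Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity("bob"), new string[0]);
        try { reader.Query(articles).ToList(); }
        catch (SecurityException ex) { Console.WriteLine(ex.Message); }
    }
}
```

The check only covers code paths that go through the wrapper, so the context itself should not be exposed to callers.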

All replies

  • Hi void,

    Welcome!

    Thanks for your question. It isn't supported in EF 4.1. As you see, we can override the "SaveChanges" method to accomplish the logic.

     Thanks for understanding.

    Have a nice day.


    Alan Chen[MSFT]

    Tuesday, October 18, 2011 9:02 AM
    Moderator