LightSwitch: Row Level Security

  • Question

  • I have a LightSwitch application that has a summary object and a detail object.  If you select a row in the summary object, then the full attributes of the summary object are displayed in the detail object.  I would like to implement row-level security that handles the following use cases:

    1.  If the selected row was created by the user, then the details are editable.

    2.  If the selected row was created by a different user, then the details are not editable.

    3.  If the user has a role that has a super user permission set, then the details are editable regardless of whether or not they created the selected row.

    Since I couldn't figure out exactly how to do this, I set up the following filter in the entity's filter:

        // Query filter on the entity set: users without the view-all permission
        // only get rows whose CreatedBy matches their own full name.
        partial void EntityObjects_Filter(ref Expression<Func<EntityObject, bool>> filter)
        {
            if (this.Application.User.HasPermission(Permissions.CanViewAllEntityObjects) == false)
            {
                filter = eb => eb.CreatedBy == this.Application.User.FullName;
            }
        }

    The behavior this gives is that the logged-in user can only see summary entity objects they created and see and edit the details associated with them.  Users who have the CanViewAllEntityObjects permission can see all summary entity objects and edit the details associated with them regardless of who created them.  Although this solves use cases 1 and 3, it does not solve use case 2.  I basically chose to filter out all of the rows that users are supposed to be able to see but not edit.  That's not the desired behavior.

    Please also note I implemented all of this in a single screen.  I did not create any child screens.  I believe I can see how I could make a child screen have this kind of behavior possibly, but I was trying to avoid a parent-child screen scenario.

    Wednesday, September 19, 2012 8:16 PM

Answers

  • I resolved the issue.  I added the following code to the Entity in the screen:

        // Screen code: runs on the client whenever the selected row changes and
        // toggles the detail controls according to ownership and permission.
        partial void EntityObjects_SelectionChanged()
        {
            var selectedItem = this.EntityObjects.SelectedItem;

            if (selectedItem == null)
            {
                return;
            }
            else if (selectedItem.CreatedBy != this.Application.User.FullName
                     && this.Application.User.HasPermission(Permissions.CanEditAllEntityObjects) == false)
            {
                // Another user's row and no super-user permission: read-only.
                this.FindControl("DetailsColumn").IsEnabled = false;
                this.FindControl("EntityObjects_DeleteSelected").IsEnabled = false;
            }
            else
            {
                // Own row, or super user: editable and deletable.
                this.FindControl("DetailsColumn").IsEnabled = true;
                this.FindControl("EntityObjects_DeleteSelected").IsEnabled = true;
            }
        }

    Wednesday, September 19, 2012 8:40 PM
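The accepted answer disables controls on the client only, so the same ownership rule should also be enforced in the server-side save pipeline, where a request that bypasses the screen still arrives. The following is an added example, not code from the thread: it applies the thread's own `CreatedBy`/`FullName` comparison and `CanEditAllEntityObjects` permission in the data service's `_Validate` and `_Deleting` hooks. `ApplicationDataService` is assumed to be the application's data service class (LightSwitch's default name).

```csharp
using System;
using Microsoft.LightSwitch;
using Microsoft.LightSwitch.Security.Server;

namespace LightSwitchApplication
{
    // Assumed to be the application's data service class (LightSwitch default name).
    public partial class ApplicationDataService
    {
        // Same ownership rule as the screen code: the creator may modify the row,
        // and anyone holding the super-user permission may modify any row.
        private bool CanModify(EntityObject entity)
        {
            var user = this.Application.User;
            return user.HasPermission(Permissions.CanEditAllEntityObjects)
                || entity.CreatedBy == user.FullName;
        }

        // Runs on the server for every EntityObject in a save; an entity error
        // here rejects the save regardless of which client submitted it.
        partial void EntityObjects_Validate(EntityObject entity,
                                            EntitySetValidationResultsBuilder results)
        {
            // Newly added rows have no prior owner, so only guard modifications.
            if (entity.Details.EntityState == EntityState.Modified && !CanModify(entity))
            {
                results.AddEntityError(
                    "Only the row's creator or a super user may change it.");
            }
        }

        // Deletes do not pass through _Validate; throwing here aborts the save.
        partial void EntityObjects_Deleting(EntityObject entity)
        {
            if (!CanModify(entity))
            {
                throw new InvalidOperationException(
                    "Only the row's creator or a super user may delete it.");
            }
        }
    }
}
```

`FullName` is a display name and is not guaranteed unique; if two accounts could share one, the login name (`User.Name`) is the safer key, used consistently both when `CreatedBy` is written and when it is checked.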