Hide entityset from / but allow access as relationship

  • Question

  • Hi.

    I have two tables named Customers and Orders.

    Can I make it so that you can't call it like this:

    /Orders

    but can call it like this:

    /Customers(1)/Orders

    ?


    By the way, too bad all books about ADO.NET Data Services are not published.
    Sunday, October 19, 2008 9:33 PM

Answers

  • If you do not want to allow access to the top-level entity set, you can override the OnStartProcessingRequest method on your DataService class and check the request URI. If the request URI is accessing top-level Orders, you can throw. That way no one will be able to access Orders directly from the top level.

    As said before, this is not the best way of doing this, and hence we are considering better ways of doing this in future releases.

    Thanks

    Pratik

    Wednesday, October 22, 2008 4:25 PM
    Moderator
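
Added example, not part of the original answer or of the product's own code: one way to write the OnStartProcessingRequest check described above so that /Orders, /Orders(5) and /Orders/$count are refused while /Customers(1)/Orders still works. ShopEntities, ShopDataService and FirstSegmentName are assumed names, and args.OperationContext assumes a WCF Data Services release that exposes it.

```csharp
using System;
using System.Collections.Generic;
using System.Data.Services;

// ShopEntities stands in for the poster's entity context (assumed name).
public class ShopDataService : DataService<ShopEntities>
{
    // Entity sets that may only be reached through a parent, e.g. /Customers(1)/Orders.
    private static readonly HashSet<string> NavigationOnlySets =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "Orders" };

    public static void InitializeService(DataServiceConfiguration config)
    {
        // Orders keeps read rights; the URI check below is what refuses top-level access.
        config.SetEntitySetAccessRule("Shops", EntitySetRights.AllRead);
        config.SetEntitySetAccessRule("Customers", EntitySetRights.AllRead);
        config.SetEntitySetAccessRule("Orders", EntitySetRights.AllRead);
    }

    protected override void OnStartProcessingRequest(ProcessRequestArgs args)
    {
        base.OnStartProcessingRequest(args);
        string first = FirstSegmentName(args.OperationContext.AbsoluteServiceUri, args.RequestUri);
        if (NavigationOnlySets.Contains(first))
        {
            throw new DataServiceException(403, "Access '" + first + "' through its parent entity.");
        }
    }

    // Returns the name in the first path segment after the service root, without any
    // key predicate: "/Shop.svc/Orders(5)/Customer?$top=1" gives "Orders".
    internal static string FirstSegmentName(Uri serviceRoot, Uri requestUri)
    {
        string rootPath = serviceRoot.AbsolutePath.TrimEnd('/') + "/";
        string path = requestUri.AbsolutePath;   // query string is not part of AbsolutePath
        if (!path.StartsWith(rootPath, StringComparison.OrdinalIgnoreCase))
        {
            return string.Empty;                 // request for the service root itself
        }
        // Decode before comparing so a percent-encoded spelling of the name is not missed.
        string first = Uri.UnescapeDataString(path.Substring(rootPath.Length).Split('/')[0]);
        int paren = first.IndexOf('(');
        return (paren >= 0 ? first.Substring(0, paren) : first).Trim();
    }
}
```

This check only decides which entry points exist; it does not decide whose Customers a caller may navigate from, so the per-user query interceptors discussed in the replies are still needed. Confirm on your version that operations inside a $batch request also reach this method.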

All replies

  • Hi Lasse,

    This is a containment scenario and is currently not supported in V1. We are planning to add support for such scenarios in the next release of ADO.NET Data Services. Once the feature is available, the top level access to Orders could be disallowed.

    Thanks

    Waseem

    Monday, October 20, 2008 6:37 PM
    Answerer
  • Hmm, but the next version probably won't come in the near future?

    I have these tables:

    Shops
      --Customers
        --Orders

    And the user has access to the data service with the ShopID (+ password). So I restrict a user to only query the shop's customers.

    So if a user calls /Orders I have to check the order's parent (Customer)'s parent (Shop). I guess that this is a really slow process. But if a user calls /Shops(1)/Customers(1)/Orders I could check only the Customer's parent (Shop), which is in a value in the entity anyway.
    Monday, October 20, 2008 6:53 PM
  • You can do that sort of logic in a query interceptor for Orders and Customers and Shops. Example:

    [QueryInterceptor("Users")]
    public Expression<Func<Users, bool>> UsersInterceptor()
    {
        // Further restrict access to Users. Admins get all records; users only get their own.
        if (HttpContext.Current.User.IsInRole("Admins"))
        {
            return u => true;
        }
        else
        {
            // Some logic that would be valid in your case.
            return u => u.UserID.ToString() == HttpContext.Current.User.Identity.Name;
        }
    }

    Tuesday, October 21, 2008 12:06 AM
  • Thanks, I will try that and return with the result.
    Tuesday, October 21, 2008 12:51 PM
  • That does not work. If I make a QueryInterceptor on Shops which only allows Shop.ID == 1, I can still call /Orders and get orders from a Customer which does not have Shop1 as parent/relation.
    Tuesday, October 21, 2008 10:03 PM
  • The problem is, I have to do the queryinterceptor "nested".

    so I write: return o => o.Customer.Shop.ID == [USERID];

    This can't be performant?
    Tuesday, October 21, 2008 10:22 PM
  • Thanks
    Wednesday, October 22, 2008 5:12 PM
  • Hi Waseem,

    Is this feature available now?

    Thanks

    Friday, February 3, 2012 2:49 AM
  • Hi,

    Containment will not be part of the V3 release (it's defined in the protocol but WCF DS doesn't implement it yet). It's high on our list of things to do next though.

    Thanks,


    Vitek Karas [MSFT]
    Friday, February 3, 2012 11:57 AM
    Moderator
  • Thanks Vitek.
    Friday, February 3, 2012 7:39 PM