EF provider via DbContext, with column level security via custom metadata?

  • Question

  • I would like to use the Entity Framework provider for my WCF Data Service for both queries and updates, but I must have the ability to filter out certain properties in the metadata based on the user's permissions or the context (field/column level authorization). Is it possible to customize the metadata, but still use Entity Framework for queries, updates, and paging, or do I have to implement all of the provider services if I have even one that is custom?

    If so, are there boilerplate implementations that basically just do what the entity framework provider does, given a reference to the DbContext class? 

    Also, is this secure? As in, if I exclude a property in the metadata that's available in the EF code-first model, but the user types in an OData query using that missing property, will it give an error or ignore it as I expect, or will it pass the query through to the query provider? So, for example, say 'Salary' was a field that was restricted. Even though someone couldn't view a person's salary, if the user types in $orderby='Salary', does that result in an error or are the results ordered by salary even though you can't view each salary?

    Friday, November 2, 2012 2:32 AM

Answers

  • Hi,

    The built-in EF provider doesn't have this ability right now. And I'm also not aware of any custom provider implementation which would do what you want.

    It is possible to write a custom provider on top of EF, but it's a non-trivial amount of work. But once you do it, it will be secure (the WCF DS will only allow properties declared in the provider model, it will not know anything about the underlying EF model).

    The other possibility might be to have two EF models and switch between them on the fly.

    Thanks,


    Vitek Karas [MSFT]

    Friday, November 2, 2012 10:03 AM
    Moderator
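
The $orderby concern raised in the question, as an added example that is not part of the original thread: ordering by a hidden column reveals its ranking even when the column is projected out, so any layer that hides properties also has to reject query options that name them. `Person`, `OrderByGuard` and the sample rows are hypothetical names and constructed data; the check is a stand-alone allowlist, not a WCF Data Services API.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical entity for illustration; Salary is the restricted column.
public class Person
{
    public string Name { get; set; }
    public decimal Salary { get; set; }
}

public static class OrderByGuard
{
    // Fail closed: accept only "Property [asc|desc]" segments that name a
    // property in the caller's visible set. Expressions, navigation paths
    // and unknown names are all rejected rather than passed through.
    public static bool IsAllowed(string orderBy, ISet<string> visible)
    {
        foreach (var segment in orderBy.Split(','))
        {
            var parts = segment.Trim().Split(new[] { ' ' }, StringSplitOptions.RemoveEmptyEntries);
            if (parts.Length == 0 || parts.Length > 2) return false;
            if (!visible.Contains(parts[0])) return false;
            if (parts.Length == 2 && parts[1] != "asc" && parts[1] != "desc") return false;
        }
        return true;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample data.
        var people = new List<Person>
        {
            new Person { Name = "Ann", Salary = 90000m },
            new Person { Name = "Bob", Salary = 120000m },
            new Person { Name = "Cy",  Salary = 70000m },
        };
        // Properties this caller may see; OData property names are case-sensitive.
        var visible = new HashSet<string>(StringComparer.Ordinal) { "Name" };

        // Salary is projected away, yet the row order still ranks everyone by pay.
        var leaked = people.OrderByDescending(p => p.Salary).Select(p => p.Name);
        Console.WriteLine(string.Join(", ", leaked));

        foreach (var q in new[] { "Name", "Name desc", "Salary", "Name,Salary desc", "Salary add 0" })
            Console.WriteLine("$orderby={0} -> {1}", q, OrderByGuard.IsAllowed(q, visible) ? "allow" : "reject");
    }
}
```

The same allowlist has to cover every query option that can reference a property, `$filter` included, since a comparison against a hidden column leaks its value just as ordering leaks its rank.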