Hi ValZ, this should be doable (adding an ALL that only shows your own Projects) as I am working on something like this for my Cascading Hierarchical Filter :) I will try and remember to post here when it's done.
See my blog C# Bits | Twitter @sjnaughton Always seeking an elegant solution.
sjnaughton
All-Star
27391 Points
5485 Posts
MVP
Re: Row level security
May 05, 2012 03:50 PM|LINK
Hi BigA, Understand your requirements :) and DD only offers two options as already stated. ValZ's option is a good way to go; I will be doing something like that shortly. Filtering rows is relatively easy; the big issue you will always face is users typing in a URL they know will get them access to an Edit/Details of some data they should not have access to. This is easily fixed using a Domain Service project, as all Select statements can be prefiltered. In my opinion this would be the most secure method; it all depends on how much security you will need.
Always seeking an elegant solution.
valZ
Member
130 Points
41 Posts
Re: Row level security
May 05, 2012 06:43 PM|LINK
Hi, BigA, Hi, Sjnaughton.
The FilterByRole attribute is one of my little accomplishments. I have applied it in real projects for about two years. I am sure that it is able to solve this problem.
In this case, that's what I suggest. There are tables Clients, Projects and ClientTypes. The Projects table must have foreign key columns clientId and clientTypeId. To the tables Clients and ClientTypes you must apply the FilterByRole attribute. For example [FilterByRole("clnt", "clientId")] and [FilterByRole("clntType", "clientTypeId")]. Add these roles to a specific client.
A small note. Since the FilterByRole attribute deletes the ALL item, you must supply an additional parameter - withAll.
Thus, the Projects table will have two filters: Client (with All), and ClientType (without All). As a result, if All is selected in the Client filter, you can see all Projects of your clientType. Otherwise - only your own projects.
Regards.
sjnaughton
All-Star
27391 Points
5485 Posts
MVP
Re: Row level security
May 05, 2012 08:05 PM|LINK
Always seeking an elegant solution.
valZ
Member
130 Points
41 Posts
Re: Row level security
May 06, 2012 03:51 AM|LINK
Hi, Sjnaughton.
In my view, the Client filter should have two items - All and the user's own ClientId. The ClientType filter should have only one item - the user's own clientTypeId. Thus, if All is selected in the Client filter, the user will see all their own and others' projects of the same clientType. Isn't it?
Oh, and one more thing. Although I did not quite understand the place of the cascade filter in this example, I want to express my gratitude and admiration of thy works and in particular of Cascading Hierachca :).
sjnaughton
All-Star
27391 Points
5485 Posts
MVP
Re: Row level security
May 06, 2012 09:35 AM|LINK
Hi ValZ, the thing I am working on with Cascade Hierarchical Filter is to take this hierarchy
Manufacturer->Model->Style
and let's say you have three Manufacturers
VW
Audi
Ford
at the moment if you select a Manufacturer or Model then the filter will not be applied, but with my new version that I am working on, if you select say Ford you will get all Ford cars listed in the list page. So the query will essentially get a list of all Ford car PKs and then do a multi FK filter on them :)
Always seeking an elegant solution.
biga
Member
72 Points
54 Posts
Re: Row level security
May 07, 2012 08:17 AM|LINK
Hi Steve, ValZ,
Thanks for your advice. I am going to try Domain Service because if users can edit the URL and get to data they shouldn't see that will be a problem for me.
biga
Member
72 Points
54 Posts
Re: Row level security
May 07, 2012 08:40 AM|LINK
valZ
Member
130 Points
41 Posts
Re: Row level security
May 08, 2012 03:53 AM|LINK
I solve this issue in this way:
    protected void Page_Init(object sender, EventArgs e)
    {
        // Redirect to the default page when the request has no referrer.
        if (Request.UrlReferrer == null)
            Response.Redirect("~/Default.aspx");
    }
biga
Member
72 Points
54 Posts
Re: Row level security
May 08, 2012 03:06 PM|LINK
Hi valZ,
Thanks, presumably that is a foolproof method and UrlReferrer will always be null if they don't get to the page by linking from a previous one?
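Added example, not part of the thread and not Dynamic Data or FilterByRole code: Request.UrlReferrer is parsed from the Referer header, which the client supplies, so the sketch below enforces the row scope inside the query itself, in the spirit of the prefiltered Select statements mentioned earlier. The types Project, CallerScope and ProjectReader and the sample rows are hypothetical; the caller's clientId and clientTypeId are assumed to come from the authenticated identity on the server.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Constructed sample model; names are assumptions, not the thread's schema.
public record Project(int Id, int ClientId, int ClientTypeId, string Name);

// Scope of the signed-in user, resolved on the server from the authenticated
// identity, never from the URL, query string or Referer header.
public record CallerScope(int ClientId, int ClientTypeId);

public class ProjectReader
{
    private readonly IQueryable<Project> _projects;
    private readonly CallerScope _caller;

    public ProjectReader(IEnumerable<Project> projects, CallerScope caller)
    {
        _projects = projects.AsQueryable();
        _caller = caller;
    }

    // Every read starts from this prefiltered query: always the caller's
    // clientType, and only the caller's own client unless "All" is chosen.
    private IQueryable<Project> Visible(bool allClients) =>
        _projects.Where(p => p.ClientTypeId == _caller.ClientTypeId
                          && (allClients || p.ClientId == _caller.ClientId));

    public List<Project> List(bool allClients) => Visible(allClients).ToList();

    // Details lookup: the id comes from the URL, so it is resolved against
    // the prefiltered set. An out-of-scope id returns null however the page
    // was reached.
    public Project? FindForDetails(int idFromUrl) =>
        Visible(allClients: true).SingleOrDefault(p => p.Id == idFromUrl);

    // Edit lookup: restricted to the caller's own rows.
    public Project? FindForEdit(int idFromUrl) =>
        Visible(allClients: false).SingleOrDefault(p => p.Id == idFromUrl);
}

public static class Demo
{
    public static void Main()
    {
        var rows = new[] {                        // constructed sample rows
            new Project(1, 10, 1, "own project"),
            new Project(2, 11, 1, "same client type, other client"),
            new Project(3, 12, 2, "other client type"),
        };
        var reader = new ProjectReader(rows, new CallerScope(10, 1));
        Console.WriteLine($"own: {reader.List(false).Count}, all: {reader.List(true).Count}");
        Console.WriteLine($"details id=3 found: {reader.FindForDetails(3) != null}");
        Console.WriteLine($"edit id=2 found: {reader.FindForEdit(2) != null}");
    }
}
```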