Using Linq with authorizers

neilx
User
Posts: 267
Joined: 02-Nov-2007
# Posted on: 08-Jun-2011 00:02:03   

LLB v2.6 2.6.10.809 (SD.LLBLGen.Pro.LinqSupportClasses.NET35.dll) 2.6.10.930 (SD.LLBLGen.Pro.ORMSupportClasses.NET20.dll) 2.6.10.917 (SD.LLBLGen.Pro.DQE.SqlServer.NET20.dll)

I am learning how to use authorizers and see that using any type of projection will bypass the authorizer. That means projections to DTOs, counts and sums will potentially use unauthorized data.

Are there any guidelines for using Linq with Authorizers you can offer so I can write code that does what I expect it to do with my authorizers?

The main practice I can think of is that all Linq statements should not use .Select() and that projections are done on fetched data only.

If you know of other areas that need care, I would be grateful. Prefetch Paths for example?

Does this limit the use of authorizers in a major way?

daelmo
Support Team
Posts: 8245
Joined: 28-Nov-2005
# Posted on: 08-Jun-2011 04:28:17   

neilx wrote:

I am learning how to use authorizers and see that using any type of projection will bypass the authorizer. That means projections to DTOs, counts and sums will potentially use unauthorized data.

Are there any guidelines for using Linq with Authorizers you can offer so I can write code that does what I expect it to do with my authorizers?

Unfortunately you can't authorize through LLBLGen Authorizers in projection fetches. The reason is explained in this post: http://www.llblgen.com/TinyForum/Messages.aspx?ThreadID=15479&StartAtMessage=0&#86205

So, as long as your Linq query is retrieving entities, the authorizer is used. And no authorizer routines are used in projections.

neilx wrote:

If you know of other areas that need care, I would be grateful. Prefetch Paths for example?

PrefetchPaths are ok with Authorizers as they are in the entity fetch pipeline. If you use TypedViews, DynamicLists or StoredProcedures, your Authorizer is not applied either (these objects are not entities).

David Elizondo | LLBLGen Support Team
neilx
User
Posts: 267
Joined: 02-Nov-2007
# Posted on: 08-Jun-2011 08:03:33   

As I suspected from the couple of tests so far. So, using authorizers in a general way in a team of developers needs a full understanding of this difference in the use of authorizers, dependent on the way the code is written.

I think the safest guideline is that every application should include tests to ensure the authorizers are in operation and make this an item to check in the code review.

Thanks for your comments.
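
A review aid for the guideline discussed in this thread, as an added example that is not part of any post and is not LLBLGen code: a Python script that scans C# source for LINQ statements that project or aggregate in the database before any entities are fetched, which is where the authorizer is not applied. It assumes the `LinqMetaData` variable is named `metaData`; the operator lists and the C# sample are constructed for illustration.

```python
import re

ROOT = "metaData"  # assumed name of the LinqMetaData variable
# Select, Count and Sum are the cases named in the thread; the other
# operators are added here on the same reasoning (they return no entities).
PROJECTING = {"Select", "SelectMany", "Count", "LongCount", "Sum", "Min", "Max", "Average"}
# After one of these the rest of the chain runs in memory on fetched entities.
MATERIALIZING = {"ToList", "ToArray", "AsEnumerable"}
_CALL = re.compile(r"\.\s*(\w+)\s*\(")
_QUERY_SELECT = re.compile(r"\bselect\s+(?:new\b|\w+\s*\.)")

def find_db_projections(source, root=ROOT):
    """Return [(line, operator)] for statements that project before fetching."""
    # Heuristic: splits on ';', so comments and statement lambdas can confuse it.
    findings, line = [], 1
    for statement in source.split(";"):
        lead = len(statement) - len(statement.lstrip())
        start = line + statement[:lead].count("\n")
        line += statement.count("\n")
        rooted = re.search(r"\b%s\s*\." % re.escape(root), statement)
        if not rooted:
            continue
        chain = statement[rooted.start():]
        # Only the part before the first materializing call runs in the database.
        cutoff = next((c.start() for c in _CALL.finditer(chain)
                       if c.group(1) in MATERIALIZING), len(chain))
        db_part = chain[:cutoff]
        hit = next((c.group(1) for c in _CALL.finditer(db_part)
                    if c.group(1) in PROJECTING), None)
        if hit is None and _QUERY_SELECT.search(db_part):
            hit = "select"  # query syntax: "select new {...}" or "select x.Field"
        if hit:
            findings.append((start, hit))
    return findings

# Constructed C# sample; entity and DTO names are invented for illustration.
SAMPLE = """\
var metaData = new LinqMetaData(adapter);
var customers = metaData.Customer.Where(c => c.Country == "NL").ToList();
var names = metaData.Customer
    .Where(c => c.Country == "NL")
    .Select(c => new CustomerDto { Name = c.CompanyName });
int total = metaData.Order.Count();
var safe = metaData.Customer.ToList().Select(c => c.CompanyName);
var q = from o in metaData.Order select new { o.OrderId, o.Freight };
"""
if __name__ == "__main__":
    for line_no, op in find_db_projections(SAMPLE):
        print("line %d: %s runs in the database, no authorizer" % (line_no, op))
```

A finding is a prompt for the reviewer, not proof of a problem; the tests neilx proposes are still what confirms that an authorizer is actually in operation.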