I was asking myself if it is a good practice to have a different outcome / behaviour of a service method based on permissions? For example, the GetAll method in a service might return only the objects that I have created if I do not have a "see all" permission. Or the update method might ignore some properties if I do not have the permission to edit all properties of a given object.
I have this notion that one has the permission to either call an action or not. Maybe I am wrong with that one?
1 Answer(s)
Hi,
These are possibilities and I don't see them as wrong. But for the edit/update, you should not show 'uneditable' properties to the user on editing (that means you should also check permissions while rendering the edit form).
For the 'GetAll' approach, you may want to check the 'organization unit' system if your case is similar: http://www.aspnetboilerplate.com/Pages/Documents/Zero/Organization-Units. OUs are used to restrict rows for users.
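As an added illustration of the two patterns discussed in the question and answer (not code from this thread or from ASP.NET Boilerplate itself), here is an application service that applies the row-level "see all" rule in GetAll and the property-level rule in Update on the server, so the rule holds even when the edit form already hides the field. The Document entity, the DTO and the permission names are assumptions made for this example; the ABP types used (ApplicationService, IRepository, PermissionChecker, AbpSession, WhereIf) are the framework's own.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Abp.Application.Services;
using Abp.Authorization;
using Abp.Domain.Entities.Auditing;
using Abp.Domain.Repositories;
using Abp.Linq.Extensions;
// Hypothetical entity; CreationAuditedEntity supplies CreatorUserId.
public class Document : CreationAuditedEntity
{
    public string Title { get; set; }
    public string Classification { get; set; }   // the property only some users may edit
}
public class DocumentDto
{
    public int Id { get; set; }
    public string Title { get; set; }
    public string Classification { get; set; }
}
// Permission names are placeholders chosen for this example.
[AbpAuthorize("Documents.View")]   // the whole service needs the base permission
public class DocumentAppService : ApplicationService
{
    private readonly IRepository<Document> _repository;
    public DocumentAppService(IRepository<Document> repository) { _repository = repository; }
    // Row-level rule: without the "see all" permission, only the caller's own rows come back.
    public async Task<List<DocumentDto>> GetAll()
    {
        var seeAll = await PermissionChecker.IsGrantedAsync("Documents.ViewAll");
        return _repository.GetAll()
            .WhereIf(!seeAll, d => d.CreatorUserId == AbpSession.UserId)
            .Select(d => new DocumentDto { Id = d.Id, Title = d.Title, Classification = d.Classification })
            .ToList();
    }
    // Property-level rule, enforced here even if the edit form already hides the field.
    [AbpAuthorize("Documents.Edit")]
    public async Task Update(DocumentDto input)
    {
        var doc = await _repository.GetAsync(input.Id);
        // The row restriction applies to writes too, so a caller cannot edit rows it may not see.
        if (!await PermissionChecker.IsGrantedAsync("Documents.ViewAll") && doc.CreatorUserId != AbpSession.UserId)
            throw new AbpAuthorizationException("Not allowed to edit this document.");
        doc.Title = input.Title;
        if (await PermissionChecker.IsGrantedAsync("Documents.EditClassification"))
            doc.Classification = input.Classification;   // otherwise the submitted value is ignored
        // The unit of work commits the tracked changes when the method returns.
    }
}
```

Silently ignoring the restricted property matches the behaviour described in the question; throwing AbpAuthorizationException instead is the stricter choice when a client sending that field should be treated as an error rather than a UI inconsistency.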