Problem filtering the ObjectQuery.Include method by permission business logic
I created a middleware layer between the BL and the Entity Framework DAL for filtering the data by the user permission business logic in the application. My layer implements IObjectSet, which has an instance of the "non-filtered ObjectSet", and the filter expression runs whenever the ObjectSet is in use. Everything works great except for the method "Include". I found a solution that creates an extension method that converts the "non-filtered ObjectSet" to ObjectQuery and uses the ObjectQuery.Include method, but this solution can cause a bypass of the permission filtering.
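    public IQueryable<TEntity> Include<TJoin>(string path)
    {
        // Include exists only on ObjectQuery<T>, so the unfiltered set is cast.
        // The permission filter expression is not applied on this path.
        if (_nonAuthorizedObjectSet is ObjectQuery<TEntity>)
        {
            var result = ((ObjectQuery<TEntity>)_nonAuthorizedObjectSet).Include(path);
            return result as IQueryable<TEntity>;
        }

        // Needed so that every code path returns or throws; otherwise this does not compile.
        throw new InvalidOperationException("The underlying set is not an ObjectQuery<TEntity>.");
    }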
For example:
The table named "Items" has the columns {Item_Id, Owner, Item_Type_Id}.
This table has a permission logic that the user can only see the items where Owner==user.
The table "Item_Types" has no permission logic.
By doing:
PermittedDAL.Items.ToArray() – gets only the items where current_user==Owner.
Item_Types.Include("Items")
Problem!! - I get all the items.
Thanks
Comments (1)
EF does not support filtering eager loaded records (Include). Only main records can be filtered. If you need to filter relations you must either use custom projections or separate queries for each relation.
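
The custom-projection approach from the answer above, as an added example that is not part of the original thread: the owner check is applied to the related collection inside the query instead of calling Include("Items"). The class names, the ItemTypeView type, the method name and the sample data are assumptions; the query runs here on LINQ to Objects so that it is self-contained.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical entity classes mirroring the tables in the question.
public class Item
{
    public int Item_Id { get; set; }
    public string Owner { get; set; }
    public int Item_Type_Id { get; set; }
}
public class ItemType
{
    public int Item_Type_Id { get; set; }
    public ICollection<Item> Items { get; set; }
}
// Projection result (assumed name): exposes only the filtered items, not the
// entity itself, so callers cannot reach the unfiltered navigation property.
public class ItemTypeView
{
    public int Item_Type_Id { get; set; }
    public IEnumerable<Item> PermittedItems { get; set; }
}
public static class PermittedQueries
{
    // The permission predicate is part of the projection, so related rows are
    // filtered in the query itself rather than eager-loaded unfiltered.
    public static IQueryable<ItemTypeView> TypesWithPermittedItems(
        IQueryable<ItemType> itemTypes, string currentUser)
    {
        return itemTypes.Select(t => new ItemTypeView
        {
            Item_Type_Id = t.Item_Type_Id,
            PermittedItems = t.Items.Where(i => i.Owner == currentUser)
        });
    }
}
public static class Program
{
    public static void Main()
    {
        // Constructed sample data: one type with items owned by two users.
        var type1 = new ItemType { Item_Type_Id = 1, Items = new List<Item> {
            new Item { Item_Id = 10, Owner = "alice", Item_Type_Id = 1 },
            new Item { Item_Id = 11, Owner = "bob", Item_Type_Id = 1 } } };
        var itemTypes = new[] { type1 }.AsQueryable();
        foreach (var v in PermittedQueries.TypesWithPermittedItems(itemTypes, "alice"))
            Console.WriteLine("type {0}: items {1}", v.Item_Type_Id,
                string.Join(",", v.PermittedItems.Select(i => i.Item_Id)));
    }
}
```

In the permission layer, the point to carry over is that any path returning related rows must apply the same owner predicate as the filtered Items set.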