How does one usually go about security trimming RIA services results?
With RIA services, you easily end up exposing quite a few service operations, many of which ought to imply business specific (contextual) security considerations.
Storing the current user in a session or similar, and figuring ou开发者_C百科t who he/she represents on each query operation is all well and good; but is this the common / best way of going about things?
I'd very much appreciate some guidance on best practices here :-)
Yes the checking has to be done by something, so you might as well use the standard membership/role providers (or your own replacements).
You can attribute the RIA services methods with required roles (e.g. using [RequiresRole("RoleName")]
) then the checks are not handled explicitly by you.
精彩评论