Use Reflection to control winforms user permissions?
-
Hi all, I'm hoping someone who knows more about Reflection or the internals of the framework than me can help me out on this one.

I'm working on a very large and complex WinForms 2.0 app in VB.Net 2.0. We will have quite a few different types of users (e.g. Data admin, viewer, editor, business rules manager, etc.) and I have been tasked with designing and implementing the security model that handles what each user can do. I intend to base it on our own in-house User, User Role and Permissions Oracle 9i tables (i.e. a pretty standard security model).

Someone suggested that rather than having a call to some method like SecurityModule.CheckUserPermission() in every method, I could use Reflection to find out what method was currently invoked (how?!) and then check the user permission against a table (loaded into memory) which would contain the user's role and therefore whether they had a right to use that method. For example, the AddNewEmployee() method might only be available to the "DataAdmin" and the "HRAdmin" roles and all others would not be allowed to execute the method - it would just give them an appropriate dialog.

So does anyone have any thoughts on how to do this? If the above idea is workable, can someone point me in the right direction to get started? I've hardly ever used Reflection so am not sure how to go about designing this. Otherwise, does anybody have any better ideas for a security model than having to place CheckUserPermission() calls all through this very large app?

TIA for any help/info/suggestions.

Mike
-
To get the method you are in, you can use the System.Diagnostics.StackFrame class. You would use new StackFrame().GetMethod().Name. Note, however, that it is going to be expensive to use reflection to retrieve permissions for users using Reflection based on the called method, and you are relying on developers remembering to put the necessary "plumbing" code into each method. (Either that, or you are going to be injecting code into every method - and that is a whole different can of worms.)

I've done something similar to this in the past, and used Extender Providers to control what is available to a user. Shameless plug here - this article http://www.codeproject.com/useritems/AutoEnableUI.asp shows the basics of how to do this. Extending it to use your role model should be fairly trivial.

Deja View - the feeling that you've seen this post before.
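The approach discussed in this thread, as an added example that is not part of the original posts: a central check that identifies its caller with StackFrame and consults an in-memory role table, denying anything not listed. SecurityModule.CheckUserPermission and AddNewEmployee are the names from the question; Grant, EmployeeService, the role array parameter and the table contents are hypothetical. The check skips one frame to reach its caller, and both methods are marked NoInlining because JIT inlining would otherwise change which method the frame reports.

```vb
Imports System
Imports System.Collections.Generic
Imports System.Diagnostics
Imports System.Reflection
Imports System.Runtime.CompilerServices

Public Module SecurityModule
    ' "Namespace.Type.Method" -> roles allowed to call it. Assumption: the real
    ' application fills this once from its Permissions tables.
    Private ReadOnly allowed As New Dictionary(Of String, List(Of String))(StringComparer.Ordinal)

    ' Hypothetical helper: registers the roles permitted to call one method.
    Public Sub Grant(ByVal owner As Type, ByVal methodName As String, ByVal ParamArray roles() As String)
        allowed(owner.FullName & "." & methodName) = New List(Of String)(roles)
    End Sub

    ' Frame 0 is this method, frame 1 is the method that called it.
    <MethodImpl(MethodImplOptions.NoInlining)> _
    Public Function CheckUserPermission(ByVal userRoles() As String) As Boolean
        Dim caller As MethodBase = New StackFrame(1, False).GetMethod()
        If caller Is Nothing OrElse caller.DeclaringType Is Nothing Then Return False
        Dim key As String = caller.DeclaringType.FullName & "." & caller.Name
        Dim roles As List(Of String) = Nothing
        ' Fail closed: a method missing from the table is denied to everyone.
        If Not allowed.TryGetValue(key, roles) Then Return False
        For Each role As String In userRoles
            If roles.Contains(role) Then Return True
        Next
        Return False
    End Function
End Module

Public Class EmployeeService
    ' If this method were inlined into its caller, the check would see that
    ' caller's name instead and deny (or wrongly allow) the call.
    <MethodImpl(MethodImplOptions.NoInlining)> _
    Public Function AddNewEmployee(ByVal userRoles() As String) As Boolean
        If Not SecurityModule.CheckUserPermission(userRoles) Then Return False
        ' ... the actual insert would go here ...
        Return True
    End Function
End Class

Module Demo
    Sub Main()
        ' Constructed sample data matching the roles named in the question.
        SecurityModule.Grant(GetType(EmployeeService), "AddNewEmployee", "DataAdmin", "HRAdmin")
        Dim svc As New EmployeeService()
        Console.WriteLine("HRAdmin allowed: " & svc.AddNewEmployee(New String() {"HRAdmin"}))
        Console.WriteLine("Viewer allowed:  " & svc.AddNewEmployee(New String() {"Viewer"}))
    End Sub
End Module
```

Keying on the method name alone does not distinguish overloads, so overloaded methods share one table entry in this sketch.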