发表新帖
发表新帖

Virtual Navigation Properties and Multi-Tenancy

后端 未结
关注
2 635
失恋的感觉
失恋的感觉 2020-12-18 10:19

I have a standard DbContext with code like the following: 

 public DbSet Interests { get; set; }
 public DbSet Users
2条回答
  • 悲哀的现实
    悲哀的现实 (楼主)
    2020-12-18 10:23

    As far as I know, there's no other way than to either use reflection or query the properties by hand.

    So in your IQueryable FilterTenant(IQueryable values) method, you'll have to inspect your type T for properties that implement your ITenantData interface.

    Then you're still not there, as the properties of your root entity (User in this case) may be entities themselves, or lists of entities (think Invoice.InvoiceLines[].Item.Categories[]).

    For each of the properties you found by doing this, you'll have to write a Where() clause that filters those properties.

    Or you can hand-code it per property.

    These checks should at least happen when creating and editing entities. You'll want to check that navigation properties referenced by an ID property (e.g. ContactModel.AddressID) that get posted to your repository (for example from an MVC site) are accessible for the currently logged on tenant. This is your mass assignment protection, which ensures a malicious user can't craft a request that would otherwise link an entity to which he has permissions (a Contact he is creating or editing) to one Address of another tenant, simply by posting a random or known AddressID.

    If you trust this system, you only have to check the TenantID of the root entity when reading, because given the checks when creating and updating, all child entities are accessible for the tenant if the root entity is accessible.

    Because of your description you do need to filter child entities. An example for hand-coding your example, using the technique explained found here:

    public class UserRepository
{
    // ctor injects _dbContext and _tenantId

    public IQueryable GetUsers()
    { 
        var user = _dbContext.Users.Where(u => u.TenantId == _tenantId)
                                   .Select(u => new User
                                   {
                                       Interests = u.Interests.Where(u => 
                                                     u.TenantId == _tenantId),
                                       Other = u.Other,
                                   };                               
        }
    }
}

    But as you see, you'll have to map every property of User like that.

    0 讨论(0)
 看不清?
提交回复
热议问题