I have an existing ASP.Net Web Application. I will be migrating from SQLDataSources and code SQL (bad, I know) to a service model and want to use the DataAccess ORM and an ASP.Net Web API. My database is shared between multiple companies. These companies should not be able to modify each other's data or view each other's data. I have a column on many of the tables whereby there is a company ID that signifies which user is allowed to modify or view a record. Also, I have a permissions table that I need to validate against to make sure the particular user has the permissions needed to be able to perform that operation on a particular set of data for a company (so it's not just company-level validation). A short example of the data structure is as follows:
Table --> Companies
  Company ID
  Company Name
Table --> Projects
  Project ID
  Company ID
  Project Name
Table --> Users
  UserID
  Password
  Company ID
Table --> Permissions
  User ID
  Allowed Permission
I have been reading through the documentation and watching the videos and would like to post the question. In the example above, I want to validate that a user attempting to CRUD on the 'Projects' table is only doing so if their company ID matches the Company ID of the projects they wish to create, read, update, or delete and they have the available permissions. Where is the best place to implement the validation of a user who is attempting to CRUD records? By best, I mean the safest (#1) and most application and DB efficient. I currently have forms-based authentication with the user data stored in the same database (it actually is much more complicated than what is above). I have no issues controlling the access because I can validate on the application side each time a CRUD is attempted using the session variable acquired whenever a session is renewed. Going forward I do not want to have to add this logic in at each operation and I would like to create the logic once and apply it to most of the operations. What would be the best way to go about this using Telerik DataAccess?
I saw the documentation about adding an interceptor which seems like it is a possible solution. Are there other solutions that can be recommended for this use case? http://docs.telerik.com/data-access/developers-guide/using-web-services/data-services/developer-guide-wcfservices-data-service-validation
Thanks!
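As an added example (not code from the post and not Telerik DataAccess's own API, so it does not use the interceptor), here is one way to write the company-match and permission check once and route every CRUD path through it; the entity classes, TenantGuard, ProjectRepository and the permission strings such as "Projects.Update" are assumptions for illustration, and the sample rows are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
// Constructed entities mirroring the Companies/Projects/Users/Permissions tables in the post.
public class User { public int UserId; public int CompanyId; }
public class Project { public int ProjectId; public int CompanyId; public string ProjectName; }
public enum Operation { Create, Read, Update, Delete }
// Single place that enforces both rules: same company, and the user holds the permission.
public class TenantGuard
{
    private readonly ILookup<int, string> _permissions; // User ID -> Allowed Permission rows
    public TenantGuard(IEnumerable<(int UserId, string Permission)> rows) =>
        _permissions = rows.ToLookup(r => r.UserId, r => r.Permission);
    public bool IsAllowed(User user, Project project, Operation op) =>
        project.CompanyId == user.CompanyId                       // tenant isolation
        && _permissions[user.UserId].Contains("Projects." + op);  // e.g. "Projects.Update" (assumed naming)
}
// Every CRUD path goes through the guard, so the rule is written once and cannot be forgotten.
public class ProjectRepository
{
    private readonly List<Project> _table; // stands in for the DataAccess context
    private readonly TenantGuard _guard;
    public ProjectRepository(List<Project> table, TenantGuard guard) { _table = table; _guard = guard; }
    // Reads are filtered rather than rejected: other companies' rows are simply invisible.
    public IEnumerable<Project> Query(User user) =>
        _table.Where(p => _guard.IsAllowed(user, p, Operation.Read));
    public void Update(User user, Project incoming)
    {
        var stored = _table.Single(p => p.ProjectId == incoming.ProjectId);
        // Authorize against the stored row and refuse a CompanyId change, so a relabelled payload cannot reach another tenant's record.
        if (!_guard.IsAllowed(user, stored, Operation.Update) || incoming.CompanyId != stored.CompanyId)
            throw new UnauthorizedAccessException("project " + incoming.ProjectId);
        stored.ProjectName = incoming.ProjectName;
    }
}
public static class Demo
{
    public static void Main()
    {
        var projects = new List<Project> {
            new Project { ProjectId = 1, CompanyId = 10, ProjectName = "Alpha" },
            new Project { ProjectId = 2, CompanyId = 20, ProjectName = "Beta" } };
        var guard = new TenantGuard(new[] { (7, "Projects.Read"), (7, "Projects.Update") });
        var repo = new ProjectRepository(projects, guard);
        var alice = new User { UserId = 7, CompanyId = 10 }; // constructed user of company 10
        Console.WriteLine(string.Join(",", repo.Query(alice).Select(p => p.ProjectName))); // Alpha only
        try { repo.Update(alice, new Project { ProjectId = 2, CompanyId = 10, ProjectName = "X" }); }
        catch (UnauthorizedAccessException e) { Console.WriteLine("denied: " + e.Message); }
    }
}
```

The same IsAllowed call is what a DataAccess interceptor or a Web API authorization filter would invoke, so the rule lives in one place regardless of which layer triggers it.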