

Securing Entities in ASP.NET Dynamic Data

This first post is about controlling which tables get exposed through Dynamic Data. It's important to remember you have complete control over this and there are essentially two approaches:

  1. The "demo friendly" approach (which you'll see me using a lot) where I ask Dynamic Data simply to scaffold all my tables. I still have control (we'll come back to that) but my start point is "show me everything".
  2. The "start from scratch" approach where I don't expose anything by default but instead I explicitly add tables by creating custom pages for them.

"Demo Friendly"

For the "demo friendly" approach, I set the ScaffoldAllTables property to true in my ContextConfiguration when I register my data context in Global.asax:

    ' Uncomment this line to register your data context with the Dynamic Data engine.
    ' Only set ScaffoldAllTables = true if you are sure that you want all your tables
    ' to support a scaffold (i.e. templated) view.
    model.RegisterContext(GetType(NorthwindDataContext), _
        New ContextConfiguration() With {.ScaffoldAllTables = True})

(Yes, I'm doing this in VB.NET in tribute to Eric's efforts to champion VB. I felt I ought to have a bash)

If I don't want a particular table to be scaffolded, I take a similar approach to that used when customising the model (e.g. hiding a column or adding some validation): I create a partial class that extends the class I want to modify and add the relevant attributes. In this case we might do something like this to prevent the Products table being scaffolded:

    <Scaffold(False)> _
    Partial Public Class Product
    End Class

"Start from Scratch"

Taking the "start from scratch" approach, I set ScaffoldAllTables to false and expose the tables and views using custom pages. So, for example, to expose a "List" view on the Northwind Orders and Order_Details tables but not the Products table, I might end up with a site structure that looks like that on the left.

I could, of course, just remove the tables I want to hide from my model, but that means I lose the foreign key lookup: instead of seeing product "Tofu" in my Order_Details table, I see product id 17 or the like.
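
With ScaffoldAllTables set to true, every table added to the model later is exposed unless someone remembers to opt it out. The following is an added example (not code from the original post) of a startup check that compares the scaffolded tables against an allowlist. It assumes the release System.Web.DynamicData API (MetaModel.Tables, MetaTable.Scaffold, MetaTable.Name); the ScaffoldAudit module and the allowlist contents are hypothetical.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.Web.DynamicData

' Added example: startup audit of which tables the Dynamic Data model scaffolds.
' ScaffoldAudit and the allowlist below are hypothetical names for illustration.
Public Module ScaffoldAudit

    ' Tables we intend to expose (constructed sample, following the post's example).
    Private ReadOnly ApprovedTables As New HashSet(Of String)( _
        New String() {"Orders", "Order_Details"}, StringComparer.OrdinalIgnoreCase)

    ' Returns the names of scaffolded tables that are not on the allowlist.
    Public Function FindUnexpectedScaffolds(ByVal model As MetaModel) As List(Of String)
        Dim unexpected As New List(Of String)()
        For Each table As MetaTable In model.Tables
            ' Scaffold is the effective setting for this table in the registered model.
            If table.Scaffold AndAlso Not ApprovedTables.Contains(table.Name) Then
                unexpected.Add(table.Name)
            End If
        Next
        Return unexpected
    End Function

    ' Call right after model.RegisterContext(...) in Global.asax.
    ' Throwing here stops the application from starting with an unapproved table exposed.
    Public Sub AssertOnlyApprovedTables(ByVal model As MetaModel)
        Dim unexpected As List(Of String) = FindUnexpectedScaffolds(model)
        If unexpected.Count > 0 Then
            Throw New InvalidOperationException( _
                "Unapproved tables are scaffolded: " & _
                String.Join(", ", unexpected.ToArray()))
        End If
    End Sub

End Module
```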


Comments

  • Anonymous
    August 06, 2008
    In the last post I talked about how to expose or hide specific tables in ASP.NET Dynamic Data. What if