I am looking for some best practices on how to handle the following scenario - flowing permissions from WCF service layer through to UI:

I have WCF services with methods that have been decorated with the PrincipalPermission attribute. I would like a means to allow a client to check if they have the required permissions before invoking the method.

A basic example of this could be checking whether a user can perform a specific function (say submitting an order), which can then be used to enable/disable a button within the UI.

Possible options are to add "chatty" operations like bool CanSubmitOrder() to the service, or instead have a single method OrderServicePermissions GetPermissions() which returns a message with a property CanSubmitOrder? I can then set the enabled state of a "Submit Order" button to the result.

So does anybody know of a better approach, or even a best practice?

Thanks in advance!

A: 

The whole point of having PrincipalPermission attributes on your service calls is that you don't have to check ahead of time whether or not the caller has the rights to call - if he doesn't, the WCF runtime will throw an exception.

Why not just rely on this built-in mechanism? Why not just put your service calls in a try..catch block and handle the exceptions if they do actually occur? It should be the "exceptional" case anyway, right?

I don't see any other "magic" way besides what you described. But the generally accepted practice would be to call and handle any exceptions if they occur.

Marc

marc_s
I think it really comes down to the UI and workflow I guess - there may be scenarios where it would be useful to know what a user can do ahead of time, without incurring the additional costs of multiple service calls and exception throwing/management. An example is setting up the default state of a view based on permissions. Instead of then making multiple calls to various methods, handling the exceptions and setting the state, it makes more sense to me to make a single call to get the details and then set the state with the results.
Frank Bell
I think I am going to go with the OrderServicePermissions GetPermissions() route, which will allow me to add the OrderServicePermissions message to other service call results where appropriate, to reduce the number of calls required. It's really about the same amount of work, but it allows me to wrap it all into the service, keeping my client as thin and simple as possible. Thanks for your comments though...
Frank Bell
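
The two approaches in this thread combined, as an added example that is not code from the question or the answer: GetPermissions() returns a UI hint, while the PrincipalPermission demand on SubmitOrder stays the actual enforcement point and the client still handles a denial. The role name "OrderSubmitters", the SubmitOrder signature and the OrderClient helper are assumptions made for illustration.

```csharp
using System;
using System.Runtime.Serialization;
using System.Security.Permissions;
using System.ServiceModel;
using System.ServiceModel.Security;
using System.Threading;

[DataContract]
public class OrderServicePermissions
{
    [DataMember] public bool CanSubmitOrder { get; set; }
}

[ServiceContract]
public interface IOrderService
{
    [OperationContract] OrderServicePermissions GetPermissions();
    [OperationContract] void SubmitOrder(string orderId);
}

public class OrderService : IOrderService
{
    // Assumed role name. One constant feeds both the demand and the hint,
    // so the UI hint cannot drift away from what is actually enforced.
    private const string SubmitRole = "OrderSubmitters";

    // Advisory only: tells the client how to render its UI.
    public OrderServicePermissions GetPermissions()
    {
        var principal = Thread.CurrentPrincipal;
        return new OrderServicePermissions
        {
            CanSubmitOrder = principal != null && principal.IsInRole(SubmitRole)
        };
    }

    // Enforcement: the demand runs on every call, whatever the client
    // was told earlier or chose to display.
    [PrincipalPermission(SecurityAction.Demand, Role = SubmitRole)]
    public void SubmitOrder(string orderId)
    {
        if (string.IsNullOrWhiteSpace(orderId))
            throw new ArgumentException("orderId is required", "orderId");
        // Order processing would go here.
    }
}

public static class OrderClient
{
    // Hypothetical client helper: roles can change between the hint and the
    // call, so a denied call is still handled instead of assumed impossible.
    public static bool TrySubmit(IOrderService proxy, string orderId)
    {
        try { proxy.SubmitOrder(orderId); return true; }
        catch (SecurityAccessDeniedException) { return false; }
    }
}
```

A client that skips or ignores GetPermissions() gains nothing, because the button state is never what authorizes the call.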