How to handle authorization when using NHibernate in .NET

Question

I'm using the repository pattern to query our database using NHibernate. It makes it really easy to do things like:

public T GetById(int id) {...}

But that doesn't help much when someone start mucking with the querystrings to see things they aren't allowed to.

To compound it, some objects are deeply nested children of the parent object which the authorization should be performed on.

For instance blog --> author --> post --> comment. In this contrived example we'd like to give authors the ability to edit their own posts and comments on those posts, but not see or edit those of other authors. It's easy to check the post belongs to the author, it's a little more difficult to make sure the comment belongs to the author. We have some instances that go deeper.

So ... how do we do authorization (in the model or repository)?

Answer 1

You could implement the Decorator Pattern - I presume you're using an DP/IoC Container to inject your IRepositories?

You'd create an ISecureRepository that checks the calls made are valid for the specific user/request type, and then passed the call back onto the IRepository. This also give you the ability to call the method, and then check the return type...

You'd then setup you're IoC to use an ISecureRepository wrapped around IRepository...

Sounds so simple...

Answer 2

This might be a good implementation for your needs: http://www.codeproject.com/KB/web-security/objectlevelsecurity.aspx, it's an ACL-based model.