We need to provide an API for an Activity Feed (think of Facebook) and we decided to give OData a try. We are using .NET so we went for WCF Data Service but we don't use Entity Framework (or any other ORM) so we will use the Reflection Provider. Because we have complex business logic for our retrieval methods we decided to expose them as service operations. However we want to expose Delete/Update and single entity selection as a normal OData REST resource. My question is how can we implement a data source for the reflection provider that restricts access to collections but allows access to single entities (requested by key), allows DELETE/PUT/POST verbs and also allows accessing child collections of single entities (i.e. service/Categories(1)/Products). Basically I only want to restrict access to base collections (i.e. service/Categories or service/Products)
+2
A:
There isn't a great answer here.
There are two settings you can use inside InitializeService(..)
config.SetEntitySetAccessRule("Feed", EntitySetRights.ReadSingle);
config.SetEntitySetPageSize("Feed", 1);
Unfortunately neither do exactly what you want:
EntitySetRights.ReadSingle
limits you to returning just one object from that set. Which fails because it doesn't allow this /Categories(1)/Products AND it also allows /Categories?$filter=... to return a row.SetEntitySetPageSize
restricts the amount of initial load hitting the server to just one record but you can follow the $skiptoken to go and get the rest of the data one record at a time and just like (1) it allows arbitrary queries not just key predicates.
That leaves you with only one realistic option. Visiting the LINQ expression and working out if you allow what is being attempted.
Since you are using the Reflection provider, you basically need to wrap the IQueryables being returned from your 'context' class and look for invalid queries, before passing them on.
Not something for the fainted hearted.
If you do decide to go down that path you'll find my IQueryable wrapping example useful, and you should check out Viteks blog post series on Data Service expressions too.
Hope this helps
Alex (OData Program Manager)
Alex James
2010-09-17 18:27:57
Thank you very much. I actually read your wrapping example and the custom data provider series when I was evaluating options. The first solution does not seem so bad actually. I'll have to check how many entities will have child collections and how many I'll have to work around. Another thing I was wandering was if it is OK to just throw exception in this situations. It seems bad but the other options are not pretty either. Wrapping the IQueryable seems really painful. Honestly I'd rather drop the OData solution and go for some other service type than do this.
Stilgar
2010-09-17 22:18:14