I'm just starting to play around with / learn NHibernate for a personal project, and feel like I'm not "getting" something. I'm used to having apps work like this:
Presentation layer --> Business Layer --> Persistence layer. So for example, my presentation layer would call BusinessLayer.GetCustomer(id). In that method I would check that the caller has the right to fetch the customer. OK, that still works just fine with NHibernate. My question though is how do I have any security on Updates, Adds, and Deletes? For example, suppose I want to modify the customer I got back. Normally, I would have done this:
    customer.FirstName = "Mike";
    BusinessLayer.UpdateCustomer(customer);
Again, the UpdateCustomer method would check that you can update this customer. OK, but with NHibernate, to update the customer I'm simply going to set the FirstName. I then don't NEED to call Update since it's all transparent. That's the point of Hibernate, right: "Transparent and Automated Persistence." So how do I have my security checks in place with this transparency? I simply don't trust myself enough to not make a mistake and do something like:
    List<string> customerNames = new List<string>();
    foreach (Customer c in GetCustomersThatLikeStuffThatILike()) {
        string custName = "";
        c.CustomerName = custName; // Oops. I meant to say: custName = c.CustomerName;
        customerNames.Add(custName);
    }
Oops. I just wiped out all the customers' names in the database. Is this contrived? Yes. Now, if I had some sort of BusinessLayer check in place, this would just throw an exception because that user can't update other users' names.
Another issue. Suppose I'm an admin and can really do anything in the system and I have code like this:
    // Display a customer's orders that haven't shipped yet:
    var Orders = Customer.Orders;
    Orders.RemoveAll(order => order.HasNotShipped);
    Grid.DataSource = Orders;
    Grid.DataBind();
OK, so here I just wanted to filter the orders, but I accidentally ended up deleting them from the database. The transparency caused me to do something very bad. How does one mitigate that risk?
I really want to use NHibernate but I don't want to do it the wrong way. Help! :)