There is some discussion on my team about updating entity data and how best to approach it. This is a security framework and so here are some of the constraints and ideas.
- every table in DB has a PK that is a guid, this is required for our multi-node clustering solution. The idea is that we don't want to expose this on an entity to a customer via an API because it could do two things,
- give them more info that needed for their job and giving hackers more information about the system.
- support nightmare is that a client hardcodes to this ID in some fashion and if we need to change our PK's clients are impacted.
solutions are to expose the natual key of the items like Role object with a unique Name, and Realm, together guarentee uniqueness however updating either of these values is the challenge, cause you need to specify the old and new values to update, or pass two objects in original and new object, so we can find the one to update. kind of messy,
another approach is to make an alternate key and have this exposed to the client they can use it all they want and we don't care cause it isn't tied to our PK.
it seems everyone these days just uses PK as ID for entities with no issues, not sure how to convince our team of veterns from the old timey programming days.
Another issue is how to support partial updates, issue is that you have entity with 10 properties, 4 collections, etc... with a name+realm combo and specify what property to update instead of pulling down whole object change 1 field, send back for update. I say lazy load the collections, but not sure if partial update makes sense.
thoughts?
thanks!