I'm trying to implement a very granular security module in an ASP.NET MVC 3 app where only certain users can edit certain columns on records in a table. I can imagine that the update SQL statement's list of columns would only include the columns that the user had the right to change. The thing is, I'm planning to use an ORM like NHibernate. I'm wondering if NHibernate provides a way to determine at runtime which properties of a model should be part of an Update. Or is my only option to, on the POST method, get the model again from the database, set only the properties that the user is allowed to set then finally Save the model. Also, is this a good way to handle my requirement of of granular security?
Would dynamic-update and dynamic-insert be enough?
dynamic-update (optional, defaults to false): Specifies that UPDATE SQL should be generated at runtime and contain only those columns whose values have changed.
dynamic-insert (optional, defaults to false): Specifies that INSERT SQL should be generated at runtime and contain only the columns whose values are not null.
Otherwise it might be possible with events or interceptors, but I've never used them so I don't know exactly.
Related
Most of our tables have one or more columns which are set by the database, either by a trigger, or we want to use the database default value (which requires not sending the field at all in the insert or update)
This includes transaction dates set in the dB (so all the times are times stamped very accurately by a single source, not relying on the accuracy of the time on an arbitrary server or pc.)
The second VERY common use case is say if a customer record has his address and a last logged in field. the last logged in field (and number of failed logins) is set by another part of the system (e.g. by a web site server). The current overly simplistic CRUD system which GORM provides would overwrite such a field when an operator or customer edits their address for example. This is because GORM includes in its update and insert statements every field, even if it's null, or if it has not been changed.
We need a way to scrub the field from inserts and updates, but still have it used in the read calls.
I.e. a true "read only" attribute.
We tried this:
failedLogins editable: false, attributes: [readonly:true]
Which has no effect on the SQL generated (and doesn't even affect the scaffolded UIs - its still editable in create and edit, in grails 2.4.4 at least, but thats another story)
When we do want to explicitly write one of these fields, such as number of failed logins, we would resort to using embedded SQL.
I saw this post: Read-Only columns
Which asks exactly the same question, but only gives one solution, which is this plugin:
extended GORM mappings
Unfortunately, this plugin has not been updated since 2010, and only works with 1.3. We need something which works with 2.4.4.
Any grails app which has multiple systems which edits independent fields needs something like this, or to do extensive locking (Which is usually out of the question).
E.g. an operator opens the customer details for editing, edits something editable (e.g. address), then the operator fails a login on the website (a different grails or non-grails app), then the operator saves the player details. If the saving included the numberOfFailedLogins field, the system would fail. If opening the player details for editing locked the player, then the player would not be able to login, as updating the "lastLoggedIn" or "numFailedLogins" would fail to be able to write due to the lock. The solution is VERY simple - read only columns. Another way would be to put each read only type field in their own tables, but this would be untenable (and result in hundreds of one field tables)
Or we go back to using MyBatis, which has no such issues, and full control. Sadly, there is no good mybatis plugin for grails.
You can use derived properties for string and number properties:
class Batch {
String name
Integer timesRun
static mapping = {
timesRun formula: 'times_run' //times_run is a column in the "batch" table
}
}
In the code above, timesRun would be read in from the database but ignored in inserts and updates as Hibernate considers the column a calculated one.
Updated the example because the original one may have been misleading
This probably doesn't specifically answer your question, but you can use dynamicUpdates to tell GORM to only update the properties of the domain object that have changed during the current session. So as long as you don't change the "read-only" property in your code it won't be set in the SQL update statement generated by Grails. For added safety you could override (and noop) the setter so that your code can never change that property.
https://grails.github.io/grails-doc/latest/ref/Database%20Mapping/dynamicUpdate.html
One of the downsides of dynamicUpdates is that it might make the Hibernate query cache less useful. However, it seems that some Grails/Hibernate experts recommend that you disable the query cache anyway (at least in older versions of Grails). Not sure if that's true of Grails 2.4+
http://grails.github.io/grails-howtos/en/performanceTuning.html
http://www.anyware.co.uk/2005/2012/11/12/the-false-optimism-of-gorm-and-hibernate/
http://tech.puredanger.com/2009/07/10/hibernate-query-cache/
I am in phase of designing architecture of my web application. I want to work with asp.net mvc5 and oracle database at back end.
One basic requirement of my project is that the application's admin users can add/remove Form Fields. I want to physically add/remove columns in my database tables at run time (not design time).
How can I achieve it in mvc and how the models can be updated dynamically at run time?
Should I use some ORM or how I design data access layer for that?
I just need suggestions and hints for the architecture design approaches.
Instead of physically adding and removing the fields at runtime you can try the following table structure
Field Name Field Type
CustomField1Name Nvarchar(256)
CustomField1Value Nvarchar(Max)
CustomField1IsVisible Bool
CustomField1FieldType Nvarchar(32) [char/numeric/bool etc]
CustomField1Required Bool
CustomField2Name Nvarchar(256)
CustomField2Value Nvarchar(Max)
CustomField2IsVisible Bool
CustomField2FieldType Nvarchar(32)
CustomField2Required Bool
If you need any more field specific information like custom validation you can add here.
Repeat this for how many custom fields you want . Due to this design, in run time there will be no structure changes in DB level. All changes you can do in coding level.
Entity attribute value pattern is one way to go. In my opinion this becomes an anti-pattern if overused. This has some shortcomings such as storing every value as a string. You might find it hard to parse "true+" as a bool. You could also do this in a weakly typed fashion or weakly typed datasets. If you want to go this route you would actually be creating columns. Do not give users rights to create columns, give them rights to execute a proc that creates columns.
I have a requirement from a client to give them the option to add custom fields to a program i am going to write for them. The custom fields will be on a per/poco basis. What is the best way of handling custom properties like this. I am going to use SQL Server and ASP.NET MVC4.
Just need a starting point..
thanks in advance.
The way we handle this where I work is storing the information in a database table. We store the field name, the value, and some identifier for which object it belongs to. Sometimes we have an additional table stores the specific list of available values.
When it's pulled out of the db, we place it in a dictionary list. If you set up some conventions then it's not too bad building validation for the fields. I.E. any field name with "phone" in the name gets validated as a phone number.
Reading up on the web I can set ConcurrencyMode=Fixed against a entity framework database field.
My understanding is that any update statements include in its where clause the original values to determine if the datacontext has changed.
(So if rows effected gets a hit then all is good otherwise we have a conflict )
Now my question is..
Do only the columns changed in the
datacontext get included in the where
clause or all columns that are
marked as fixed.
i.e.
(If I have the following setup)
name=fixedconcurrency
DateofBith=fixedconcurrency
NI=fixedconcurrency
When only the name field changes would I get:
update tbuser set name="newJason"
where Id=2 and name="oldJason" and
DateofBith="19/10/1970" and NI=1234566
or
Update tbuser set name="newJason"
where Id=2 and name="oldJason"
My goal is to only have conflicts raised when a user overwrites another users data ( At field level not record level).
A snippet from MS says that entity framework will only update the fields that a user has edited. IF all fields are included in the where clause it would make this statement redundant.
Thanks,
Jason
All of them. The intention of the feature is for something like a TIMESTAMP field, which the user cannot assign directly.
I'm working on creating an Entity Framework model for our database tables, and for the most part, things are going pretty well. However, I'm running into a bit of an issue mapping the stored procedures. See, the homebuilt ORM that our company has been using tends to use one sproc for inserting and updating, and differentiats the operations by passing a bit valued parameter called #IsInsert (I know, don't get me started). Entity Framework seems to expect separate sprocs for inserting and updating, so I figure that all I have to do is tell EF "pass true for this parameter when you're using it as an insert, false if it's an update". However, at least according to the designer UI, it doesn't seem to give me the option for any mapping other than fields on the entity object. Is there a way to pass a constant value (boolean true or false) to a sproc mapping in EF4?
Your best bet may be to use context.executestorequery(query) and keep it how it was before.