EntityAuthorize Attributes possibility?

These are a great addition and make the entity definitions self contained - great for documentation and making sure you don't forget to validate enforcement.

One additional one that would be useful is something like

EntityAuthorizeEntityValue(ClaimName, FieldName, EntitySetPermissions)

for Example

[Id('FId', TIdGenerator.IdentityOrSequence)]
[EntityAuthorizeScopes('Administrator', EntitySetPermissionsAll)]
EntityAuthorizeEntityValue('UserId', 'FId', [TEntitySetPermission.Modify];
TUser = Class
FId: Integer;
FName: String;
property Id: Integer read FId write FId;
property Name: String read FName write FName;

So an admin can do everything, but the user themselves can modify the data.

Or am I asking too much?

It's already possible to configure admins to do everything, and users to only modify data. But I believe what you are asking is to specific which properties each user can modify?

That would be nice - but a huge amount of work and probably better handed on the client.

I should have made the attribute

[EntityAuthorizeEntityValue('UserId', 'FId', [TEntitySetPermission.Get, TEntitySetPermission.Modify])];

The idea being that the admin can get any record whereas a normal user can only retrieve their own data. So a normal user can only get and modify a record where the value of the JWT Claim "UserId" is the same as the requested Id, represented by FId in the entity.

Does that explain it?

I understand. In this case, I recommend using Global Filters and also the Filter Enforcer.

Since what you are asking is a kind of "multitenant" approach.

1 Like

I'll take a look.

1 Like