EntitySetsPermissions does not work for SubEntities

We have declared an Entity with EntitySetPermissionsNone.

This Entity is available as an Association within another Entity, which is allowed to be accessed through the CRUD-Endpoint.

// EntitySetPermissionsNone
TEntity = class
end;

// no EntitySetPermissions defined, List, Get, Insert, Modify, Delete are available
TAnotherEntity = class
private
  FParent: Proxy<TEntity>; // association to the restricted TEntity
end;

Swagger hides CRUD-Endpoints for TEntity as it should.
For TAnotherEntity, FParent is shown and could be accessed.

In my opinion, if an entity is permitted, it should not appear in the corresponding endpoints of other entities that have associations to the permitted entity.

Right now, I'm able to even modify TEntity-Instances using TAnotherEntity Patch...

If TAnotherEntity has an association to TEntity, then TEntity must be accessible, at least with GET, so proxy works. There is no way to escape that.

So the only possible solution is setting XDataExcludePropertyAttribute for all associations pointing to TEntity, or at least defining cascades so that data won't be saved using these associations.

There are multiple solutions, but it depends on what you want to do.
Do you want Parent property to be completely absent from JSON? Then XDataExcludePropertyAttribute is a good option.

Do you want it to be present in JSON but not be modifiable? Then you can define (remove) some cascades like Merge, Flush and Save to indeed prevent it from being changed.

But the 100% flexible and customizable way is to use a service operation where you define your own logic and your own JSON interface. If your endpoint is not 100% mapped to the database, the more "correct" way is to use DTOs and service operations.
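
The two mapping-level options from the last reply, side by side, as an added example that is not code from this thread or from TMS. The unit name, the unit names in the uses clause, the column names and the second association FOwner are assumptions made for illustration.

```delphi
unit SampleEntities; // hypothetical unit name

interface

uses
  Aurelius.Mapping.Attributes, // Entity, Automapping, Association, JoinColumn (assumed unit)
  Aurelius.Types.Proxy,        // Proxy<T> (assumed unit)
  XData.Model.Attributes;      // XDataExcludeProperty (assumed unit)

type
  // EntitySetPermissionsNone, as in the question
  [Entity, Automapping]
  TEntity = class
  private
    FId: Integer;
  public
    property Id: Integer read FId;
  end;

  [Entity, Automapping]
  TAnotherEntity = class
  private
    FId: Integer;
    // Option 1: still mapped for Aurelius, but left out of the XData JSON,
    // so clients can neither read nor send TEntity data through this endpoint.
    [XDataExcludeProperty]
    [Association([TAssociationProp.Lazy], [])]
    [JoinColumn('PARENT_ID', [])] // constructed column name
    FParent: Proxy<TEntity>;
    // Option 2 (FOwner is hypothetical): present in JSON, but SaveUpdate,
    // Merge, Flush and Remove are not cascaded, so changes sent inside the
    // nested object are not persisted to TEntity.
    [Association([TAssociationProp.Lazy], CascadeTypeAll -
      [TCascadeType.SaveUpdate, TCascadeType.Merge,
       TCascadeType.Flush, TCascadeType.Remove])]
    [JoinColumn('OWNER_ID', [])] // constructed column name
    FOwner: Proxy<TEntity>;
  public
    property Id: Integer read FId;
  end;

implementation

end.
```

With option 2 the nested TEntity is still readable through TAnotherEntity, so it only fits when hiding the data is not the goal.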