Thanks for any thoughts. This question refers to an ASP.NET 4.0 web application.
A DetailsView then uses an ObjectDataSource (although any solution should apply to any of the ASP.NET DataSource controls) for CRUD operations.
A user has permission to view details for all records, but can only create or modify a single record related to their own department.
obviously I can easily modify the listview to show/remove the appropriate buttons
if (!_canModifySelectedWard)
{
dptDetailView.AutoGenerateEditButton = false;
dptDetailView.AutoGenerateInsertButton = false;
dptDetailView.AutoGenerateDeleteButton = false;
}
but this is only removing the buttons. Is there a neat way to disable the ability to edit/insert/delete functionality? I think a malicious request is highly unlikely once the user has access to this page, but it seems better practice to remove functionality, not just UI elements.
I can set the associated objectdatasource’s InsertMethod etc. to null, but this almost seems like a hack.
Your object data source is tied to an class which is responsible for providing the data requested by the object data source. This is where additional checks should be performed to ensure unauthorized access to data doesn’t happen.
Hiding the buttons is a good idea from a user experience perspective, but you should always make sure your business rules are being enforced.
Sorry I cannot provide any more detailed help. Perhaps if you could describe what you have going on in more detail, or post some code that would help.
Cheers.